Sophos researchers have reported an increase in sightings of the
email worm first seen on 20 February. The worm carries a malicious
payload that attempts to launch denial of service attacks against
Microsoft and the RIAA (Recording Industry Association of America),
which represents record labels including EMI, Virgin and Warner Bros.

The MyDoom-F worm, which uses a wide variety of subject lines,
message bodies and attachment names, deletes 40% of
graphic files, Word documents, Excel spreadsheets and Access
databases it finds on infected computers. It also opens a backdoor
on infected computers that could allow malicious hackers to run
unauthorised code remotely.

Between the 17th and 22nd of any month the worm will attempt a
distributed denial of service attack. There is a one-third chance
that the attack will be against riaa.com; otherwise the attack will
be against www.microsoft.com.

"This worm is being sighted in larger numbers, suggesting that
not all computers have properly protected themselves with the
latest anti-virus updates," said Graham Cluley, senior technology
consultant for Sophos. "Protection is essential if you are to play
your part as a responsible net citizen - or else your computer
could become part of the zombie army which will launch the attack
on the websites of Microsoft or the RIAA."

Unlike earlier variants of the MyDoom worm, this variant does
not have a "suicide date" at which it stops spreading, and its
author appears to have left a message inside it:

.-==I am "Irony", made by jxq7==-.

"It's hard to say whether this variant of MyDoom is written by
the same person who constructed the earlier versions of the worm,
as the source code for W32/MyDoom-A was spread widely by the

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.