MyDoom-F worm poised to attack Microsoft and record industry websites, Sophos warns of increased reports

February 24, 2004 Sophos Press Release

Sophos researchers have reported an increase in sightings of the W32/MyDoom-F email worm first seen on 20 February. The worm, which travels via email, contains a malicious payload which attempts to launch denial of service attacks against Microsoft and the RIAA (Recording Industry Association of America), which represents record labels including EMI, Virgin and Warner Bros.

The MyDoom-F worm, which uses a wide variety of different subject lines, message bodies and attachment names, deletes 40% of graphic files, Word documents, Excel spreadsheets and Access databases it finds on infected computers. It also opens a backdoor on infected computers that could allow malicious hackers to run unauthorised code remotely.

Between the 17th and 22nd of any month the worm will attempt a distributed denial of service attack. There is a one-third chance that the attack will be against riaa.com; otherwise the attack will be against www.microsoft.com.

"This worm is being sighted in larger numbers, suggesting that not all computers have properly protected themselves with the latest anti-virus updates," said Graham Cluley, senior technology consultant for Sophos. "Protection is essential if you are to play your part as a responsible net citizen - or else your computer could become part of the zombie army which will launch the attack on the websites of Microsoft or the RIAA."

Unlike earlier variants of the MyDoom worm, this variant does not have a "suicide date" at which it stops spreading, and its author appears to have left a message inside it:

.-==I am "Irony", made by jxq7==-.

"It's hard to say whether this variant of MyDoom is written by the same person who constructed the earlier versions of the worm, as the source code for W32/MyDoom-A was spread widely by the W32/Doomjuice-A worm," continued Cluley.