Two new electronic worms emerged Monday, both of which seek to exploit Windows-based PCs that have already been infected by the original MyDoom email virus. Like the weakened MyDoom.B email virus variant, however, both of the new worms are categorized as low-risk by security researchers, who note that few users have actually been compromised. And unlike MyDoom.A and MyDoom.B, the new attacks don't spread via email attachment but rather prowl the Internet looking for MyDoom-compromised computers that haven't yet been inoculated.
The first worm, dubbed Doomjuice, attempts to seize infected computers for a Distributed Denial of Service (DDoS) attack on Microsoft's Web site. The second worm, called Deadhat, removes the MyDoom virus and waits for further instructions, presumably from yet another worm; Deadhat got its start on the Soulseek file-sharing system. The antivirus experts at Network Associates note that while Doomjuice has had a bit of success, largely because some people didn't realize they were infected with MyDoom, neither worm is expected to make much of an impact.
On the other hand, Doomjuice and Deadhat prove that previous thinking on electronic attack flare-ups might be out-of-date. "Computer users cannot treat the risk from malware as an episodic situation based on a specific virus event," said Ian Hameroff, a security strategist at Computer Associates. "Instead, they need to treat the cause, be it social engineering or outdated virus definition updates, not an individual flare-up." Microsoft denied reports that Deadhat was responsible for intermittent problems on its Web site Monday, reports Winnetmag (http://www.winnetmag.com).
According to The Australian (http://www.theaustralian.news.com.au), unlike their predecessors, the variants do not flood the email boxes of infected PCs with unwanted spam.
Instead, the worms take advantage of a so-called backdoor program installed on machines infected with MyDoom.A and MyDoom.B. "It is virtually a case of a virus attacking a virus," said AusCERT computer security analyst Joel Hatton. The effects of one variant, the Deadhat or Vesser worm, are unknown. The worm seeks out infected MyDoom computers and replaces the virus, leaving the computer vulnerable to further attacks. "It could become a stepping-off point for another attack," Mr Hatton said.
"There actually aren't a huge number of users hit at the moment," according to Conor Flynn, technical director of Dublin-based Rits Information Security. "Although the antivirus companies are sending out alerts, none have gone to critical stage yet with these worms. They are nowhere near as virulent as the original MyDoom variants."