Reward: US$ 250,000 For Finding Creator of MyDoom Worm
Microsoft and SCO Group have each offered US$ 250,000 to anyone who can identify the culprit(s) who wrote and sent the MyDoom and MyDoom-B worms across the internet. The worm targets SCO's and Microsoft's servers and infects computers running Microsoft Windows.
Read Microsoft's advice on preventing MyDoom on its website.
SCO is offering the same reward amount "for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus." The MyDoom virus, known as MyDoom-A, was released on Thursday, 26 January. The MyDoom worm is also known as Novarg and Mimail.R.
It appears that members of the open-source internet community are angry with SCO for pursuing a court case that would give SCO legal rights to important parts of the Linux source code. Open source is an alternative to Microsoft's dominance in the internet industry, and Linux is one product developed from open-source technology. According to IDC, Linux servers grew almost 50 percent in the third quarter of 2003.
Microsoft's reward is for information leading to the arrest and conviction of the person or persons responsible for releasing the MyDoom-B worm, which was released two days after MyDoom-A. The MyDoom-B version of the virus also appears to contain the following piece of text: "sync-1.01; andy; I'm just doing my job, nothing personal, sorry".
The FBI, the U.S. Secret Service and Interpol are working closely with Microsoft and SCO to investigate the release of the MyDoom-B worm, which Microsoft described as a "criminal" attack.
The Damage
Experts believe that MyDoom spreads faster and is more "deadly" than last year's Sobig.F, which was considered the most widespread e-mail worm of 2003.
MyDoom spread quickly worldwide, infecting between 400,000 and 500,000 computers as of Thursday, according to Network Associates.
The Web Host Industry Review reports: "Experts estimated the worm had caused more than $22.6 billion in economic damage worldwide, making it the second worst malware ever. The virus was already being called the fastest spreading virus ever, surpassing the Sobig and Blaster worms from last year. The virus leaves several ports open, which hackers can use to steal names, passwords, credit card numbers and other information.
The Mydoom-B worm is similar to the Mydoom-A worm but contains an additional scheduled denial of service attack against Microsoft's Web site and also blocks access to antivirus Web sites on infected machines. Both Mydoom variants target computers running Microsoft's Windows operating system.
The virus could be part of a new generation of viruses known as distributed intelligent malware agents, which suggested a range of motivations beyond denial of service attacks, including identity theft, online transaction fraud, spamming and phishing."
How MyDoom Works
The worms spread through infected e-mail file attachments and the Kazaa peer-to-peer network.
MyDoom works like this: it arrives on a computer via e-mail as an attachment with one of several possible file extensions, including .bat, .cmd, .exe, .pif, .scr or .zip. When a user opens the attachment, the computer becomes infected. Once the attached file is executed, the worm scans the user's computer for e-mail addresses and forwards itself to the addresses it finds. If the victim's computer has the Kazaa file-sharing application installed, the worm will deposit several files in the Kazaa shared-files folder in an attempt to spread that way.
Even more deadly, the worms will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will start sending requests for data to SCO's Web site. If enough requests are sent, the SCO site could be forced off-line.
Protection Against MyDoom
US-CERT, a partnership between the Department of Homeland Security's National Cyber Security Division (NCSD) and the private sector that protects the U.S. Internet infrastructure, gave this advice in its press release:
"Computer users should watch for e-mails that are received with the following subjects:
Delivery Error
hello
Error
Mail Delivery System
Mail Transaction Failed
Returned mail
Server Report
Status
Unable to deliver the message
The virus is launched when users open an infected attachment. The attachment will contain file(s) with a .exe, .bat, .scr, .cmd or .pif extension. If the malicious attachment is executed, it then opens notepad.exe and displays garbled binary data.
To protect from infection, users should:
Avoid opening suspicious e-mail attachments
Update computers with the latest anti-virus protections regularly"
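A mail-gateway check built from the indicators this article gives (the attachment extensions in "How MyDoom Works" and the subject lines in the US-CERT advice), as an added example that is not part of the original article or of any vendor tool. The sample messages are constructed inline; `example.test` addresses and the `MZ-placeholder` attachment body are placeholders, not real captures.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines US-CERT listed for MyDoom-bearing e-mail (compared case-insensitively).
SUSPECT_SUBJECTS = {
    "delivery error", "hello", "error", "mail delivery system",
    "mail transaction failed", "returned mail", "server report",
    "status", "unable to deliver the message",
}

# Attachment extensions the article lists; .zip is included because it can carry the others.
SUSPECT_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def suspect_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments whose extension is on the watch list."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in SUSPECT_EXTENSIONS:
            hits.append(name)
    return hits


def classify(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report subject/attachment indicator matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    hits = suspect_attachments(msg)
    return {
        "subject_match": subject in SUSPECT_SUBJECTS,
        "attachments": hits,
        # A subject alone ("hello", "Status") is too generic to block on;
        # an executable-type attachment is enough to hold the mail for review.
        "quarantine": bool(hits),
    }


def build_sample(subject: str, filename: Optional[str]) -> bytes:
    """Construct a sample message for testing (constructed data, not a real MyDoom capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("See attached.")
    if filename:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Running `classify(build_sample("Mail Transaction Failed", "document.pif"))` flags both the subject and the attachment and marks the message for quarantine, while a plain PDF report with an ordinary subject passes.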
Possible Suspects
Initial clues point to addresses belonging to Russian internet service providers (ISPs). The Russian computer security firm Kaspersky Labs found the first few e-mails infected with MyDoom coming from Russian ISPs.
Company spokesman Denis Zenkin also admitted it is possible that someone outside Russia could have registered the addresses in an effort to throw law enforcers off the scent.