
MyDoom Stops, Mutant Worm Starts

Written By
Ryan Naraine
Feb 13, 2004

As of Thursday, the aggressive MyDoom mass-mailing virus is scheduled to stop propagating itself, but open transmission control protocol (TCP) ports on millions of computers worldwide mean that malicious hackers still have the upper hand.

The W32.Novarg.A@mm (MyDoom) virus, which spread at an alarming rate in late January, is programmed to stop its distributed denial-of-service (DDoS) attack against the home page of the SCO Group on Thursday, meaning e-mail servers can expect some respite from the attachments. However, because the original MyDoom opens TCP ports 3127 through 3198 and sets up a backdoor to commandeer infected machines, security analysts expect numerous mutants to appear in the coming weeks.

In an added twist, anti-virus firms are reporting the discovery of a “friendly” virus, resembling the Welchia/Nachi worm, that is attempting to clean up after MyDoom. Experts are calling the Nachi/Welchia variant Nachi-B.

Security research firm F-Secure issued an advisory on Thursday, warning that the Welchia copycat is squirming through the same remote procedure call (RPC) holes exploited by the Blaster virus and attempting to clean up after MyDoom.

Sophos also issued an alert after spotting Nachi/Welchia early Thursday. The company said the worm infects the computer without asking the user’s permission and hunts for traces of the MyDoom worms. “If a MyDoom infection is found, the Nachi-B worm attempts to remove it and download patches to fix the Microsoft vulnerability,” Sophos said in an alert.

Sophos senior security analyst Chris Belthoff, however, stressed that there is “no such thing as a good virus.”

“Nachi-B infects innocent computers without permission, steals network bandwidth, CPU time and hard disk space, and makes changes to a computer’s setup and data. A worm can easily get out of control or cause unexpected conflicts,” he said.

The original Nachi/Welchia worm, first detected last August as a fix for the destructive Blaster, caused major disruptions for business IT administrators. The fact that a new variant can successfully infect machines through the well-known distributed component object model (DCOM) RPC vulnerability means that computer users have still not applied the Microsoft patch that has been available since July 16 last year.

The purported “friendly” worm is just one of many mutants hammering inboxes and mail servers. With open ports available on unpatched systems, malicious hackers have the ability to connect and use infected PCs as proxies and to download and execute arbitrary files.

That effectively means that any unpatched system, estimated in the millions based on active IP scanning statistics to and from open ports, could potentially fall under the control of virus writers.

Microsoft has posted a detailed advisory on its security Web site to alert Windows users to the fast-spreading mutants. The company said various versions of MyDoom (Doomjuice, MyDoom.B and MyDoom.C) are causing computers to be used in attacks against other computers on the Internet.

The company also made the unusual move of releasing a MyDoom removal tool to help detect and clean up after the viruses. The Microsoft removal tool will also close the TCP ports to prevent a machine from being re-infected even if an infected e-mail attachment is re-executed.
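As an added example (not part of the original article and not Microsoft's removal tool), the Python sketch below checks `netstat` output for TCP listeners in the 3127 through 3198 range the article attributes to the original MyDoom backdoor. The function names and the sample output are constructed for illustration; the parser assumes the usual Windows `netstat -an` and Linux `netstat -tan` column layouts.

```python
import re

# Backdoor listener range the article attributes to the original MyDoom.
MYDOOM_PORTS = range(3127, 3199)  # 3127 through 3198 inclusive

# Matches a TCP row from Windows `netstat -an` or Linux `netstat -tan`:
# proto, optional Recv-Q/Send-Q columns, local address, foreign address, state.
_ROW = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<local>\S+)\s+\S+\s+(?P<state>[A-Z_]+)",
    re.IGNORECASE,
)

def split_port(endpoint):
    """Return the port from '0.0.0.0:3127', '[::]:3127' or ':::3127'."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None

def find_backdoor_listeners(netstat_text, ports=MYDOOM_PORTS):
    """Return sorted (port, local_endpoint) pairs for listeners in range."""
    hits = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        # Only listening sockets matter; outbound connections that happen
        # to use an ephemeral port in the range are ignored.
        if not m or m.group("state").upper() not in ("LISTEN", "LISTENING"):
            continue
        port = split_port(m.group("local"))
        if port in ports:
            hits.add((port, m.group("local")))
    return sorted(hits)

# Constructed sample output, not captured from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3150        198.51.100.7:80        ESTABLISHED
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
tcp        0      0 0.0.0.0:3198            0.0.0.0:*               LISTEN
tcp6       0      0 :::3130                 :::*                    LISTEN
  UDP    0.0.0.0:3128           *:*
"""

if __name__ == "__main__":
    for port, endpoint in find_backdoor_listeners(SAMPLE):
        print(f"listener in MyDoom backdoor range: {endpoint} (port {port})")
```

A listener in this range is a lead to investigate rather than proof of infection, since other software can bind ports in the same range.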

Adapted from internetnews.com.
