The Associated Press, 2004-02-10
Finnish computer security experts warned Tuesday of a new worm, known as "Doomjuice," that is expected to attack computers infected by "Mydoom."
The virus, first detected by Helsinki-based company F-Secure on Monday night, has so far infected at least 30,000 computers worldwide since it was activated Sunday, said the company's director of antivirus research, Mikko Hypponen.
Like Mydoom.A and Mydoom.B, the new worm is designed to strike Microsoft Corp.'s Windows operating systems and is programmed to launch a worldwide attack on the web site of SCO, one of the largest UNIX vendors in the world.
"Unlike Mydoom, it does not spread via e-mail. It comes through a backdoor left open by Mydoom," Hypponen told The Associated Press. "People won't even realize their computers are being attacked, and then they'll have both Mydoom and Doomjuice in their computers."
Although Mydoom is programmed to stop spreading on Feb. 12, Doomjuice could run forever, he warned. "At least until all computers everywhere infected by both worms have been cleaned up, and that could be years," Hypponen said.
Doomjuice's ability to spread is limited because it will only attack computers infected by Mydoom, Hypponen said. "And lots of them are being cleaned up already at a quick rate."
Doomjuice drops the original source code of the Mydoom.A worm in an archive to folders on infected computers.
"This proves to us that Doomjuice and Mydoom.A are written by the same people," Hypponen said. "The source code of Mydoom.A has not been seen circulating in the underground before."
Last month, Microsoft promised US$250,000 to anyone who helps find and prosecute the author of the fast-spreading Mydoom virus. The cash reward is the third so far under a US$5 million program it announced in November to help U.S. authorities catch authors of damaging virus and worm infections aimed at consumers of the company's software.
F-Secure, a Helsinki-based company, was one of the first to warn of the dangers of the Mydoom e-mail worm, also known as "Novarg."
F-Secure said it is difficult to fully assess how destructive Doomjuice has been so far, but that one sensor monitoring a fifth of the world's Internet traffic Monday found 30,000 hits.
