[ISN] MyDoom author may be covering tracks

From: InfoSec News (isn@private)
Date: Wed Feb 11 2004 - 02:46:28 PST

    http://news.com.com/2100-7349_3-5156836.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    February 10, 2004
    
    A worm that started spreading on Sunday places the source code for the
    original MyDoom virus on victims' hard drives, an action equivalent to
    planting evidence, antivirus experts said Tuesday.
    
    The worm, Doomjuice, spreads to computers that have already been
    infected by either the original MyDoom virus or the MyDoom.B variant,
    and among other actions, places several copies of the source code for
    MyDoom.A on a victim's computer.
    
    The author may be using the tactic to create a crowd of PC users in
    which to hide, or the author could be spreading the code in hopes that
    other virus writers will create variations on MyDoom, said Graham
    Cluley, senior technology consultant for antivirus company Sophos.
    
    "If he has spread his code around the Net onto innocent computers in
    an attempt to hide in the crowd, then he's more sneaky than the
    average virus writer," Cluley said in a statement.
    
    Doomjuice is one of two opportunistic programs--the other dubbed
    Deadhat--that started spreading this week. Both viruses infect
    computers that have already succumbed to either of the two MyDoom
    viruses. Doomjuice also attempts to direct any re-infected PCs to
    attack Microsoft's Web site.
    
    Doomjuice's possession of the source code for the original MyDoom
    virus suggests that the creator of the worm is also the writer of the
    original virus. A word in both MyDoom viruses--the name "andy"--has
    already suggested to some researchers that the original MyDoom and the
    MyDoom.B variant were created by the same person or group.
    
    Other antivirus researchers agree that the latest hostile program
    could be intended to confuse investigations into who created the
    viruses.
    
    "It stands to reason that the author might be hiding his tracks," said
    Craig Schmugar, virus research manager for Network Associates. "He
    might be trying not to get caught."
    
    The SCO Group and Microsoft have made separate offers of $250,000 for
    information leading to the arrest and conviction of the person or
    group that started spreading the MyDoom.A and MyDoom.B viruses,
    respectively. If the viruses were created and released by the same
    person or group, it could result in a $500,000 payoff.
    
    
    