Information Security News mailing list archives

MyDoom author may be covering tracks
From: InfoSec News <isn () c4i org>
Date: Wed, 11 Feb 2004 04:46:28 -0600 (CST)

http://news.com.com/2100-7349_3-5156836.html

By Robert Lemos 
Staff Writer, CNET News.com
February 10, 2004

A worm that started spreading on Sunday places the source code for the
original MyDoom virus on victims' hard drives, an action equivalent to
planting evidence, antivirus experts said Tuesday.

The worm, Doomjuice, spreads to computers that have already been
infected by either the original MyDoom virus or the MyDoom.B variant,
and among other actions, places several copies of the source code for
MyDoom.A on a victim's computer.

The author may be using the tactic to create a crowd of PC users in
which to hide, or the author could be spreading the code in hopes that
other virus writers will create variations on MyDoom, said Graham
Cluley, senior technology consultant for antivirus company Sophos.

"If he has spread his code around the Net onto innocent computers in
an attempt to hide in the crowd, then he's more sneaky than the
average virus writer," Cluley said in a statement.

Doomjuice is one of two opportunistic programs--the other dubbed
Deadhat--that started spreading this week. Both viruses infect
computers that have already succumbed to either of the two MyDoom
viruses. Doomjuice also attempts to direct any re-infected PCs to
attack Microsoft's Web site.

Doomjuice's possession of the source code for the original MyDoom
virus suggests that the creator of the worm is also the writer of the
original virus. A word in both MyDoom viruses--the name "andy"--has
already suggested to some researchers that the original MyDoom and the
MyDoom.B variant were created by the same person or group.

Other antivirus researchers agree that the latest hostile program
could be intended to confuse investigations into who created the
viruses.

"It stands to reason that the author might be hiding his tracks," said
Craig Schmugar, virus research manager for Network Associates. "He
might be trying not to get caught."

The SCO Group and Microsoft have made separate offers of $250,000 for
information leading to the arrest and conviction of the person or
group that started spreading the MyDoom.A and MyDoom.B viruses,
respectively. If the viruses were created and released by the same
person or group, it could result in a $500,000 payoff.


-
ISN is currently hosted by Attrition.org