Weekly interest and loan rates | Northwest stock contest 2004 Tax tips | Consumer affairs | Home values

MyDoom worm not strong enough to slam Microsoft, virus experts say

By Kim Peterson
Seattle Times technology reporter

E-mail this article Print this article Search archive

A variant of the MyDoom worm is programmed to attack Microsoft's main Web site today, but anti-virus experts say the new version is badly written and has not circulated enough to cause much damage.

The variant, called MyDoom.B, is expected to attack Microsoft.com today by directing infected computers to flood the site with traffic.

A small software company in Lindon, Utah, is still reeling from a similar attack, called a denial-of-service attack, that was created by an earlier-generation worm known as MyDoom.A. That worm infected hundreds of thousands of machines last week, and had computers repeatedly visiting the Web site of The SCO Group on Sunday.

SCO was unprepared for the severity of the attack and had to shut down its Web site, at www.sco.com, in response. The company created a new Web site, at www.thescogroup.com.

Microsoft likely won't have that problem. Jimmy Kuo, a researcher with the anti-virus team at McAfee Security, based in Santa Clara, Calif., said MyDoom.B has its own flaw — a bug within a bug, so to speak — that will make the attack ineffective. About 93 percent of computers that try to attack Microsoft's site will fail, he said.

And MyDoom.B isn't really circulating on the Internet, he said. By yesterday morning, he said, McAfee had collected a sample count of millions of MyDoom.A instances, but the MyDoom.B count was in the teens.

MyDoom.B has another twist: It is programmed to block a computer's access to some 65 Web sites, including many of the top anti-virus vendors. Some of the 65 belong to Microsoft, such as its site for developers and the Windows Update site the company uses to provide security information to customers.

Microsoft has responded by creating another Web site, at https://information.microsoft.com, that isn't on the worm's hit list. Customers can go there to learn how to get rid of the worm and visit some of the company's blocked sites, said Stephen Toulouse, a security program manager at Microsoft.

This tactic of blocking access to anti-virus sites has been used before in worms, said Stephen Sundermeier, a vice president at Central Command, an anti-virus company in Medina, Ohio.

Microsoft is not saying how it plans to handle the denial-of-

service attack from MyDoom.B, but it appears that the worm is so insignificant that it will not cause a problem.

"We got lucky on that one," Sundermeier said. But he suspects there could be a MyDoom.C in the future, written by someone who learned from the mistakes of MyDoom.B. That worm could attack Microsoft's site again.

"You can probably be sure that Microsoft.com will be the target for the next one," he said.

Kim Peterson: 206-464-2360 or kpeterson@seattletimes.com

Copyright © 2004 The Seattle Times Company