Anatomy Of A Virus – MyDoom


Here we are, just barely into 2004, and we’ve already had our first major virus outbreak. The infamous MyDoom virus is spreading at almost double the rate that last year’s number one virus, the “Blaster” worm, achieved. I hope this isn’t a sign of things to come…

As many viruses as there are, many people still don’t realize exactly what a virus is, or what it can do to your computer. You should think of a computer virus in much the same way that you’d envision a biological virus. Both are composed of code (ones and zeros in the computer virus, DNA sequences in the biological virus) and both make their hosts sick. As with a biological virus, if you have the right medicine, you can ward off the sickness and cure the patient.

Biological viruses have one goal in life: to reproduce. Computer viruses can have a whole agenda of reasons for being. Since they are actually the creation of some programmer, their reason for existing is up to that programmer. Most viruses are written to perform a particular task. Since the MyDoom virus is currently making the rounds, let’s explore it in more detail.

This virus was first seen on January 26th, a little before 2 PM. It is known by several names; MyDoom is only one of them. Its other aliases include W32.Novarg.A, Win/Mydoom, I-Worm.Novarg, W32/Mydoom.A.worm, Worm_mimail.r, etc. Like many other viruses it propagates by email, though it can also spread across a network or through P2P file-sharing software such as Kazaa.

Once your computer is infected, the worm takes over your email program, scans your contact list and starts sending copies of itself to everyone you know. The virus’s code contains several subject lines and message bodies that it selects at random. One of the things helping this virus spread so rapidly is that the attachment it resides in takes on the appearance of a text file. Text files are usually safe to open. People who would never open an attachment with a “zip” or “exe” extension don’t think twice about opening a text file. But this one is different.
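The trick described above, an executable dressed up to look like a text file, is something a mail gateway can check for before the attachment ever reaches a reader. The script below is an added example, not code from the original column; it uses only the Python standard library, and the sample message, the attachment names and the list of risky extensions are constructed assumptions for the demonstration. It flags an attachment on any of three grounds: a double extension in the name, a runnable final extension, or content that starts with the MZ header of a Windows executable even though the name claims plain text.

```python
"""Screen e-mail attachments for executables dressed up as text files.

Added example, not code from the original column. It uses only the Python
standard library. The sample message, the attachment names and the list of
risky extensions below are constructed assumptions for the demonstration.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as runnable (plus zip, which the column singles out)
# even when a ".txt" appears earlier in the file name. Assumed list.
RISKY_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "zip"}


def looks_like_text(data: bytes) -> bool:
    """Crude check: genuine text has no NUL bytes and decodes as UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be treated as suspicious.

    An empty list means nothing about the name or the content looked wrong.
    """
    reasons = []
    name = (filename or "").strip().lower()
    exts = name.split(".")[1:]          # everything after the first dot
    if len(exts) >= 2:
        reasons.append(f"double extension in name {name!r}")
    if exts and exts[-1] in RISKY_EXTS:
        reasons.append(f"risky final extension .{exts[-1]}")
    if data[:2] == b"MZ":
        # DOS/Windows executables (EXE, SCR, PIF, COM with an MZ stub) start with 'MZ'.
        reasons.append("content is a Windows executable (MZ header)")
    elif name.endswith(".txt") and not looks_like_text(data):
        reasons.append("name says .txt but content is not text")
    return reasons


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw message and return (filename, reasons) for each flagged attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""   # raw bytes, not decoded text
        reasons = classify_attachment(name, data)
        if reasons:
            flagged.append((name, reasons))
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: one honest text file and two disguised executables."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60     # constructed stand-in for a PE file
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "notes"
    msg.set_content("Please see the attached notes.")
    msg.add_attachment("meeting moved to 3pm\n", filename="agenda.txt")
    # Disguise 1: the name ends in .scr, but a casual look sees "document.txt".
    msg.add_attachment(fake_exe, maintype="text", subtype="plain", filename="document.txt.scr")
    # Disguise 2: the name is a plain .txt, but the bytes are an executable.
    msg.add_attachment(fake_exe, maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The content check matters more than the name check: a mail client that hides known extensions will show "document.txt.scr" as "document.txt", but the first two bytes of the payload cannot be hidden from the gateway.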

I said earlier that people who write these viruses usually have a motive for doing so. In the case of the MyDoom virus, there is a further purpose. The virus is designed to spread around the world until the 1st of February. At that time (or as soon as you turn on your computer after that date) the worm turns… and launches a DoS (denial of service) attack on the www.sco.com website. Infected computers worldwide will start bombarding sco.com with email. This is similar to how the “Blaster” virus was set up to shut down Microsoft’s website. Fortunately, the authors of that virus targeted an older, rarely used website by mistake. I doubt that SCO will be so lucky.
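From inside a network, the payload described above has a recognisable shape: several internal machines that never talked to a site before all start hammering it at once. The detector below is an added example, not code from the original column; the log format ("timestamp, internal source IP, destination host"), the sample lines, the destination name victim.example and the thresholds are constructed assumptions. It buckets egress events into fixed windows and raises an alert only when one destination receives both a high event count and traffic from several distinct internal hosts, so a single busy user does not trip it.

```python
"""Flag a coordinated outbound flood in egress logs.

Added example, not code from the original column. The log format
("<ISO timestamp> <internal source IP> <destination host>"), the sample
lines and the thresholds are constructed assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timezone


def find_floods(lines, window_seconds=60, min_sources=3, min_events=50):
    """Return one alert per (time window, destination) where many internal
    hosts together generate an unusually high number of events.

    A single busy host is not enough: the signal is the combination of
    volume and breadth, which is what a worm-driven attack looks like from
    inside the network.
    """
    # window start (epoch seconds) -> destination -> [event count, set of source IPs]
    buckets = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
        window = epoch - epoch % window_seconds
        entry = buckets[window][dst]
        entry[0] += 1
        entry[1].add(src)

    alerts = []
    for window in sorted(buckets):
        for dst, (count, sources) in sorted(buckets[window].items()):
            if count >= min_events and len(sources) >= min_sources:
                alerts.append({
                    "window_start": datetime.fromtimestamp(window, tz=timezone.utc).isoformat(),
                    "dst": dst,
                    "events": count,
                    "sources": sorted(sources),
                })
    return alerts


def make_sample_log():
    """Constructed log: normal background traffic plus a burst from four
    internal hosts to one external site inside a single minute."""
    background = [
        "2004-02-01T00:00:05 10.0.0.2 mail.example.net",
        "2004-02-01T00:00:09 10.0.0.3 www.example.org",
        "2004-02-01T00:00:31 10.0.0.2 victim.example",   # one legitimate visit
        "2004-02-01T00:00:47 10.0.0.4 news.example.com",
        "2004-02-01T00:01:12 10.0.0.3 mail.example.net",
        "2004-02-01T00:02:03 10.0.0.5 www.example.org",
        "2004-02-01T00:02:40 10.0.0.2 mail.example.net",
    ]
    burst = [
        f"2004-02-01T00:01:{sec:02d} 10.0.0.{host} victim.example"
        for sec in range(0, 60, 4)        # 15 timestamps ...
        for host in (11, 12, 13, 14)      # ... from 4 hosts = 60 events
    ]
    return background + burst


if __name__ == "__main__":
    for alert in find_floods(make_sample_log()):
        print(f"{alert['window_start']} {alert['dst']}: {alert['events']} events "
              f"from {len(alert['sources'])} hosts {alert['sources']}")
```

The alert lists the internal sources, which is the operationally useful part: those are the machines to pull off the network and clean, regardless of which external site they happen to be aimed at.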

Another thing that is unusual about this virus is that it can infect all versions of Windows. The Blaster worm only infected XP and Windows 2000. So, how do you keep from getting infected? Update your virus definitions! That’s first and foremost. Then be very selective in opening attachments of any kind, from anybody! I know, that takes a lot of the fun out of things. Do this: if someone sends you an email with an attachment, email them back and double-check whether “they” really did send it, or whether it came from an infected computer. The more you know about viruses and spyware, the less likely you are to get infected. Reach me at randy@randybenjamin.com.