Anti-virus vendors spot new variant of MyDoom/Novarg
Anti-virus vendors in Romania, Russia and the U.S. warned Wednesday that they have identified a new variant of the mass-mailer worm known as MyDoom or Novarg, a variant that is more dangerous than the original worm that appeared Monday.
According to Russia-based Kaspersky Labs and Romania-based BitDefender, the Novarg.B variant that has just been identified spreads via e-mail and attachments like its predecessor, in addition to traveling via the Kazaa file-sharing network.
According to Kaspersky Labs, the worm is about 28K bytes in size and contains the following text: “sync-1.01: andy: I’m just doing my job, nothing personal, sorry.”
Both BitDefender and Kaspersky say the Novarg.B variant is programmed to attack the Microsoft Web site at www.microsoft.com in addition to the SCO Web site at www.sco.com that the original MyDoom/Novarg targets. Network Associates and Symantec say they also are examining the code of the new variant.
According to Jimmy Kuo, research fellow at Network Associates AVERT Labs, the second variant of MyDoom/Novarg is different in that it injects itself into the Microsoft Windows operating system directly.
“Removing it by hand is practically impossible,” he said, noting that any infection caused by the B variant will require cleanup tools. Some anti-virus vendors, including the Network Associates McAfee division and Symantec, have made free cleanup tools available for the original MyDoom/Novarg worm. They also have supplied commercial paid-for tools to their anti-virus software subscribers.
The new variant has a slightly different back door, sending out messages. Analysis of the worm code is still ongoing at most anti-virus firms. The new variant may be making use of infected desktops to spread. Mihai Neagu, virus researcher at BitDefender, predicted a new wave of infections of this mass mailer. It appears to be far more dangerous than the original variant.
According to Kaspersky Labs, the worm appears to modify the standard “hosts” file in the Windows folder of the victim’s desktop so that the user cannot access some sites, including security-related Web sites. These appear to include the sites www.f-secure.com, www.sophos.com, www.symantec.com, the www.nai.com site from Network Associates, the Kaspersky Web site at www.viruslist.ru, www.trendmicro.com, www.ca.com of Computer Associates, and several related FTP sites for security protections. In addition, sites for DoubleClick, FastClick and others are also blocked.
Anti-virus vendors Kaspersky and Network Associates say they believe a new signature update is required to block the virus. Network managers should caution employees against opening file attachments known to carry MyDoom/Novarg, at least until new anti-virus software updates are on desktops and gateways to protect against MyDoom/Novarg version B.
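The hosts-file tampering described above can be checked for on a desktop. The Python below is an added example, not code from the article or from any vendor: it scans hosts-file text for static entries that name the security sites listed above. The sample file contents, the function names, and the rule that any static entry for these names is worth reporting are assumptions.

```python
import ipaddress

# Security-vendor hostnames the article lists as blocked through the hosts file.
WATCHED = {
    "www.f-secure.com", "www.sophos.com", "www.symantec.com", "www.nai.com",
    "www.viruslist.ru", "www.trendmicro.com", "www.ca.com",
}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        for name in fields[1:]:  # one line may carry several names
            yield line_no, addr, name.lower().rstrip(".")

def find_tampering(text, watched=WATCHED):
    """Report watched names that are pinned in the hosts file.

    Assumption: a clean desktop has no static entry for these names, so every
    match is reported. Loopback or unspecified targets are flagged as
    sinkholed, since they make the site unreachable.
    """
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in watched:
            findings.append({
                "line": line_no,
                "host": name,
                "address": str(addr),
                "sinkholed": addr.is_loopback or addr.is_unspecified,
            })
    return findings

# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
0.0.0.0         www.symantec.com  WWW.Sophos.com   # two names on one line
0.0.0.0 www.nai.com
10.1.2.3        intranet.example.test
192.0.2.10      www.f-secure.com
#0.0.0.0        www.ca.com
"""

if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} sinkholed={f['sinkholed']}")
```
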