
Mydoom Author: 'Sorry'


Meehowski


The Mydoom variant that joined the original virus in raising havoc on the Internet this week contains a cryptic message in which the author appears to apologize for the malicious code, security experts said Friday.

The creator of what anti-virus experts say is the fastest spreading virus ever on the Internet signed Mydoom and Mydoom.B with "andy," and left the following message in the latter version: "I'm just doing my job, nothing personal, sorry."

"Our interpretation is that he's apologizing to the general public," Jimmy Kuo, research fellow for anti-virus software maker Network Associates Technology Inc., said. "Our guess is that someone is paying him to write this thing."

Both Mydoom versions install a "backdoor" in infected PCs, enabling hackers to commandeer the machines to send spam, launch denial of service attacks or perform other nefarious acts.

Some experts, however, doubted the sincerity of the apology. Many virus writers leave cryptic messages in their code to tease investigating authorities and to pat themselves on the back for their handiwork.

"If he's really sorry, then why did he release it," Michele Morelock, technical support leader for anti-virus software maker Sophos Inc., based in Lynnfield, Mass., said. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it."

Based on their code, the Mydoom worms are scheduled to launch denial of service attacks against the SCO Group Inc. and Microsoft Corp., starting Feb. 1. A DoS attack means the infected computers are set to overload both companies' web servers with bogus information, in an attempt to prevent access by legitimate users.

Mydoom.B also prevents infected computers from accessing the web sites of Microsoft and many anti-virus software makers, making it difficult for the owner of an infected machine to get help.

Microsoft and SCO have each offered a reward of $250,000 for the arrest and conviction of the Mydoom author. Both companies are also assisting in investigations by the FBI, the U.S. Secret Service and Interpol, an international police organization.

Network Associates, Santa Clara, Calif., estimates that between a half million and a million PCs have been affected with the virus. That number continued to increase Friday at a rate of 12,000 per hour, which was the peak reached on Thursday.

"(The rate of infection) has remained flat, and we expect it to go down, especially since today is Friday and the weekend is here," Kuo said.

Postini Inc., a Redwood City, Calif.-based security company that cleanses e-mail before it reaches corporate networks, said it had intercepted more than 12.5 million copies of Mydoom and its variant since the original virus was launched on Monday.

In the first 24 hours of the attack, Postini intercepted 3.5 million copies of the virus. On Friday, the company reported an infection rate of 1 in 24 e-mails.

Based on its own customer submissions, security company Symantec Corp., Cupertino, Calif., said Mydoom was spreading on Friday at a rate of 30 percent to 40 percent less than its peak earlier in the week. Mydoom.B, on the other hand, wasn't even on the company's list of top 5 viruses.

Nevertheless, Symantec expected the viruses to continue to be a threat for months.

"These viruses tend to stick around for months and months," Alfred Huger, senior director of engineering for Symantec, said. "The Internet is a very big place."

http://www.techweb.com/wire/story/TWB20040130S0011
