Viral Snark-eting: Worm Takes SCO Off The Hook

Last week, the Novarg or MyDoom virus became the largest and most destructive computer virus in history. An untold number of computers and personal email systems have been infected by the email worm, which has now launched two separate denial of service attacks: on IT firm SCO on Feb. 1, and on Microsoft Corp. on Feb. 3.

MyDoom.a, the email worm's initial strain, attacked software firm SCO on Sunday, culminating in one of the largest denial of service attacks ever on a single Web site. Orders contained within MyDoom's code forced its militia of infected computer zombies to attack the SCO site 64 times a second.

Despite efforts by SCO's IT staff to keep the Web site operational, it went down Sunday morning, and should remain inaccessible until Feb. 12, when the denial of service ends, according to McAfee analyst Jimmy Kuo.

Lindon, Utah-based SCO Monday announced it had moved its Web site to www.thescogroup.com, after removing its previous URL from the Internet's global directory at 1 a.m. EST Sunday. The IT firm is reportedly at the center of a dispute involving the Linux operating system. SCO sells Unix, an older version of Linux; it has claimed copyright ownership of the open-source software and is seeking licensing fees from thousands of Linux users. The virus is said to have originated in Russia. SCO is offering a $250,000 reward for the worm's creators.

Additionally, there were reports that a similar denial of service attack would launch today on Microsoft.com. Kuo says that the Microsoft attack is directly connected to a second variant of the virus, MyDoom.b. Industry analysts are uncertain about how widespread this second strain of the virus is and whether the number of infected machines is large enough to have a noticeable effect on Microsoft's Web site. While anti-virus software manufacturers Symantec and McAfee report having the MyDoom.b strain, the extent to which the second virus will affect consumers remains unclear.

At presstime, Kuo doesn't believe that today's scheduled denial of service attack on Microsoft will happen, but Symantec Security Response Group Project Director David Loomstein expects it to take place. He does not expect the virus to be more than a minor disruption to the tech services giant, however, which has more than an ample number of servers to handle large amounts of traffic.

MyDoom.b keeps browsers from accessing ads served by DoubleClick, AtlasDMT, FastClick, and others by setting the IP addresses of these sites to 0.0.0.0 in the infected computer's hosts file. DoubleClick and Atlas DMT, which had each previously released statements maintaining that the MyDoom.b virus would not cause them significant server problems, did not respond to several phone calls by presstime.
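Tampering of this kind can be found by auditing the hosts file. The following is an added example, not code from this article or from any vendor it quotes: it flags hostnames pinned to 0.0.0.0 and, going beyond the article, to loopback addresses as well. The function name, the sample file and the `.example` domains are constructed for illustration.

```python
import ipaddress

# Names that normally map to a loopback address and are not suspicious.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file (hypothetical domains, not from a real infection).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.adserver.example   # inline comment is ignored
0.0.0.0\tcdn.adnetwork.example WWW.AdNetwork.Example.
192.0.2.10      intranet.example
127.0.0.1       tracker.adserver.example
not-an-ip       junk
"""

def find_sinkholed_hosts(hosts_text, watchlist=None):
    """Return (line_no, address, hostname) for names pinned to a dead address.

    watchlist: optional iterable of domains; when given, only those domains
    and their subdomains are reported.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        if not (addr.is_unspecified or addr.is_loopback):
            continue                            # points at a routable address
        for name in fields[1:]:                 # one line may carry several names
            host = name.lower().rstrip(".")
            if host in BENIGN:
                continue
            if watchlist and not any(host == d or host.endswith("." + d) for d in watchlist):
                continue
            findings.append((line_no, str(addr), host))
    return findings

if __name__ == "__main__":
    for line_no, addr, host in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

A hit is a lead for review rather than proof of infection, since some users add such entries deliberately to block ads.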

"MyDoom.b is certainly not nonexistent, but as yet it has not been confirmed to be spreading across the consumer population," Kuo said. This is not to say that MyDoom.b isn't spreading throughout the corporate world, however.

Anti-virus solutions provider McAfee suspects that the virus is currently residing in anywhere between 300,000 and 500,000 machines, and will remain in some 200,000 despite attempts to counter it with anti-virus software.

As Symantec's Loomstein notes, "It's impossible to know how many people have the virus. You could make a rough guesstimate, but it would be impossible to develop with any measure of certainty how many out there have it. There are just too many variables."

Sunday's denial of service attack against SCO involved between 25 and 50,000 machines; many of the infected computers may have been turned off or have not re-booted since infection, which is necessary to trigger the attack. More computers will likely activate the denial of service command throughout the week.

Another deadly component of the virus is the "back door" it leaves on infected computers, which will grant hackers easy access, allowing them to install future denial of service, spam blast, credit/password theft, and other damaging programs.

The MyDoom virus originated in Russia on Jan. 26, and by the following day it had spread to more than 168 countries. U.S. security firm MX Logic reported that 1,200 emails per second were infected with MyDoom on January 27.

MessageLabs, an email filtering company, reported 1.2 million copies of the worm in the first 24 hours, infecting one out of every nine email messages worldwide.
