FRAMINGHAM (02/05/2004) - Virus watchers and security experts declared the MyDoom.A worm successful this week as it forced The SCO Group Inc.'s website (www.sco.com) to shut down, while hardly disrupting overall Web traffic even though, by one company's measurement, the worm represented nearly 10 percent of worldwide e-mail volume.
According to Central Command Inc., a Medina, Ohio-based antivirus vendor, the MyDoom.A worm represented 77 percent of total confirmed infections reported to the company, and one out of every nine e-mails sent worldwide. MyDoom.A dwarfed confirmed infections of other popular worms such as Sober.C (5.9 percent of infections) and Bagle.A (2.0 percent of infections). "It's really out there," says Steven Sundermeier, vice president of products and services at Central Command. "On any other given month, Sober and Bagle would account for 17 to 21 percent of infections. The effect of MyDoom is significant enough to drop the Sober and Bagle as far down as they were."
Sundermeier says MyDoom.A was successful largely because of its simplicity. First, it used a .zip file so that it might more easily penetrate e-mail filters. Second, it used very simple and correct language. Third, it was released during normal working hours so many office users may have been infected before news of the virus spread. "It had a tech feel that piqued users' curiosity," Sundermeier says. "It showed that there's still a great need for safe computing practices."
The SCO site, the target of MyDoom.A, remained down as of this writing and had been out since 9 p.m. EST Jan. 31, according to Keynote Systems Inc., a website monitoring company. In response to the attack, SCO Group put up a duplicate site at www.thescogroup.com that has not been affected by the virus. (SCO Group is also offering US$250,000 for information leading to the arrest and conviction of the author of the virus.) Lloyd Taylor, vice president of technology at Keynote, declared the attack "completely successful."
"The nature of the attack was elegant in an evil way," he says. "It was designed to generate to take out a specific web server without causing any collateral damage to the rest of the Internet."
The MyDoom.B worm, a coincidental worm aimed at Microsoft.com, was less successful, according to experts. AlertSite, another website monitoring company, says that even though Microsoft.com experienced some degraded performance on Feb. 3 (10-20 percent worse than the previous two Tuesdays), the site was performing significantly better than on Feb. 2.
Central Command's Sundermeier says that he expects the effects of MyDoom.A to persist for several weeks because it has infected some 700,000 computers. He also believes that a third variant of MyDoom will be released shortly because of the somewhat unsuccessful attack of MyDoom.B. "It's critical to maintain your antivirus software," Sundermeier says, "and it's important to maintain current MS patches as well."