More Doom?

It was nearly 4 p.m. last Monday when the first suspicious-looking email popped up on Richard Wang's computer screen. Ten minutes later, a similar message arrived with the familiar "error" subject line and an icon indicating an attachment. The next arrived two minutes later. As a virus researcher at security firm Sophos's new anti-virus lab in Massachusetts, Wang sorts through a lot of suspect email each day--most of it forwarded by customers or other security firms to be examined. "But once you see three or four of these in that short a time period, you start to think this is going to be something big," he says. By the time the fourth email arrived, Wang remembers thinking, "I'm going to be late for dinner tonight."

Meanwhile, on the West Coast, his counterpart at McAfee Avert, Craig Schmugar, was seeing two to four new suspicious-looking emails every time he refreshed his screen. "There was a sudden rush in emails we had never seen before," says Schmugar, who is credited with co-discovering the virus. He named it MyDoom after spotting a line of text that included "mydom" (short for "my domain") in the virus code. " It was evident early on that this would be very big," he says. "I thought having "doom' in the name would be appropriate."

Was it ever. MyDoom--and its variation, MyDoom-B, released two days later--soon become the fastest spreading email virus in Internet history, extending into more than two dozen countries and infecting at least 500,000 machines over the past week. According to the security firm mi2g, damage estimates from the virus now range as high as $38.5 billion, taking into account everything from overtime pay to loss of business and bandwidth, as well as the cost of recovery and software upgrades. While some say that estimate may be too high, security analysts agree that the damage is in the billions.

And the worm's work isn't done yet.

Unlike some past viruses, MyDoom isn't aimed at disabling victims' computers or erasing their files (though it does disrupt email service and prevents victims from contacting many of the Web sites that offer anti-virus protection.) In fact, victims may not even be aware that their computer has been infected unless they run an anti-virus scan.

"The worst viruses [like MyDoom]," says Wang, "aren't interested in messing up your personal files or crashing your email system. They want to steal your bandwidth--take over your computer, basically--to use your PC for nefarious purposes, so it can't be tracked back to theirs."

The MyDoom worm was designed to launch later attacks from infected computers against two corporate targets: the SCO Group and Microsoft. SCO, a Utah-based software maker, earned the ire of Linux lovers--and became a regular target of attacks last year--for launching a patent claim against the freely available operating system. And as the world's largest software maker, Microsoft is also a common target of hackers and virus writers.

MyDoom launched its first wave of attacks from an estimated 50,000 or more infected computers that were turned on this weekend. It was enough to shut down the SCO Group's Web site. Microsoft was bracing itself Tuesday for the launch of similar, if fewer, denial-of-service attacks from MyDoom-B, which is set to run through the end of the month. The company even preemptively set up a back-up site just in case its main site is disabled. "We are doing everything we can to ensure that Microsoft properties remain fully available to our customers," says Stephen Toulouse, security program manager at the Microsoft Security Response Center.

That includes offering a $250,000 reward for information leading to the capture of whoever is behind the MyDoom attack--a reward SCO is offering as well. Microsoft has offered the quarter-million-dollar rewards only twice before, for those behind last year's MSBlast.A worm and Sobig virus. The offers are part of its new Anti-Virus Reward Program, launched late last fall with $5 million. Still, despite the rewards, and the FBI's participation in the investigation into the MyDoom worm, no suspect has yet been identified.

And Jeff Carlon, director of worldwide IT infrastructure at the SCO Group, predicts hundreds more attacks on his Web site through next Thursday, when the first worm expires. Through a statement, he said the company "has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders." That includes directing customers to a new Web site (thescogroup.com) as its technicians work to bring the original site back online.

For the most part though, security experts say the worst may be over. The number of new MyDoom infections has dropped significantly in the past few days to about one-third the rate of reported infections happening a week ago, according to the anti-virus software firm Symantec. McAfee's Schmugar says the number of those computers cleaning out the virus is now higher than those reporting new infections.

But don't breathe too easy yet.

"Unfortunately, one thing you can predict is that you will see more medium to high threats like this coming through this year," says Vincent Weafer, senior director for Symantec Security Response. Home users and small businesses are particularly vulnerable.

"They remember and are diligent about updating their protection after an attack, but then they forget about it," says Weafer.

Schmugar agrees. "MyDoom has gotten press and that raises awareness for a period of time but it's hard to say how long that will last," he says. "We've learned that people are aware for some period of time and then it fades and they go back to--I don't want to say a false sense of security--but to their previous comfort level, perhaps. More people open an attachment they might not otherwise."

And that may be all it takes to unleash the next MyDoom.