By Linux News Desk | January 30, 2004 12:00 AM EST
Rampant E-Mail Virus Traced to Russia
Friday, Jan. 30, 2004 | By Simon Ostrovsky, Staff Writer
"MyDoom, the fastest-proliferating computer virus ever, has been traced to Russia.
Using location-sensing software, Kaspersky Labs has traced the first e-mails infected with MyDoom back to addresses with Russian Internet providers.
"It's scary, but most serious viruses are written in Russia," said Denis Zenkov, spokesman for Kaspersky, the country's largest anti-virus software company.
Ever since it first appeared Monday night, the virus has managed to latch onto every 12th e-mail sent, slowing down Internet traffic around the world.
"This virus can only be compared to chemical warfare, an indiscriminate weapon of mass destruction," said Mikhail Yakushev, a legal adviser for Microsoft in Russia.
MyDoom breaks a previous record set by the Sobig worm, which infected one in every 21 messages at its peak last summer.
Most disturbing is that the virus gives its creators -- or anyone who cracks the virus's code -- the power to take control of an infected PC.
The virus has already infected 600,000 to 700,000 computers around the globe, Kaspersky Labs estimates.
And it has caused some $2 billion in losses worldwide, according to Computer Economics, an Internet monitoring company.
Thirteen percent of infected computers are in the United States, compared to a figure of under 1 percent for Russia, according to Kaspersky Labs.
"Russia usually does better fighting e-mail viruses than the United States because systems administrators are generally more competent here and install protection quicker," Zenkov said.
Russia might be better prepared, but then it is often the source of server-stomping viruses, as in the case of MyDoom.
"We don't understand why, because usually programmers write viruses during an economic downturn when there is no work and nothing else to do," Zenkov said. "Right now there is plenty of work for Russian programmers."
The cause of damage is not primarily the virus's ability to take control of an infected computer and change information stored on the hard drive.
Instead, the virus wreaks havoc by sending itself to all the addresses stored inside an infected PC, exponentially increasing e-mail traffic and overloading web servers.
MyDoom spreads as an attachment to e-mails or as a file on the KaZaA file sharing system. It uses a multitude of file names, subject lines and file extensions, making it difficult to notice.
When the infected attachment is opened, the virus automatically installs files in the computer's system, making it possible to use the computer as a proxy server for sending out future versions of the file and to take control of the computer itself.
"If the virus's creators don't send out an updated version of the virus it will be under control in the next few days," Zenkov said.
MyDoom is not the only virus traced to Russia. Dumaru and Mimail have also betrayed Russian origins.
But MyDoom has been the most problematic. One Utah-based software company, SCO, has gone so far as to offer $250,000 for any information leading to the arrest of the virus programmers.
SCO's web address is specifically targeted by MyDoom. The virus is encoded to bombard SCO's web site with requests every 50 milliseconds starting Feb. 1. Such a huge volume of requests is almost certain to crash the company's server, causing huge financial losses.
SCO has branded MyDoom as "criminal activity that must be stopped." In a statement on the company's web site, president and CEO Darl McBride said "we have our suspicions" as to the perpetrators. He did not elaborate.
SCO is one of the most ardent opponents of the open source code movement, which calls for software companies to make their programming code available to the public.
If convicted of creating or distributing harmful computer programs, hackers face up to seven years imprisonment under Russian law, according to Microsoft's Yakushev. The Federal Security Service said it was not able to confirm immediately if a criminal investigation had been opened into the MyDoom case.
If it has, the FSB shouldn't look for some teen computer whiz. "Its creators are skilled professionals," Zenkov said."
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.