IE 11 is not supported. For an optimal experience visit our site on another browser.

Third version of Mydoom has a surprise

A third version of the Mydoom virus now circulating isn't a direct threat to anyone not already infected, but it's also leaving copies of its source code everywhere -- and that has virus researchers worried.

A third version of the Mydoom virus was found by a virus researcher over the weekend, but this one only threatens computers already infected by the first Mydoom.

The new virus -- also being called "Doomjuice" by researchers -- doesn't spread via e-mail, so Internet users are unlikely to encounter it. It only attacks machines already infected with Mydoom, via the backdoor left by the original worm, said Joe Stewart of Lurhq Corp., who found the new worm on Sunday.

Stewart said consumers had little to fear from the new worm. "In terms of getting this on your system, you don't have to worry about it unless you are already infected, in which case, you already have problems," Stewart said.

Nevertheless, it is spreading, worming its way around the Internet in the background, said Vincent Gullotto, virus researcher with Network Associates Inc. He believes some 50,000 to 100,000 computers are still infected by the original MyDoom, and will likely be found and infected by the new Mydoom in the next week or two. He said the firm has trapped 10 copies of Mydoom.C on computers designed to catch new worms, but no customers had reported infections.

The new worm no longer attempts to attack The SCO Group, as the first two variations of the worm did, but instead focuses all its energy on attacking Unlike its predecessors, the new Mydoom's denial of service attack is not set to expire. 

Leaves behind source code
But the worm has a characteristic that disturbs virus researchers. With each infection, the new worm places a copy of the original Mydoom source code on the infected machine's hard drive. Researchers can only speculate on the reason -- perhaps to obfuscate the trail of researchers trying to hunt down the author, according to Mikko Hypponen at F-Secure Corp.

"The authors know the police [are] looking for them. And the best evidence against them would be the possession of the original source code of the virus," Hypponen said. "Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive — without knowing it."

Whatever the motivation, the ready availability of the virus source code -- which had been unavailable to this point -- is certain to encourage copycats to create additional variants of the worm, Gullotto said.

"We'll see more variants, it's all but certain now," he said.

Because of the similarity in programming styles, Stewart said he was convinced Mydoom.C was written by the same person or same group of programmers that authored the original.

"This could possibly be the end of his or her spreading of it," Stewart said. "He's almost saying, 'Hey, I'm done with this. Someone else run with it.' You don't find virus authors sharing their source code."