SCO Puts Bounty On MyDoom Creators

With the MyDoom/Novarg worm whipping around the Internet at a pace said to be record-breaking, its target is hitting back with a bounty offer – a $250,000 reward for information that helps arrest and convict the worm's creators.

SCO Group announced the bounty late Jan. 27, more than a full day after MyDoom first hit the Net, spreading mostly around North America. The worm is programmed to launch a mass attack against SCO on Feb. 1, carried out through infected surrogate computers.

SCO has borne several denial-of-service attacks in previous months, sometimes blaming Linux sympathizers or backers for those attacks. This time, the company seems careful not to accuse Linux sympathizers or backers explicitly over the MyDoom epidemic. "During the past ten months SCO has been the target of several DDOS attacks… The perpetrator of this virus is attacking SCO, but hurting many others at the same time," SCO chief executive officer Darl McBride said in an official statement.

"This [attack] is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world," McBride said. "We do not know the origins or reasons for this attack, although we have our suspicions. This is criminal activity and it must be stopped."

The company said it was now working with federal law enforcement, including the FBI and the Secret Service, and encouraged anyone with information to contact the FBI.

Symantec, the maker of Norton Anti-Virus and Norton SystemWorks, said MyDoom is programmed to launch an attack from infected computers that will begin Feb. 1 and continue as late as Feb. 12. The worm has been spreading almost entirely through computers running Microsoft Windows 95, 98, 2000, NT, and XP.

MyDoom/Novarg arrives in an e-mail with a subject line of "test" or "status" and carrying an attachment with an .exe, .bat, .cmd, .pif, .scr, or .zip extension. Other random subject lines the e-mail might use include "Mail Delivery System" or "Mail Transaction Failed." Some such messages also contain the body text, "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
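The message traits listed above can be turned into a mail-screening check. The following Python sketch is an added example, not code from Symantec or SCO; the function names, the rule of requiring a listed attachment type together with a lure subject or body, and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as reported in the article; matching is case-insensitive.
SUBJECTS = {"test", "status", "mail delivery system", "mail transaction failed"}
EXTENSIONS = (".exe", ".bat", ".cmd", ".pif", ".scr", ".zip")
BODY_MARKER = "cannot be represented in 7-bit ascii encoding"

def check_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the reported lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so line wrapping cannot split the marker phrase.
    body = " ".join(body_part.get_content().split()).lower() if body_part else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if n.strip().lower().endswith(EXTENSIONS)]
    lure = subject in SUBJECTS or BODY_MARKER in body
    # Assumed rule: flag only when a listed attachment type arrives with the
    # lure text; either signal alone is common in legitimate mail.
    return {"match": bool(risky) and lure, "attachments": risky,
            "subject_hit": subject in SUBJECTS, "body_hit": BODY_MARKER in body}

def build_sample(subject, body, filename=None) -> bytes:
    """Constructed test message (not captured traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    notice = ("The message cannot be represented in 7-bit ASCII encoding "
              "and has been sent as a binary attachment.")
    for args in [("Mail Delivery System", notice, "document.zip"),
                 ("status", "weekly numbers attached", "report.pdf"),
                 ("test", "ping")]:
        print(args[0], "->", check_message(build_sample(*args)))
```

Subjects such as "test" and "status" are common in ordinary mail, which is why the sketch reports each signal separately and only sets `match` when an attachment of a listed type is present as well.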

MyDoom doesn't exploit Windows flaws but tries to lure the recipient into opening the attachment and running the program in it, Symantec said. "This is something you might see from a mail system, so you click on the attachment," senior director Sharon Ruckman told reporters. "This one is almost begging you to click on the attachment."

From there, the worm mails itself to addresses found on the victim's computer. The spread is so rapid and massive that Symantec upgraded the threat level from Category 3 to Category 4 within just a few hours, the company said. But users who simply delete the incoming e-mail, without even bothering about the attachment, will avoid damage, the company added.