A back door to computer systems opened by the Mydoom email worm is turning into a bonanza for thousands of hackers, who are scanning the Internet furiously for systems infected by Mydoom.
The opening in the defences of infected computers could allow malicious hackers to secretly install a Trojan horse program, key-logging software or simply peruse files on infected systems, and may make cleanup after Mydoom difficult.
Mydoom, which first appeared on Monday, is still spreading on the Internet and is believed to have infected between 100,000 and 300,000 systems worldwide, according to Craig Schmugar, virus research manager at the McAfee antivirus division of Network Associates (NAI).
"Mydoom is still going strong, we're not seeing any signs of it slowing down," he said.
One large corporate customer reported receiving 160,000 Mydoom-infected emails an hour on Wednesday, Schmugar said.
McAfee researchers and those at other antivirus companies have also spotted another Mydoom trend: thousands of computers scanning for a range of Transmission Control Protocol (TCP) ports opened by the worm.
Those open ports, which ranged between number 3127 and 3198, were open doors for malicious hackers,senior manager of Symantec Security Response at Symantec, Oliver Friedrichs, said.
Attackers just have to connect to the open port and upload spyware or other malicious programs, he said.
"This could mean there are a bunch of attackers out there looking for machines to compromise," NAI's Schmugar said. Symantec counted 2100 unique systems scanning for the Mydoom back door on Wednesday, Friedrichs said.
NAI put the number at 2500 systems and said that uptos 7,500 infected systems mighty have been targeted since late Tuesday, when researchers first noticed the behavior, Schmugar said.
Removing Mydoom would close the backdoor, removing the threat, Friedrichs said.
However, if a malicious hacker gets to an infected system first, clean-up is more complicated, according to experts. Many antivirus programs could spot common Trojan horse and keylogging software, but might not detect every program, Friedrichs said.
Owners of infected systems would need specialised software that just looks for such programs, he said.
"This could turn into a big mess," he said.
While that is possible, most Internet users would be well-served with an up-to-date antivirus package and an Internet firewall, which can spot Trojan activity on an infected system, independent computer security consultant, Richard Smith, said.
Some of the scanning might also come from system administrators who were trying to spot infected machines so they could disinfect them, Schmugar said.
The Internet community should be more worried about the hundreds of thousands of Mydoom-infected computers that were now at the beck and call of the Mydoom author, Smith said.
"Anything more than 50,000 systems is scary," he said. "The author knows where the systems are and he can easily upload software to them."
The Mydoom-B variant that appeared Wednesday included features for cutting off access to antivirus websites and may be an effort to further groom the population of infected machines, he said
A zombie network that large could be used to distribute spam, viruses or Internet scams, he said.
"Whoever is behind [Mydoom] could cause a lot of mischief," he said.