Zindos capitalizes on MyDoom.O infections
- 30 July, 2004 07:07
Antivirus companies have issued warnings and software updates for a new Internet worm, dubbed Zindos, that infects machines already compromised by the MyDoom.O worm, which appeared on Monday, and then uses those machines to launch an attack on the Microsoft (MS) website.
Zindos.A takes advantage of an open back door on Windows machines that contracted the MyDoom.O worm. While the worm has not knocked Microsoft's website offline and is not considered a serious threat by most antivirus vendors, the ease with which it spread raises troubling questions about the ability of virus authors to control, and plant further malicious programs on, machines infected by their creations, said Graham Cluley, senior technology consultant at antivirus company Sophos.
The Zindos worm spreads through Transmission Control Protocol (TCP) port 1034, which was opened by a Trojan horse program called Zincite that MyDoom.O deposited on Windows machines it infected, according to antivirus company Symantec.
MyDoom.O, referred to by some antivirus companies as MyDoom.M, is the 15th variant of the original MyDoom worm, which ravaged the Internet in January.
Zindos can infect Windows machines without any interaction from the computer user, modifying the configuration of Windows so that the worm is started along with the Windows operating system.
Once installed, Zindos begins searching for other MyDoom-infected machines to which it can send copies of itself, Symantec said.
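The two indicators in the paragraphs above (a back door listening on TCP port 1034, and an infected host probing that port on other machines) can be turned into a simple triage check. The following is an added example, not code from the article, Sophos or Symantec: a small Python script that reads constructed firewall-style log lines and flags hosts that accepted an inbound TCP/1034 connection (a MyDoom.O/Zincite back-door candidate) and hosts that tried TCP/1034 against several distinct destinations (the propagation pattern described for Zindos). The log format, the addresses and the scan threshold are assumptions.

```python
"""Flag the TCP/1034 traffic pattern associated with MyDoom.O (Zincite) and Zindos.

Added example, not code from the article or from any antivirus vendor.
The log format below is a simplified, constructed firewall log:
    <timestamp> <src>:<sport> -> <dst>:<dport> <proto> <ACCEPT|DROP>
"""
from collections import defaultdict
import re

BACKDOOR_PORT = 1034  # TCP port the article says Zincite/MyDoom.O opens

# Constructed sample log lines (all addresses are made up for the example).
SAMPLE_LOG = """\
2004-07-30T07:01:12 10.0.0.7:3172 -> 10.0.0.21:1034 TCP ACCEPT
2004-07-30T07:01:13 10.0.0.7:3173 -> 10.0.0.22:1034 TCP DROP
2004-07-30T07:01:14 10.0.0.7:3174 -> 10.0.0.23:1034 TCP DROP
2004-07-30T07:01:15 10.0.0.7:3175 -> 10.0.0.24:1034 TCP ACCEPT
2004-07-30T07:01:20 10.0.0.9:4001 -> 10.0.0.21:1034 TCP ACCEPT
2004-07-30T07:02:00 10.0.0.30:1290 -> 203.0.113.5:80 TCP ACCEPT
2004-07-30T07:02:01 10.0.0.30:1291 -> 10.0.0.21:1034 UDP ACCEPT
2004-07-30T07:02:05 10.0.0.21:1034 -> 10.0.0.7:3172 TCP ACCEPT
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            yield ev


def find_backdoor_activity(text, scan_threshold=3):
    """Return (listeners, scanners) as two sets of IP address strings.

    listeners: hosts that ACCEPTED an inbound TCP connection on the back-door
               port, i.e. the MyDoom.O back door looks reachable there.
    scanners:  hosts that attempted TCP/1034 against at least `scan_threshold`
               distinct destinations, the way Zindos hunts for infected peers.
    Only the destination port is inspected, so a reply packet whose *source*
    port is 1034 (last sample line) does not count.
    """
    listeners = set()
    targets_by_src = defaultdict(set)
    for ev in parse_log(text):
        if ev["proto"] != "TCP" or ev["dport"] != BACKDOOR_PORT:
            continue  # the back door is TCP-only; ignore everything else
        targets_by_src[ev["src"]].add(ev["dst"])
        if ev["action"] == "ACCEPT":
            listeners.add(ev["dst"])
    scanners = {src for src, dsts in targets_by_src.items()
                if len(dsts) >= scan_threshold}
    return listeners, scanners


if __name__ == "__main__":
    listeners, scanners = find_backdoor_activity(SAMPLE_LOG)
    print("possible MyDoom.O back doors reachable on TCP/1034:", sorted(listeners))
    print("hosts probing TCP/1034 like Zindos:", sorted(scanners))
```

On the sample data, 10.0.0.21 and 10.0.0.24 are reported as reachable back doors and 10.0.0.7 as a scanner; 10.0.0.9 touched only one destination and the UDP line is ignored. Note that an ACCEPT in a firewall log only means the packet was permitted, not that a listener answered, so a flagged "listener" is a host to inspect and clean (remove the MyDoom.O infection, then install antivirus software and a firewall), not a confirmed infection.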
Zindos has not infected many of Sophos' corporate customers, which were also spared the worst of MyDoom.O. However, the worm might be causing more problems among home users with broadband Internet connections who lack firewall or antivirus software, Cluley said.
Sophos experts think that the MyDoom author created Zindos and that the follow-on infection might have been planned all along, Cluley said.
"There are similarities in the code," he said. "And, the way MyDoom opened the back door on computers, other viruses would have to know the right password to be able to use it -- it's like knowing the right knock on the door to get into the private casino."
The MyDoom author had shown hostility to Microsoft in the past, Cluley said.
MyDoom.B, the worm's second version, also contained a preprogrammed denial of service attack against MS.
The Zindos worm also indicates the thriving interest among virus writers in building armies of compromised computers, or 'bots, which can be used to launch attacks or sold to others for spam distribution or other nefarious purposes, Cluley said.
"Owning a large network of zombie computers is a very powerful and rather valuable resource to have," he said.
Antivirus companies advised customers to update their antivirus software to obtain signatures that can spot Zindos, but only customers who had been hit by the latest MyDoom worm need be concerned about this new worm, Cluley said.
Those affected by that worm should remove it from their computer and install antivirus software and a firewall to keep from being victimised by Zindos, too, he said.