MyDoom and the art of misdirection

While we appear to be over the hump in MyDoom infections, the worm's after-effects could be felt by many for some to come.

SCO has worked around the distributed denial of service attack and for Microsoft it was pretty much business as usual.

But the worm's secondary payload has been busy on hundreds of thousands of computers and will be passing back information for a while yet, a key point that many have forgotten in the rush to deal with the outbreak.

Because misdirection is what MyDoom is all about.

First, the worm was designed to spread as widely as possible without causing enough traffic to slow servers and limit its reach. It was very successful, infecting about 500,000 systems.

Second, worms triggering denial of service attacks have been around since 2001 and Code Red. They need to spread quickly, because once the target is identified the website has time to protect itself. MyDoom also went through everything from Windows 95 and up, over three quarters of the world's computers.

The target was high profile. SCO has laid claim to some of the holy scriptures of the open source movement and its website has been up and down like the Assyrian Empire since it started its legal fight.

The second payload, the all important keystroke logger, has been very busy. Much of this information will be useless and we won't be hearing many stories of e-commerce devotees being wiped out in an instant.

But what if there are lots of small withdrawals or transfers, a few more online auction frauds run by people using false identities?

Even the name is not quite what it seems. 'MyDoom' is a wonderful name and helped the world's media pick up on the virus. But it could so easily have been called 'Novarg.A'.

A constant theme in complaints from readers is that antivirus companies assign different names to the same virus. Here's how it usually works.

Antivirus firms are sent large numbers of viruses. Not all amateur virus writers are intent on wreaking global havoc: on PCs across the world law-abiding enthusiasts are designing ever more intricate ways to make dynamic code, and sending it in for classification.

Most of these aren't original but a few are new and potentially dangerous. When vulnerabilities are published things move up a notch and antivirus labs watch for an exploit to be published, then wait for the malware. Once they find it they pick a name, usually based on something in the code.

When Symantec and Kaspersky discovered the worm known as MyDoom they called it Novarg.A. But everyone else went for the sexier name and a panic was born.

So check your online accounts, change your passwords and make a virus signature update part of a daily or weekly routine.