MyDoom Targets RIAA

Gretchen Gallen
SILICON VALLEY – There is no question at this point that the creator of the MyDoom virus has a very anti-establishment, counter-culture viewpoint when it comes to using innocent computer users as tools to wreak havoc on some of the largest corporations in the world, security experts are saying.

So far the deadly email virus that functions as a detonator for specific websites has targeted the SCO Group, a politically unpopular organization because of its recent patent claims against developers of Linux operating systems; Microsoft Corp., which is perceived by many as being a ruthless money maker; and now the Recording Industry Association of America (RIAA), despised by many computer users for enforcing its copyright claims against file-sharers.

The RIAA is currently in litigation against 531 individuals accused of uploading music files to file-sharing services.

Security experts announced Wednesday that MyDoom.F is the newest variant in the chain of viruses that started in January as MyDoom.A and infected up to one million computers worldwide in just two days.

Similar to its predecessors, MyDoom.F is programmed to use infected computers like automatons and wage an attack on the RIAA with the intent to overwhelm the system and shut it down.

"It's still getting around, and it's destructive," a security expert said. "We're worried. The longer people keep their PCs on, the more files they risk losing. This worm keeps going back to attack again and again."

The new and destructive element that MyDoom.F comes equipped with is an uncanny ability to randomly delete Microsoft Word and Excel files, databases, and photo files. According to experts, it is rare to see a computer virus actually destroy files.

According to security experts Sophos, MyDoom.F searches for and deletes 40 percent of files with extensions of AVI, BMP, DOC, JPG, MDB, SAV and XLS. Unlike earlier variants of the MyDoom worm, this version does not have a "suicide date" at which point it stops spreading. The virus also appears to have been signed by its author in the following manner:

".-==I am "Irony", made by jxq7==-."

So far MyDoom.F has not been successful in its attempt to disable the RIAA's website, but traffic has been slowed, experts say.

The virus is also programmed to take another strike at Microsoft Corp., which it previously attempted to shut down in a prolonged, and some say indefinite, denial-of-service attack a few weeks ago.

And while security experts are saying that MyDoom.F is not as fast or as deadly as the variants that came before, it has already infected three percent of all email traffic worldwide, compared to 60 percent of all email that the first variant claimed.

Experts are warning users to steer clear of attachments and subject headers that say anything similar to: "Approved," or "Your Credit Card," or "You use illegal file-sharing." According to Sophos, there are dozens of potential email headers the virus might be traveling under.

Attached files containing the virus will have an extension of EXE, SCR, COM, PIF, BAT, CMD or ZIP.
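
The attachment check described above, as an added example that is not part of the original article: a Python sketch of a mail-gateway filter that flags the listed extensions and, going one step beyond the article, opens ZIP attachments to look for those extensions inside. The function names, addresses, file names and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions the article lists for MyDoom.F carriers.
RISKY_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "zip"}
EXECUTABLE_EXTS = RISKY_EXTS - {"zip"}

def ext_of(name):
    """Final extension, lower-cased; trailing dots and spaces are ignored."""
    name = (name or "").strip().rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def scan_message(raw_bytes):
    """Return a list of (attachment_name, reason) findings for one raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ext_of(name)
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable extension ." + ext))
        elif ext == "zip":
            payload = part.get_payload(decode=True) or b""
            try:
                # Only member names are read; nothing is extracted to disk.
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    bad = [m for m in zf.namelist() if ext_of(m) in EXECUTABLE_EXTS]
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip archive"))
                continue
            findings.extend((name, "zip contains " + m) for m in bad)
    return findings

def build_sample(subject, filename, data):
    """Constructed test message (assumption); not a captured MyDoom sample."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def make_zip(member_name):
    """Constructed ZIP holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes")
    return buf.getvalue()
```

A ZIP that cannot be parsed is reported rather than passed, since the filter cannot see what it carries.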