An updated version of the MyDoom virus is responsible for a large DDOS (distributed denial of service) attack that took down major U.S. Web sites over the weekend and South Korean Web sites on Wednesday, according to Korean computer security company AhnLab.
When it was discovered in January 2004, MyDoom quickly became the fastest-spreading e-mail worm in Internet history. Once a PC was infected with MyDoom, it would harvest e-mail addresses and e-mails itself out repeatedly. Early variants of MyDoom were coded to conduct DDOS attacks against other Web sites within certain time periods.
The latest MyDoom variants seen by AhnLab also include a downloader that can bring other malicious code into the compromised PC, a feature also present in earlier versions of the malware. An additional file contains details of Web site to be attacked.
It lists 13 South Korean Web sites and 23 U.S. sites, according to a Korean blogger who analyzed the source code. Most of the sites on the list are those reported to have been attacked or are still under attack.
While U.S. sites experienced problems over the weekend, in South Korea the trouble began on Tuesday night. Throughout most of Wednesday many of the Web sites, which include several high-profile properties, were unavailable.
As of 6 p.m. local time (9 a.m. GMT) government sites inaccessible are the presidential Web site, the National Assembly and those of the Foreign Affairs and National Defense ministries. Also offline are the Grand National Party, U.S. Forces Korea and the electronic banking sites of Korea Exchange Bank, Shinhan Bank and NongHyup Bank.
Shortly before 6 p.m. two major commercial sites that had been unavailable for most of the day, the Chosun Ilbo national daily and Internet Auction, reappeared. Only two of the 13 Korean sites listed had been available for most of the day: the e-mail and blog sites of major portal Naver.
AhnLab said the code has been written so its possible for the attackers to change the list of sites targeted.