UK security experts have pooh-poohed the claim that the Mydoom virus would cost $250 million. US analysts thought that would be the cost of the Mydoom outbreak, but experts this side of the pond reckon the total cost will be a lot less, since the virus was actually less severe than last summer's MS Blast virus.
As a bonus, European users will get off even lighter, since we have better security preparations, says a European expert. "For sure, this worm is a severe one, but MS Blast was way more severe for the structure of the Internet," said Raimund Genes, president, EMEA, of anti-virus company Trend Micro. "This worm did not infect as many machines as the MS Blast worm and probably won't cost as much to repair."
In the US media, John Pescatore, president of Internet security at analysts Gartner Group, has been widely quoted as saying that Mydoom would cost $250 million, including lost productivity. "The real cost is going back and cleaning computers," said Pescatore, who put the cost of last year's SoBig worm (similar to MS Blast) at $50 million.
"I would disagree with this," said Genes. Mydoom looked bad because it generated a lot of traffic from comparatively few infected hosts, he said. "One infected system can send out 200 emails per minute," he said. "One site had filters which stopped 4570 copies of the virus, but they came from only 26 infected machines."
Although it is too early to tell how many machines were infected, or what the total cost is, it would not be greater than the other viruses, said Genes. The number of machines infected is likely to be less than the 100,00 which MS Blast hit. While everyone else got hot under the collar, Trend Micro only rated Mydoom as a medium risk virus.
"Mydoom had less impact in Europe, because in general Europe is more security aware," said Genes, crediting European data protection legislation. "As a public company in Europe you are personally responsible if you have no counter measures against this."
This view was endorsed by one user whom Techworld spoke to. Andy Reid, IT director at Eton College, said that his users were well trained. "We forcibly and repeatedly educate our users not to open unknown attachments without verifying their contents first with the sender. In the event of such attacks we circulate messages notifying users of any side-effects, such as unexpected warning messages in cases where sender email addresses have been spoofed."
He said that the college's defences had worked perfectly. "Our mail relays were trapping Mydoom attachments several hours before the IDE patches were released," he said.
Genes said that the timing also helped European users, as the virus was launched in the evening, European time, and the morning US time. Many Europeans were already protected by a virus signature by the time they started work on Tuesday morning. "Most of the European victims I saw were subsidiaries of US companies," said Genes.
Some companies are still infected however, said Genes, probably because they do not realise that viruses such as MS Blast and Mydoom contain their own SMTP e-mail engine, and will not leave traces in the Sent Items folders of their victims.
This is serious, because Mydoom leaves open ports which opportunistic hackers can attack. Both Microsoft and SCO have offered rewards for the Mydoom writers' scalps.
One feature of Mydoom that increased traffic - and confusion - was its ability to spoof the return address on e-mails. Some anti-virus programs automatically send a notification back to the source of a mailed virus but, in this case, these messages were sent to innocent third parties, causing many of them to phone helpdesks. "It is useful to have an anti-virus product where that function can be turned off," said another Trend Micro spokesperson.