Quote:What is interesting though is that sco.com and www.caldera.com are also unavailable. They shared the same IP with www.sco.com. SCO should have been able to keep these sites available by moving them to other machines and assigning them separate IP addresses, shouldn't they?
As I understand it, MyDoom has the IP hardcoded, so all the sites at that IP would be affected. Also, it looks like the malware only pings www.sco.com once to test connectivity, rather than issuing a flood. I could be wrong on that, though; I'll need to check some other (less partisan) sources.
From Symantec's site:
Quote:Checks the system date, and if the date is between February 1, 2004 and February 12, 2004, there is a 25% chance the worm will perform a DoS attack against www.sco.com. The DoS is performed by creating 63 new threads that send GET requests and use a direct connection to port 80. The worm will not mass mail itself if the DoS attack is triggered.
Notes:
The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack.
Due to the way the worm verifies the system date, the DoS will only be executed on 25% of infected computers.
The DoS will only occur when the system date is checked during the initial infection, or if the computer is restarted.
The worm will use local DNS settings to resolve the domain name used in the DoS attack (www.sco.com).
Apparently, MyDoomA will attempt to resolve www.sco.com, so I have no idea why SCO would drop the other domain names unless it's to garner sympathy, or out of ignorance.
Edit: added info from Symantec.
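A defender-side detection for the traffic Symantec describes (a pool of threads issuing GET requests straight at port 80), written as an added example that is not part of the original post or the Symantec write-up. The access-log lines are constructed, and the threshold of 30 GETs from one source within a single second is an assumption chosen for illustration.

```python
"""Flag source IPs whose GET rate looks like a thread-pool flood on port 80.

Added example: the Combined-Log-Format lines below are constructed, and the
30-requests-per-second threshold is an assumption; tune it to your baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Constructed sample: 10.0.0.5 fires 40 GETs in each of two consecutive seconds
# (as a 63-thread worker pool would), while 192.0.2.7 browses normally.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Feb/2004:16:09:{18 + i // 40:02d} +0000] "GET / HTTP/1.1" 200 512'
     for i in range(80)]
    + ['192.0.2.7 - - [01/Feb/2004:16:09:18 +0000] "GET /index.html HTTP/1.1" 200 2048',
       '192.0.2.7 - - [01/Feb/2004:16:09:19 +0000] "GET /style.css HTTP/1.1" 200 300']
)


def parse(line):
    """Return (ip, method, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], m['method'], ts


def flag_bursts(log_text, threshold=30):
    """Map each source IP to its peak GETs in any one-second bucket, keeping
    only sources whose peak reaches the threshold."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != 'GET':
            continue  # skip unparseable lines and non-GET methods
        ip, _, ts = rec
        buckets[ip][ts] += 1  # CLF timestamps have second resolution already
    peaks = {ip: max(per_second.values()) for ip, per_second in buckets.items()}
    return {ip: peak for ip, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG))  # expected: {'10.0.0.5': 40}
```

In production this would run over the real log stream with the threshold set from observed per-client rates, so that a genuine multi-threaded flood stands out while a busy legitimate client does not.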