Microsoft is suffering another Mydoom attack
Two novel viruses are seeking to cash in on the success of the Mydoom virus. These variants of the original bug are making their way around the net using Windows machines still infected by Mydoom.
The more widespread variant, called Doomjuice, launches a denial of service attack on the Microsoft.com website.
The other variant, dubbed Deadhat, uninstalls other versions of Mydoom it finds and then tries to cripple a PC's anti-virus protection.
Attack damage
Unlike the original Mydoom.A virus, neither Doomjuice nor Deadhat travels via e-mail.
Instead, both randomly scan net addresses and upload themselves to any infected machines they find.
They can spread this way because Mydoom opened up backdoors on infected machines to allow the creator of the virus to remotely control any compromised PC.
So far anti-virus firms report that Doomjuice is having more success in spreading to the 75,000 or so machines still thought to be infected with Mydoom.A.
At its peak Mydoom.A was believed to have infected about a million Windows PCs.
Security firms suspect that Doomjuice was written by the author of the original Mydoom.A virus as it loads a copy of the bug's source code on machines it manages to find.
According to anti-virus firm F-Secure, this tactic is intended to hinder investigations.
"Before the Doomjuice incident, only the authors of Mydoom.A had the original source code," said Mikko Hypponen, director of anti-virus research at F-Secure, "now probably tens of thousands of people have it on their hard drive, without knowing it."
Once this is done the virus launches an attack on the Microsoft.com website by repeatedly trying to load the site's front page.
Big hitter
According to net monitoring firm Netcraft this attack may have been responsible for disrupting the smooth running of the Microsoft website on Monday morning when it was temporarily unavailable.
If Doomjuice is responsible for this outage, then it has been more successful than the Mydoom.B variant which did not spread widely and caused Microsoft little trouble.
In preparation for these attacks Microsoft has created a mirror of its site in case the main domain is overwhelmed. It has also changed a key property of the site in case it quickly has to move to a new address.
In contrast to this success the Deadhat virus is not thought to be widespread.
If this virus finds an infected machine it removes any copies of Mydoom.A and Mydoom.B that are resident, installs itself and then attempts to stop the computer running anti-virus software or getting updates to protect itself against future infections.
According to statistics gathered by mail filtering firm MessageLabs, Mydoom.A has now become the most active virus of all time.
In the 16 days since it first appeared the company has caught more than 38m copies of it.
By contrast it has only managed to grab 33m copies of Sobig.F, which appeared in August 2003.