MyDoom.O Hammers Search Sites

Antivirus software companies are warning e-mail users about a new version of the MyDoom e-mail worm, dubbed MyDoom.O, which is spreading on the Internet and slowing search engines, notably Lycos and Google.

Leading antivirus software companies advise customers to update their virus definitions to detect the MyDoom.O worm, which arrives as an e-mail attachment. When opened, the attachment installs the worm and opens a back door that remote attackers can use to access the infected machine. While similar to other versions of MyDoom, the O variant tests a new approach: It uses major search engines to harvest additional e-mail addresses for the Web domains it discovers, slowing the search engines in the process, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.

"The standard scheme is for viruses to look [for e-mail addresses] in the Web cache," he says, referring to the copies of previously visited Web pages kept on a computer's hard drive. When MyDoom.O finds an e-mail address, it not only sends a copy of itself to that address but also runs a Web search on the address's domain to find more addresses in that domain, according to Ullrich.

Some security firms have expressed concern that the data gathered by search engines is a resource for clever worms.

Hammering Search Sites

Ullrich estimates that "a couple hundred thousand machines" may have been infected with MyDoom.O since its discovery Monday morning. Those machines can generate huge volumes of search requests, which appear to be bogging down the major search engines.
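The behaviour Ullrich describes (a burst of search-engine queries, each asking for a single e-mail domain) is visible on the outbound side of an infected network, so one practical check is a rate-based detector over Web proxy logs. The following is an example added to this article; it is not code from the article, the SANS Internet Storm Center or any antivirus vendor. It assumes a simple "timestamp client URL" proxy log format, assumes the harvesting query looks like "@domain" (the article says only that the worm searches on the domain, not what the query string is), and uses assumed query-parameter names for the four search engines the article names as targets. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# The four search engines the article names as targets. The query-parameter
# names are assumptions for this example, not something the article states.
SEARCH_HOSTS = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "search.lycos.com": "query",
    "www.altavista.com": "q",
}

# Assumed shape of a harvesting probe: a search whose query contains "@<domain>".
PROBE_RE = re.compile(r"@([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed proxy log excerpt: "<ISO timestamp> <client> <requested URL>".
# 10.0.0.5 behaves like an infected host; 10.0.0.7 and 10.0.0.9 are ordinary users.
SAMPLE_LOG = """\
2004-07-26T07:00:01 10.0.0.5 http://www.google.com/search?q=%40example.com
2004-07-26T07:00:02 10.0.0.5 http://search.yahoo.com/search?p=%40example.com
2004-07-26T07:00:03 10.0.0.5 http://search.lycos.com/default.asp?query=%40example.com
2004-07-26T07:00:04 10.0.0.5 http://www.altavista.com/web/results?q=%40example.com
2004-07-26T07:00:09 10.0.0.5 http://www.google.com/search?q=%40sales.example.net
2004-07-26T07:00:11 10.0.0.5 http://www.google.com/search?q=%40example.org
2004-07-26T07:00:15 10.0.0.5 http://www.google.com/search?q=%40mail.example.org
2004-07-26T07:00:20 10.0.0.7 http://www.google.com/search?q=mydoom+removal+instructions
2004-07-26T07:00:21 10.0.0.7 http://www.google.com/search?q=lycos+outage
2004-07-26T07:05:30 10.0.0.9 http://search.yahoo.com/search?p=%40example.com
2004-07-26T07:30:00 10.0.0.9 http://www.google.com/search?q=%40example.org
"""


def parse_line(line):
    """Split one log line into (timestamp, client, url); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def probed_domain(url):
    """Return the domain being harvested if `url` is a search-engine request
    whose query contains "@domain"; otherwise None."""
    parsed = urlparse(url)
    param = SEARCH_HOSTS.get(parsed.netloc.lower())
    if param is None:
        return None
    query = parse_qs(parsed.query).get(param, [""])[0]  # parse_qs decodes %40 to @
    match = PROBE_RE.search(query)
    return match.group(1).lower() if match else None


def find_harvesters(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client: sorted list of probed domains} for every client that
    issued at least `threshold` harvesting probes within any `window`-long span."""
    probes = defaultdict(list)  # client -> [(timestamp, domain), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, url = rec
        domain = probed_domain(url)
        if domain:
            probes[client].append((ts, domain))

    flagged = {}
    for client, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of the newest event.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = sorted({d for _, d in events})
                break
    return flagged


if __name__ == "__main__":
    for client, domains in find_harvesters(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} domain(s) probed: {', '.join(domains)}")
```

The threshold and window are tunable; a legitimate user occasionally searching for an address-like string stays below five probes per minute, while a worm walking its harvested address list does not. The domains a flagged host probed are returned because they are the same domains the worm has already mailed, which tells the responder which counterparties may be receiving infected messages from the host.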

The worm apparently targets Google, Yahoo, Lycos, and AltaVista, say researchers at Computer Associates.

A Google spokesperson acknowledged Monday afternoon that visitors experienced slowness for a short period of time that the company believes was related to the MyDoom worm. The Google site was not "significantly impaired" by the attacks, according to the spokesperson, who added that technical staff are investigating the slowdowns and expect to have service restored for all users shortly.

A Yahoo representative says personnel at the search site noticed the effect of the virus on Yahoo search during their ongoing surveillance early Monday, and implemented "backup procedures" to compensate for the increased traffic. The company experienced "minimal latency" in its site Monday, and traffic and systems were running normally by the afternoon, according to Stephanie Ichinose, a Yahoo spokesperson.

McAfee rates the new MyDoom version a "medium" threat, citing a large number of virus samples received by the company. Symantec initially ranked MyDoom.O, which it labels MyDoom.M, a "moderate" threat, indicating a "potentially dangerous" threat to the Internet. The antivirus company later upgraded the rating to Level four (of five), citing an increase in corporate reports of infections. Computer Associates also upgraded its warnings to "medium" on Monday, based on the volume of samples received from customers.

Like previous versions of MyDoom, MyDoom.O arrives in e-mail messages sent from faked (or "spoofed") addresses, with vague subject lines such as "hello," "error," and "status."

The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user's e-mail server and, ironically, as directions to remove a virus, says Joe Telafici, director of operations for McAfee's Antivirus Emergency Response Team.

New Tactics

Like other mass-mailing worms, MyDoom.O avoids sending messages to antivirus company domains. It also tries to skirt large Web e-mail providers by not sending e-mail to the Hotmail, Yahoo, and Google domains, among others, according to antivirus companies.

Though MyDoom.O is the fifteenth version of a worm that first appeared in January, and in most ways resembles its predecessors, the new technique used by this variant--harvesting e-mail addresses via search engines--may be paying off and encouraging the spread of the O version, says Sam Curry, vice president of eTrust Security Management at Computer Associates.

Besides its Web searching, MyDoom.O also spreads more efficiently among computers connected over a peer-to-peer network, he says.

"It's one of those things where the whole is greater than the sum of its parts," Curry says. "There's nothing radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm's ability to spread."

Spreading Quickly

McAfee has received about 40 MyDoom.O virus samples per hour since first identifying the new variant at around 6:30 a.m. Pacific Time, Telafici says. That is a more sustained rate than recent outbreaks such as Bagle.AF, which died out quickly after first appearing.

Some antivirus researchers attribute such spikes to virus "seedings" that use compromised machines, or "zombies," to distribute virus-infected e-mail to millions of machines simultaneously.

The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici says.

Web performance measurement company Keynote Systems reports a decrease in the responsiveness of 40 major Web sites that it manages, beginning at around 7 a.m. Pacific Time on Monday, says Dan Berkowitz, director of corporate communications at Keynote.

The reliability measurement of the "Keynote Business 40," an index of large and highly trafficked Web sites, decreased by around 1.5 percent to 95.5 percent Monday morning, which experts at the company believe is due to the MyDoom worm, Berkowitz adds.
