The new version, variously dubbed MyDoom.M or MyDoom.O, was first detected early Monday morning and quickly went on a tear, flooding many mailboxes with hundreds of messages. It has also slowed Yahoo, AltaVista and Lycos to a crawl, because once it infects a PC, the virus automatically performs Web searches on those search engines.
E-mail screening company MessageLabs said it had intercepted more than 23,000 copies of the variants in the first five hours of their existence. McAfee Avert, the virus-tracking squad at the antivirus software maker, rated the worm a "medium on watch," or right below a high-risk vulnerability. Tens of thousands of PCs have been infected by the worm, which was first detected just before 6 a.m. PDT. The biggest impact, however, has been on the search engines.
Google, Lycos and AltaVista have been sporadically out of service all morning, while Yahoo has been slow. That's a function of how the worm spreads, said Craig Schmugar, a virus researcher at McAfee. Once installed, the virus searches for e-mail addresses on the host computer's hard drive, and then it looks for more by running queries on all four search engines.
"It is kind of an inadvertent (denial-of-service) attack," he said, because the search sites are being knocked out in the quest for more e-mail addresses. This is a twist on MyDoom: Earlier variants looked for e-mail addresses only on the host hard drive.
The worm uses the search sites to find any published e-mail addresses with the same domain name as the main e-mail address on the infected computer, said Vincent Weafer, senior director for security company Symantec's security response center. If you're infected, and your main e-mail address ends with @mycompany.com, for example, the worm will mainly attempt to propagate itself to other mycompany.com addresses.
Keeping infections in-house may also be a technological advantage, Weafer said. "We've seen from other viruses that if you propagate on the local network, it's just faster," he said.
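As an added defender-side example (not from the article or from any vendor quoted in it), the following Python scans a Web proxy log for the symptom described above: a single client issuing a burst of search-engine queries that contain the organisation's own mail domain. The log format, client addresses, domain name, window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlparse

# Constructed sample proxy log (hypothetical format: "<ISO timestamp> <client> <url>").
# 10.0.0.5 hammers all four engines for "mycompany.com" addresses; 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
2004-07-26T06:01:00 10.0.0.5 http://www.google.com/search?q=%40mycompany.com
2004-07-26T06:01:02 10.0.0.5 http://search.yahoo.com/search?p=mycompany.com
2004-07-26T06:01:03 10.0.0.5 http://www.altavista.com/web/results?q=%40mycompany.com
2004-07-26T06:01:05 10.0.0.5 http://search.lycos.com/default.asp?query=mycompany.com
2004-07-26T06:01:07 10.0.0.5 http://www.google.com/search?q=mycompany.com+email
2004-07-26T06:01:09 10.0.0.5 http://search.yahoo.com/search?p=%40mycompany.com
2004-07-26T06:02:00 10.0.0.9 http://www.google.com/search?q=lunch+menu
2004-07-26T06:30:00 10.0.0.9 http://www.google.com/search?q=weather
"""

# The four engines named in the article; matched as hostname fragments.
SEARCH_HOSTS = ("google.", "yahoo.", "altavista.", "lycos.")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def flag_harvesting_hosts(log_text, local_domain, window=timedelta(minutes=1), threshold=5):
    """Return {client: total_matching_queries} for every client that sent at least
    `threshold` search-engine queries mentioning `local_domain` inside any `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, url = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not any(fragment in host for fragment in SEARCH_HOSTS):
            continue  # only search-engine traffic is of interest
        # Decode %40 etc. so "@mycompany.com" and "mycompany.com" both match.
        if local_domain.lower() not in unquote(parsed.query).lower():
            continue
        events[client].append(datetime.fromisoformat(ts))

    flagged = {}
    for client, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(times)
                break
    return flagged
```

Ordinary users also search for their own company name, so the threshold and window matter more than the domain match itself; tune both against a baseline before alerting.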
Among other antivirus firms, McAfee explains one way to remove the virus from an infected computer.
Security experts said the new variants first surfaced in Europe and spread quickly, thanks to several factors. Messages sent by the variants pose as either a "returned mail" message from a postmaster or an alert from an internal IT administrator. Although the bounced mail spoofs weren't likely to prompt a second look, said Joe Telafici, director of operations at McAfee, those posing as a corporate IT missive were realistic enough to fool some workers.
"It appears close enough to something your IT department might send you that it could fool some people," Telafici said.
The worm also delivers a mixed payload, with only a handful of messages going through with a .zip attachment, a recently popular technique used by virus writers to avoid corporate security systems. MyDoom.M mainly arrives as a simple executable program file, Telafici said, making it more damaging for anyone who gets fooled into opening a message. "It takes fewer steps to infect yourself, which is helping (the worm) spread," he said.
Individuals may not notice a huge performance hit on their own PCs if they are connected to broadband and have a computer that is only a few years old, Schmugar said. The queries are fairly low-impact events. However, only a few medium-on-watch risks come up a year, he said, and the search engines are feeling the pinch.
Thesurfaced early this year and quickly ranked as . The original worm has since spawned numerous offshoots, including one specifically programmed to .
Marty Lindner, senior member of the technical staff at the Computer Emergency Response Team (CERT) at Carnegie Mellon University, added that the virus also comes with a back door that potentially enables a hacker to take control of an infected system. Several worms open back doors and harvest e-mail addresses. The novelty of this latest variant is that it appears to be able to launch queries. Lindner, however, stated that CERT has not fully confirmed the query function as yet.