That's because a week earlier, MyDoom had attacked a number of search engines for the same purpose--to gather addresses and propagate itself. However, after a detailed inspection of the code in the new mass-mailing worm, researchers have realized the worm is not a spin-off of MyDoom, but a new version of another worm called Evaman.
Mikko Hypp?nen, the director of antivirus research at security company F-Secure, said one antivirus company had named the worm MyDoom and other companies had followed its lead. But after further examination, researchers found the worm was not a MyDoom variant.
CNET Reviews on
prevention and cure
"It is a pretty confusing situation right now," Hypp?nen said. "There are similarities in the operation of the virus and in the code. Everybody used the same name until somebody really paid attention and noticed it should be part of the Evaman family. But we do think they are coming from the same source or parties close to each other."
David Emm, a senior technical consultant at Kaspersky Labs, explained that researchers follow certain guidelines when naming malicious software. Their first priority, however, is to produce a detection signature, not conduct a detailed analysis, he said. It then becomes difficult to rename the malicious software because that confuses everyone who's trying to defend their networks against a specific attack.
"When a new virus turns up, the researchers are keen to build detection for it. If you back-step from the original name, you have a problem where people say 'You used to detect this, and now you don't.' So it can be a bit of a nightmare for the outside world as well as for antivirus vendors," Emm said.
Hypp?nen agreed that changing the name was not a good idea, and he wasn't sure if F-secure would do so.
"We haven't changed the name yet. We might do, but are still calling it MyDoom for now," he said.
The close similarity between the worms strengthened researchers' conviction that both worm families are being developed by the same author or group of authors.
Munir Kotadia of ZDNet UK reported from London.