Antivirus software companies are warning e-mail users about a new version of the MyDoom e-mail worm, dubbed MyDoom.O, which is spreading on the Internet and causing slowdowns at search engines, including those run by Lycos Inc. and Google Inc.
Leading antivirus software companies issued alerts for MyDoom.O, which was first detected Monday and arrives in e-mail message attachments that, when open, install the virus and open a back door that remote attackers can use to access infected machines. While similar to other versions of MyDoom, the O-variant is testing a new approach: using major search engines to harvest e-mail addresses on Web domains that it discovers, slowing those sites, according to Johannes Ullrich, chief technology officer at The SANS Institute’s Internet Storm Center.
“The standard scheme is for viruses to look (for e-mail addresses) in the Web cache,” he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.
The worm targets Google, Yahoo, Lycos. The AltaVista search engine owned by Overture Services, Inc. is also a target, according to a statement from Computer Associates International, Inc. The Lycos search engine could not be reached as this story was filed.
A spokesperson for Google acknowledged Monday that visitors experienced slowness for a short period of time that the company believes was related to the MyDoom worm. The spokesperson could not say whether some users were still experiencing slow response at Google.com, but said that the Google Web site was not “significantly impaired” by the attacks. Technical staff at the company are investigating the slowdowns and expect to have service restored for all users shortly, he said.
Yahoo said it noticed the effect of the virus on Yahoo search as result of ongoing surveillance early Monday and implemented “back-up procedures” to compensate for the increased traffic. The company said there was “minimal latency” in its site Monday morning, but that traffic and systems were running “normally” late Monday, according to Stephanie Ichinose, a Yahoo spokesperson.
McAfee Inc. rated the new MyDoom version a “medium” threat, citing a large number of virus samples received by the company. Symantec Corp. ranked MyDoom.O, which it labeled MyDoom.M, a “moderate” threat, indicating a “potentially dangerous” threat to the Internet.
Symantec later updated its threat rating on the new MyDoom variant to a “severe” threat, indicating a dangerous virus or worm that is difficult to contain. The company cited increased prevalence of the new worm on the Internet as a reason for increasing the severity of its warning, according to information provided by the company.
Like previous versions of MyDoom, MyDoom.O arrives in e-mail addresses sent from faked (or “spoofed”) e-mail addresses and with vague subjects such as “hello,” “error,” and “status.”
The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user’s e-mail server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee’s Antivirus Emergency Response Team (AVERT).
Like other mass-mailing worms, MyDoom.O avoids sending messages to antivirus company domains such as Sophos (PLC) and Trend (Micro Inc.) It also tries to skirt large Web e-mail providers by not sending e-mail to the Hotmail, Yahoo and Google domains, among others, according to antivirus companies.
The worm uses standard search syntax to look for e-mail addresses, which could make it difficult for search engines to separate MyDoom-generated traffic from other Internet queries, Ullrich said.
Ullrich estimated that “a couple hundred thousand machines” may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines.
Though MyDoom.O is the fifteenth version of a worm that first appeared in January, and in most ways similar to the variants that came before it, the new techniques used by the latest variant — including its use of Web search engines to harvest e-mail addresses — may be paying off and encouraging the spread of the O version, said Sam Curry, vice-president of eTrust Security Management at CA.
In addition to the Web searching, MyDoom.O also has improved features for spreading between computers connected over a peer to peer (P-to-P) network and in the message body, which uses “social engineering” tricks to lure recipients into clicking on the virus file, he said.
“It’s one of those things where the whole is greater than the sum of its parts,” Curry said. “There’s nothing here radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm’s ability to spread.”
McAfee received about 40 MyDoom.O virus samples per hour since first identifying the new variant at around 6:30 a.m. Pacific Time, Telafici said. That’s a more sustained rate than recent outbreaks like Bagle.AF, which died out quickly after first appearing. Some antivirus researchers attribute such spikes to virus “seedings” that use compromised machines, or “zombies,” to distribute virus-infected e-mail to millions of machines simultaneously.
CA also upgraded its warnings about the worm to “medium” on Monday. The company said it received more than 1,000 samples of the virus from customers since identifying the worm early Monday.
The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici said.
At Boston College in Chestnut Hill, Mass., network administrators saw a spike in MyDoom.O e-mails between 7:00 a.m. and 10:00 a.m. Eastern Time, but the virus-generated e-mail dropped off sharply after antivirus companies, including McAfee and Sophos PLC, released virus definition updates to detect MyDoom.O, said David Escalante, director of computer security at the college.
Web performance measurement company Keynote Systems Inc. said that it noticed a decrease in the responsiveness of 40 major Web sites that it manages, beginning at around 7:00 AM Pacific Time on Monday, said Dan Berkowitz, director of corporate communications at Keynote.
The reliability measurement of the “Keynote Business 40,” an index of large and highly trafficked Web sites, decreased by around 1.5 per cent to 95.5 per cent Monday morning, which experts at the company believe is due to the MyDoom worm, Berkowitz said.
Keynote, of San Mateo, Calif., was still analyzing the slowdowns Monday, but said that it noticed more pronounced slowdowns in search features offered by the 40 Web sites during the same period, and that it measured slowdowns at the four search engines targeted by MyDoom.O, he said.
Antivirus companies advised customers to update their virus definitions to detect the MyDoom.O worm.