InfoWorld
Update: MyDoom.O hammering search engines

Lycos, Google slowed down

By Paul Roberts, IDG News Service
July 26, 2004
 

Leading antivirus software companies issued alerts for MyDoom.O, which was first detected Monday and arrives in e-mail message attachments that, when opened, install the virus and open a back door that remote attackers can use to access infected machines. While similar to other versions of MyDoom, the O variant is testing a new approach: using major search engines to harvest more e-mail addresses from Web domains it discovers, slowing those search engines in the process, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.


"The standard scheme is for viruses to look (for e-mail addresses) in the Web cache," he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.

The worm targets Google, Yahoo, and Lycos. The AltaVista search engine, owned by Overture Services Inc., is also a target, according to a statement from Computer Associates International Inc. The Lycos search engine could not be reached as this story was filed.

A spokesman for Google acknowledged Monday that visitors experienced slowness for a short period of time that the company believes was related to the MyDoom worm. The spokesman could not say whether some users were still experiencing slow response at Google.com, but said that the Google Web site was not "significantly impaired" by the attacks. Technical staff at the company are investigating the slowdowns and expect to have service restored for all users shortly, he said.

Yahoo said it noticed the effect of the virus on Yahoo search as result of ongoing surveillance early Monday and implemented "backup procedures" to compensate for the increased traffic. The company said there was "minimal latency" in its site Monday morning, but that traffic and systems were running "normally" late Monday, according to Stephanie Ichinose, a Yahoo spokeswoman.

McAfee Inc. rated the new MyDoom version a "medium" threat, citing a large number of virus samples received by the company. Symantec Corp. ranked MyDoom.O, which it labeled MyDoom.M, a "moderate" threat, indicating a "potentially dangerous" threat to the Internet.

Symantec later updated its threat rating on the new MyDoom variant to a "severe" threat, indicating a dangerous virus or worm that is difficult to contain. The company cited increased prevalence of the new worm on the Internet as a reason for increasing the severity of its warning, according to information provided by the company.

Like previous versions of MyDoom, MyDoom.O arrives in e-mail messages sent from faked (or "spoofed") e-mail addresses and with vague subjects such as "hello," "error," and "status."

The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user's e-mail server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee's Antivirus Emergency Response Team (AVERT).

Like other mass-mailing worms, MyDoom.O avoids sending messages to antivirus company domains such as Sophos PLC and Trend Micro Inc. It also tries to skirt large Web e-mail providers by not sending e-mail to the Hotmail, Yahoo and Google domains, among others, according to antivirus companies.
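The traits described above (vague subjects, a spoofed sender posing as the recipient's own mail administrator, an attachment to open, and text about removing a virus) are the kind of thing a mail gateway can score without a signature. The following is an added example, not code from the article or from any antivirus vendor: a small scorer built on Python's standard `email` package. The protected domain (`example.edu`), the internal network range, the list of risky attachment extensions, the lure phrases beyond those the article quotes, and the quarantine threshold are all assumptions, and both sample messages are constructed for this example.

```python
"""Score an inbound message for the lure traits the article attributes to MyDoom.O.

Added example; assumptions are marked in comments.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"                            # assumed: the domain we protect
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed: where real internal mail hosts live
VAGUE_SUBJECTS = {"hello", "error", "status"}           # the subjects the article quotes
ADMIN_LOCALPARTS = {"postmaster", "mailer-daemon", "admin", "administrator"}   # assumed
RISKY_EXT = re.compile(r"\.(exe|scr|pif|bat|cmd|com|zip)$", re.I)             # assumed list
LURE_PHRASES = ("remove the virus", "see the attached", "could not be delivered")  # assumed
QUARANTINE_AT = 5                                       # assumed threshold
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the host that handed the message to our MX (topmost Received header)."""
    m = IP_IN_BRACKETS.search(str(msg["Received"] or ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def score_message(raw):
    """Return (score, reasons) for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in VAGUE_SUBJECTS:
        score += 2
        reasons.append(f"vague subject {subject!r}")

    # "Administrative message from the user's e-mail server" that did not come from inside.
    _, sender = parseaddr(str(msg["From"] or ""))
    local, _, domain = sender.rpartition("@")
    ip = connecting_ip(msg)
    if (domain.lower() == LOCAL_DOMAIN and local.lower() in ADMIN_LOCALPARTS
            and ip is not None and not any(ip in net for net in INTERNAL_NETS)):
        score += 3
        reasons.append(f"claims to be {sender} but arrived from {ip}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RISKY_EXT.search(name):
            score += 3
            reasons.append(f"executable/archive attachment {name!r}")
            break

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in LURE_PHRASES):
        score += 1
        reasons.append("body asks the recipient to open the attachment or remove a virus")

    return score, reasons


def should_quarantine(raw):
    return score_message(raw)[0] >= QUARANTINE_AT


# Constructed sample: the lure shape described in the article (spoofed postmaster,
# subject "error", bounce-style text, executable attachment). Not a real worm message.
WORM_LIKE = """\
Received: from example.edu (unknown [198.51.100.23]) by mx.example.edu with SMTP; Mon, 26 Jul 2004 07:12:00 -0400
From: "Mail Administrator" <postmaster@example.edu>
To: jdoe@example.edu
Subject: error
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The message you sent could not be delivered. Please see the attached file
for instructions on how to remove the virus.

--b1
Content-Type: application/octet-stream; name="message.scr"
Content-Disposition: attachment; filename="message.scr"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1--
"""

# Constructed benign message from an outside partner.
BENIGN = """\
Received: from mail.partner.example.com (mail.partner.example.com [203.0.113.5]) by mx.example.edu with ESMTP; Mon, 26 Jul 2004 07:15:00 -0400
From: Alice <alice@partner.example.com>
To: jdoe@example.edu
Subject: Q3 budget figures
Content-Type: text/plain; charset="us-ascii"

Hi, the figures we discussed are below.
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, score_message(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

The spoof check deliberately keys on the combination of an administrative local part at the local domain and an external connecting IP, because a lone `From:` header is trivially forged and a lone external IP describes all legitimate inbound mail; a real deployment would also want the envelope sender and an SPF or similar check, which this example leaves out.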

The worm uses standard search syntax to look for e-mail addresses, which could make it difficult for search engines to separate MyDoom-generated traffic from other Internet queries, Ullrich said.

Ullrich estimated that "a couple hundred thousand machines" may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines.
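Seen one query at a time, the worm's searches are indistinguishable from a person's, as Ullrich says. Seen per client over a short window they are not: a single host firing bare-domain queries at several engines in quick succession is the pattern to look for on an outbound proxy. The following is an added example, not code from the article or from the Internet Storm Center: a detector run over constructed proxy log lines. The log format (`<unix-ts> <client-ip> <method> <url>`), the engine hostnames and their query parameter names, and the thresholds are assumptions for the example.

```python
"""Flag proxy clients whose search-engine traffic looks like address harvesting.

Added example; the log format, engine hostnames, query parameter names and
thresholds are assumptions, and SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Engines named in the article -> query parameter (hostnames and parameters assumed).
SEARCH_ENGINES = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "search.lycos.com": "query",
    "www.altavista.com": "q",
}

# A query that is nothing but a bare domain name, e.g. "example.edu".
DOMAIN_ONLY = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def extract_query(url):
    """Return (engine, query) if url is a search against a listed engine, else None."""
    parts = urlparse(url)
    param = SEARCH_ENGINES.get(parts.hostname)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return (parts.hostname, values[0].strip()) if values else None


def parse_line(line):
    """Assumed proxy log format: '<unix-ts> <client-ip> <method> <url>'."""
    ts, client, _method, url = line.split()[:4]
    return float(ts), client, url


def find_harvesters(lines, window=60, min_queries=10, min_engines=2, domain_ratio=0.8):
    """Per client, slide a window of `window` seconds over its search queries and
    flag the first window holding >= min_queries queries, spread over
    >= min_engines engines, of which >= domain_ratio are bare domain names."""
    events = defaultdict(list)                      # client -> [(ts, engine, is_domain_only)]
    for line in lines:
        ts, client, url = parse_line(line)
        hit = extract_query(url)
        if hit:
            events[client].append((ts, hit[0], bool(DOMAIN_ONLY.match(hit[1]))))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_queries:
                continue
            engines = {engine for _, engine, _ in win}
            ratio = sum(is_domain for _, _, is_domain in win) / len(win)
            if len(engines) >= min_engines and ratio >= domain_ratio:
                flagged[client] = {"queries": len(win), "engines": sorted(engines),
                                   "domain_only_ratio": round(ratio, 2)}
                break
    return flagged


# Constructed sample log: one person searching (10.0.0.5), one host behaving like
# the worm (10.0.0.7: twelve bare-domain queries across four engines in 22 seconds).
ENGINE_URLS = [
    "http://www.google.com/search?q={}",
    "http://search.yahoo.com/search?p={}",
    "http://search.lycos.com/default.asp?query={}",
    "http://www.altavista.com/web/results?q={}",
]
HARVEST_TARGETS = ["example.edu", "example.com", "corp.example.net"]
SAMPLE_LOG = [
    "1090850400.0 10.0.0.5 GET http://www.google.com/search?q=mydoom+removal+tool",
    "1090850425.0 10.0.0.5 GET http://search.yahoo.com/search?p=antivirus+definitions",
    "1090850470.0 10.0.0.5 GET http://www.google.com/search?q=example.edu",
] + [
    f"{1090850400 + 2 * i}.0 10.0.0.7 GET " + ENGINE_URLS[i % 4].format(HARVEST_TARGETS[i % 3])
    for i in range(12)
]

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

The person at 10.0.0.5 also issues one bare-domain query, which is why the rule requires a burst across several engines rather than reacting to any single domain-only search; tune `window` and `min_queries` against your own proxy's baseline before acting on hits.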

Though MyDoom.O is the fifteenth version of a worm that first appeared in January, and in most ways similar to the variants that came before it, the new techniques used by the latest variant -- including its use of Web search engines to harvest e-mail addresses -- may be paying off and encouraging the spread of the O version, said Sam Curry, vice president of eTrust Security Management at CA.

In addition to the Web searching, MyDoom.O also has improved features for spreading between computers connected over a peer-to-peer (P-to-P) network and a message body that uses "social engineering" tricks to lure recipients into clicking on the virus file, he said.

"It's one of those things where the whole is greater than the sum of its parts," Curry said. "There's nothing here radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm's ability to spread."

McAfee has received about 40 MyDoom.O virus samples per hour since first identifying the new variant at around 6:30 a.m. Pacific Time, Telafici said. That's a more sustained rate than recent outbreaks like Bagle.AF, which died out quickly after first appearing. Some antivirus researchers attribute such spikes to virus "seedings" that use compromised machines, or "zombies," to distribute virus-infected e-mail to millions of machines simultaneously.

CA also upgraded its warnings about the worm to "medium" on Monday. The company said it received more than 1,000 samples of the virus from customers since identifying the worm early Monday.

The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici said.

At Boston College in Chestnut Hill, Massachusetts, network administrators saw a spike in MyDoom.O e-mails between 7:00 a.m. and 10:00 a.m. Eastern Time, but the virus-generated e-mail dropped off sharply after antivirus companies, including McAfee and Sophos PLC, released virus definition updates to detect MyDoom.O, said David Escalante, director of computer security at the college.

Web performance measurement company Keynote Systems Inc. said that it noticed a decrease in the responsiveness of 40 major Web sites that it monitors, beginning at around 7:00 a.m. Pacific Time on Monday, said Dan Berkowitz, director of corporate communications at Keynote.

The reliability measurement of the "Keynote Business 40," an index of large and highly trafficked Web sites, decreased by around 1.5 percent to 95.5 percent Monday morning, which experts at the company believe is due to the MyDoom worm, Berkowitz said.

Keynote, of San Mateo, California, was still analyzing the slowdowns Monday, but said that it noticed more pronounced slowdowns in search features offered by the 40 Web sites during the same period, and that it measured slowdowns at the four search engines targeted by MyDoom.O, he said.

Antivirus companies advised customers to update their virus definitions to detect the MyDoom.O worm.