Update: MyDoom.O hammering search engines

Antivirus software companies are warning e-mail users about a new version of the MyDoom e-mail worm, dubbed MyDoom.O, which is spreading on the Internet and causing slowdowns at search engines, including those run by Lycos Inc. and Google Inc.

Leading antivirus software companies issued alerts for MyDoom.O, which was first detected Monday and arrives in e-mail message attachments that, when open, install the virus and open a back door that remote attackers can use to access infected machines. While similar to other versions of MyDoom, the O-variant is testing a new approach: using major search engines to harvest e-mail addresses on Web domains that it discovers, slowing those sites, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.

"The standard scheme is for viruses to look (for e-mail addresses) in the Web cache," he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.

The worm targets Google, Yahoo, Lycos. The AltaVista search engine owned by Overture Services, Inc. is also a target, according to a statement from Computer Associates International, Inc. The Lycos search engine could not be reached as this story was filed.

A spokesman for Google acknowledged Monday that visitors experienced slowness for a short period of time that the company believes was related to the MyDoom worm. The spokesman could not say whether some users were still experiencing slow response at Google.com, but said that the Google Web site was not "significantly impaired" by the attacks. Technical staff at the company are investigating the slowdowns and expect to have service restored for all users shortly, he said.

Yahoo said it noticed the effect of the virus on Yahoo search as result of ongoing surveillance early Monday and implemented "backup procedures" to compensate for the increased traffic. The company said there was "minimal latency" in its site Monday morning, but that traffic and systems were running "normally" late Monday, according to Stephanie Ichinose, a Yahoo spokeswoman.

McAfee Inc. rated the new MyDoom version a "medium" threat, citing a large number of virus samples received by the company. Symantec Corp. ranked MyDoom.O, which it labeled MyDoom.M, a "moderate" threat, indicating a "potentially dangerous" threat to the Internet.

Symantec later updated its threat rating on the new MyDoom variant to a "severe" threat, indicating a dangerous virus or worm that is difficult to contain. The company cited increased prevalence of the new worm on the Internet as a reason for increasing the severity of its warning, according to information provided by the company.

Like previous versions of MyDoom, MyDoom.O arrives in e-mail addresses sent from faked (or "spoofed") e-mail addresses and with vague subjects such as "hello," "error," and "status."

The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user's e-mail server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee's Antivirus Emergency Response Team (AVERT).