Like other mass-mailing worms, MyDoom.O avoids sending messages to antivirus company domains such as Sophos PLC and Trend Micro Inc. It also tries to skirt large Web e-mail providers by not sending e-mail to the Hotmail, Yahoo and Google domains, among others, according to antivirus companies.
The worm uses standard search syntax to look for e-mail addresses, which could make it difficult for search engines to separate MyDoom-generated traffic from other Internet queries, Ullrich said.
Ullrich estimated that "a couple hundred thousand machines" may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines.
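The behaviour described above, a compromised host firing off large numbers of search-engine queries to harvest addresses, is something a proxy log will show even before signatures exist. The following is an added example, not code from the article or from any antivirus vendor: it reads constructed proxy-log lines, counts queries to a set of search engines per client inside a sliding one-minute window, and flags clients that exceed a threshold. The log format, the threshold, and the list of search-engine hostnames are assumptions for this example (the article only says "four search engines").

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Search engines the worm queries. The article names no hosts; this set is an
# assumption for the example.
SEARCH_ENGINE_HOSTS = {
    "www.google.com",
    "search.yahoo.com",
    "search.lycos.com",
    "www.altavista.com",
}

# Constructed proxy-log format (assumption): "<ISO timestamp> <client ip> <method> <url>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client, url) for a well-formed line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    return datetime.fromisoformat(ts), client, url


def is_search_query(url):
    """True if the URL targets a monitored search engine and carries a query string."""
    parts = urlsplit(url)
    return parts.hostname in SEARCH_ENGINE_HOSTS and bool(parts.query)


def find_noisy_clients(lines, threshold=20, window=timedelta(minutes=1)):
    """Flag clients that issue at least `threshold` search queries inside any `window`.

    Returns {client: peak_count} for flagged clients. One deque of timestamps is
    kept per client and trimmed to the window, so memory stays bounded per host.
    Unparseable lines are skipped rather than aborting the scan.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, url = parsed
        if not is_search_query(url):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > flagged.get(client, 0):
            flagged[client] = len(q)
    return flagged


def sample_log():
    """Constructed sample: 10.0.0.7 behaves like an infected host, 10.0.0.3 browses normally."""
    base = datetime(2004, 7, 26, 10, 0, 0)
    hosts = sorted(SEARCH_ENGINE_HOSTS)
    lines = []
    for i in range(25):  # 25 queries in 48 seconds, spread across the four engines
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 GET http://{hosts[i % 4]}/search?q=example{i}.com")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.0.0.3 GET http://www.google.com/search?q=weather")
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 10.0.0.3 GET http://www.example.org/index.html")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for client, count in find_noisy_clients(sample_log()).items():
        print(f"{client}: {count} search-engine queries within one minute")
```

The threshold is deliberately crude; in practice it is tuned per site, and the hit list is a starting point for pulling the host off the network and checking it against the vendor definitions mentioned later in the article, not a verdict on its own.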
Though MyDoom.O is the fifteenth version of a worm that first appeared in January, and in most ways similar to the variants that came before it, the new techniques used by the latest variant -- including its use of Web search engines to harvest e-mail addresses -- may be paying off and encouraging the spread of the O version, said Sam Curry, vice president of eTrust Security Management at CA.
In addition to the Web searching, MyDoom.O has improved features for spreading between computers connected over a peer-to-peer (P-to-P) network, and an improved message body that uses "social engineering" tricks to lure recipients into clicking on the virus file, he said.
"It's one of those things where the whole is greater than the sum of its parts," Curry said. "There's nothing here radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm's ability to spread."
McAfee has received about 40 MyDoom.O virus samples per hour since first identifying the new variant at around 6:30 a.m. Pacific Time, Telafici said. That is a more sustained rate than recent outbreaks such as Bagle.AF, which died out quickly after first appearing. Some antivirus researchers attribute such spikes to virus "seedings" that use compromised machines, or "zombies," to distribute virus-infected e-mail to millions of machines simultaneously.
CA also upgraded its warnings about the worm to "medium" on Monday. The company said it received more than 1,000 samples of the virus from customers since identifying the worm early Monday.
The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici said.
At Boston College in Chestnut Hill, Massachusetts, network administrators saw a spike in MyDoom.O e-mails between 7:00 a.m. and 10:00 a.m. Eastern Time, but the virus-generated e-mail dropped off sharply after antivirus companies, including McAfee and Sophos PLC, released virus definition updates to detect MyDoom.O, said David Escalante, director of computer security at the college.
Web performance measurement company Keynote Systems Inc. said that it noticed a decrease in the responsiveness of 40 major Web sites that it monitors, beginning at around 7:00 a.m. Pacific Time on Monday, said Dan Berkowitz, director of corporate communications at Keynote.
The reliability measurement of the "Keynote Business 40," an index of large and highly trafficked Web sites, decreased by around 1.5 percent to 95.5 percent Monday morning, which experts at the company believe is due to the MyDoom worm, Berkowitz said.
Keynote, of San Mateo, California, was still analyzing the slowdowns Monday, but said that it noticed more pronounced slowdowns in search features offered by the 40 Web sites during the same period, and that it measured slowdowns at the four search engines targeted by MyDoom.O, he said.
Antivirus companies advised customers to update their virus definitions to detect the MyDoom.O worm.