MyDoom puts spanner in search engines

27 Jul 2004

A variant of the Mydoom computer virus that infected thousands of computers in January is on the rampage again, hitting a number of major search engines including Google, Yahoo!, Altavista and Lycos.

Security firms monitored the rapid proliferation of the Mydoom.O mass-mailing worm, with UK-based MessageLabs saying that it had intercepted 23,000 copies in the first five hours of the outbreak.

Computer Associates announced that it has raised the threat level for the Mydoom.O worm to high, based on extremely intensive activity levels and exponential growth. CA said that it had received more than 1,000 samples from enterprise customers on Mydoom.O, which is bombarding a number of search engines with search requests.

This latest worm is a ‘blended’ or ‘hybrid’ threat, employing many techniques (e.g. file share and mail worm vectors, ‘spoofed’ email addresses, and backdoor Trojans) to deliver its harmful payload. Mydoom.O uses search engines and websites as it seeks to find new targets, and the sheer volume of such traffic effectively causes denial of service attacks.

“Since Mydoom.O can easily spread from PC to PC, it only takes a small number of uninformed victims to start an avalanche of infections,” said Sam Curry, vice president of eTrust security management at CA. “This underscores the importance of threat awareness and of safe computing practices. We all need to make sure that worms don’t find fertile ground to breed in.”

CA advised corporate and home users to check their security/antivirus vendor’s sites to keep track of the latest variants and to be careful to update their software at least daily as new virus strains emerge. It also advised computer users to verify any unsolicited emails with senders and noted that infected Mydoom.O emails could contain one of the following subject lines: hello, hi, error, status, test, report, delivery failed, Message could not be delivered, Mail System Error – Returned Mail, Delivery reports about your e-mail, Returned mail: see transcript for details and Returned mail: Data format error.

Meanwhile, another security vendor, Symantec, is giving MyDoom.O a threat ranking of ‘4’, the first time the company has used that ranking since Sasser, and McAfee is classifying it as ‘medium-on-Watch,’ a rating used just three times in 2003 and once this year.

By Brian Skelly