MyDoom hammers search engines

Google, Lycos and other search engines yesterday buckled under the strain of a new version of the MyDoom e-mail worm, dubbed MyDoom.O.


Leading anti-virus software companies issued alerts for MyDoom.O, which was first detected Monday and arrives in e-mail message attachments that, when opened, install the virus and open a back door that remote attackers can use to access infected machines.


While similar to other versions of MyDoom, the O-variant breaks new ground by using major search engines to harvest e-mail addresses on Web domains that it discovers, which slows those sites, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Centre.


"The standard scheme is for viruses to look (for e-mail addresses) in the Web cache," he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.


The worm is targeting Google, Yahoo, Lycos and the AltaVista search engine owned by Overture Services, according to a statement from Computer Associates International, Inc. The Lycos search engine could not be reached as this story was filed.


A spokesman for Google acknowledged on Monday that the site was slow for a short period, which the company believes was related to the MyDoom worm.


Yahoo said it noticed the effect of the virus on Yahoo search as a result of ongoing surveillance early Monday and implemented "backup procedures" to compensate for the increased traffic. The company said that traffic and systems were "normal by late Monday."


Anti-virus vendor Symantec yesterday updated its threat rating on the new MyDoom variant from a "moderate" to a "severe" threat, indicating a dangerous virus or worm that is difficult to contain. The company cited increased prevalence of the new worm on the Internet as a reason for increasing the severity of its warning, according to information provided by the company.


Like previous versions of MyDoom, MyDoom.O arrives in e-mail messages sent from faked (or "spoofed") e-mail addresses and with vague subjects such as "hello," "error," and "status."


The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user's e-mail server and as directions to remove a virus, said Joe Telafici, director of operations for McAfee's Antivirus Emergency Response Team (AVERT).


Like other mass-mailing worms, MyDoom.O avoids sending messages to anti-virus company domains. It also tries to skirt large Web e-mail providers by not sending e-mail to the Hotmail, Yahoo and Google domains, among others, according to anti-virus companies.


The worm uses standard search syntax to look for e-mail addresses, which could make it difficult for search engines to separate MyDoom-generated traffic from other Internet queries, Ullrich said.
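As an added defender-side illustration, not part of the original article or of any search engine's tooling: a small Python heuristic run over a constructed query log that flags clients whose queries are almost entirely bare domain names fired at machine speed, which is the traffic shape the harvesting behaviour described above produces even when each query uses ordinary search syntax. The log format, sample lines and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one "timestamp client_ip query" record per line (assumed format).
SAMPLE_LOG = """\
2004-07-26T07:00:01 10.0.0.5 example.com
2004-07-26T07:00:02 10.0.0.5 example.org
2004-07-26T07:00:03 10.0.0.5 example.net
2004-07-26T07:00:04 10.0.0.5 corp-example.com
2004-07-26T07:00:05 10.0.0.5 mail.example.edu
2004-07-26T07:00:06 10.0.0.5 example.co.uk
2004-07-26T07:00:10 192.168.1.20 best pizza recipe
2004-07-26T07:05:00 192.168.1.20 example.com
2004-07-26T07:09:00 192.168.1.20 weather forecast
"""

DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)

def parse_log(text):
    """Yield (timestamp, client, query) tuples; the query may contain spaces."""
    for line in text.splitlines():
        ts, client, query = line.split(" ", 2)
        yield datetime.fromisoformat(ts), client, query.strip()

def flag_harvesters(text, min_queries=5, max_window_seconds=60, min_domain_ratio=0.8):
    """Return clients whose queries are mostly bare domain names and who issue
    at least `min_queries` of them inside one `max_window_seconds` window.
    Human users mix domain lookups with ordinary phrases and pause between queries."""
    per_client = defaultdict(list)
    for ts, client, query in parse_log(text):
        per_client[client].append((ts, bool(DOMAIN_RE.match(query))))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        domain_hits = sum(1 for _, is_domain in events if is_domain)
        ratio = domain_hits / len(events)
        # Sliding window over timestamps: size of the densest burst of queries.
        best = 0
        j = 0
        for i, (ts, _) in enumerate(events):
            while (ts - events[j][0]).total_seconds() > max_window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_queries and ratio >= min_domain_ratio:
            flagged[client] = {"burst": best, "domain_ratio": round(ratio, 2)}
    return flagged
```

On the sample log only 10.0.0.5 is flagged; the second client issues one domain query among ordinary searches minutes apart and stays below both thresholds.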


Ullrich estimated that "a couple hundred thousand machines" might be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines.


MyDoom.O is the fifteenth version of a worm that first appeared in January, but its modification to use Web search engines to harvest e-mail addresses may have paid off for the virus writers, said Sam Curry, vice president of eTrust Security Management at CA.


In addition to the Web searching, MyDoom.O also has improved features for spreading between computers connected over a peer-to-peer (P-to-P) network and in the message body, which uses "social engineering" tricks to lure recipients into clicking on the virus file, he said.


"It's one of those things where the whole is greater than the sum of its parts," Curry said. "There's nothing here radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm's ability to spread."


Web performance measurement company Keynote Systems said that it noticed a decrease in the responsiveness of 40 major Web sites that it manages, beginning at around 7:00 AM Pacific Time on Monday.


Antivirus companies advised customers to update their virus definitions to detect the MyDoom.O worm.


Paul Roberts writes for IDG News Service
