
MyDoom.O hammering search engines

Jul 26, 2004

Anti-virus software companies are warning e-mail users about a new version of the MyDoom e-mail worm, dubbed MyDoom.O, which is spreading on the Internet and causing slowdowns at search engines, including those run by Lycos and Google.

Leading anti-virus software companies issued alerts for MyDoom.O, which was first detected Monday and arrives in e-mail message attachments that, when opened, install the virus and open a back door that remote attackers can use to access infected machines. While similar to other versions of MyDoom, the O-variant is testing a new approach: using major search engines to harvest e-mail addresses on Web domains that it discovers, slowing those sites, according to Johannes Ullrich, chief technology officer at The SANS Institute’s Internet Storm Center.

“The standard scheme is for viruses to look (for e-mail addresses) in the Web cache,” he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.

Ullrich estimated that “a couple hundred thousand machines” may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines. A number of sources reported difficulty reaching Google, Yahoo and other sites Monday. The Lycos search engine could not be reached as this story was filed.

Google declined to comment for the story. Yahoo was unable to immediately comment.

McAfee rated the new MyDoom version a “medium” threat, citing a large number of virus samples received by the company. Symantec ranked MyDoom.O, which it labeled MyDoom.M, a “moderate” threat, indicating a “potentially dangerous” threat to the Internet.

Like previous versions of MyDoom, MyDoom.O arrives in e-mail messages sent from faked (or “spoofed”) e-mail addresses and with vague subjects such as “hello,” “error,” and “status.”

The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user’s e-mail server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee’s Antivirus Emergency Response Team (AVERT).

McAfee has received about 40 MyDoom.O virus samples per hour since first identifying the new variant at around 6:30 a.m. Pacific Time, Telafici said. That’s a more sustained rate than recent outbreaks like Bagle.AF, which died out quickly after first appearing. Some anti-virus researchers attribute such spikes to virus “seedings” that use compromised machines, or “zombies,” to distribute virus-infected e-mail to millions of machines simultaneously.

The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici said.

At Boston College in Chestnut Hill, Massachusetts, network administrators saw a spike in MyDoom.O e-mail between 7:00 a.m. and 10:00 a.m. Eastern Time, but the virus-generated e-mail dropped off sharply after anti-virus companies, including McAfee and Sophos, released virus definition updates to detect MyDoom.O, said David Escalante, director of computer security at the college.

Anti-virus companies advised customers to update their virus definitions to detect the MyDoom.O worm.