MyDoom Variant Searches Google For New Victims

Dubbed MyDoom.as, MyDoom.au, or MyDoom.bb -- depending on the anti-virus vendor -- the worm is essentially the same as MyDoom.o, which debuted in July 2004. The biggest difference, said experts, is that it's assembled with a different code "packager."

"It's basically the same as MyDoom.o," said Graham Cluley, a senior technology consultant with U.K.-based security vendor Sophos. "It's packaged with 'mew,' a tool that some hackers use to disguise their malware."

While early results were mixed Thursday morning -- some vendors said that the new MyDoom was spreading relatively slowly, while others said just the opposite -- all have raised their warning ratings for the malicious code to at least medium.

"We're not seeing MyDoom as particularly significant," said Cluley. "It's currently the ninth most common virus we're seeing, but it's accounting for just two percent of all viruses and worms, far below that of, say, old versions of Netsky or Zafi."


Sam Curry, the vice president of Computer Associates' eTrust security group, had a different take. "We're raising MyDoom.au to 'high' in part because of the rate at which it's spreading."

MyDoom.o in 2004 and today's variation share several characteristics, most notably code that uses four search sites -- Google, Yahoo, AltaVista, and Lycos -- to sniff out additional e-mail addresses to use for propagating.

"Like other e-mail worms, it searches your hard drive for addresses, but then it uses the domain names it's found to discover other victims via search engines," said Cluley. "So, if it finds the e-mail address '[email protected]' on your drive, it then searches Google and perhaps finds Donald Duck and Bambi's addresses, too."
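One defender-side way to spot the harvesting behaviour described above is to watch outbound proxy logs for a single client issuing many search-engine queries that consist of nothing but a bare domain name. The following is an added example, not code from the article or from any anti-virus vendor; the proxy log format, the sample lines, the search-site hostnames and the alert threshold are all constructed assumptions.

```python
"""Flag clients that query search engines for bare domain names, the
address-harvesting pattern the article attributes to MyDoom.o and its
2005 variants. Log format and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hostname fragments of the four search sites named in the article (assumed).
SEARCH_HOSTS = ("google.", "yahoo.", "altavista.", "lycos.")
# A query that is exactly a domain name, e.g. "example.com".
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# Constructed proxy log lines: "<client_ip> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=example.com
10.0.0.5 GET http://search.yahoo.com/search?p=example.com
10.0.0.5 GET http://www.altavista.com/web/results?q=example.org
10.0.0.5 GET http://search.lycos.com/?query=example.net
10.0.0.7 GET http://www.google.com/search?q=how+to+patch+windows
10.0.0.7 GET http://www.google.com/search?q=example.com
"""


def is_harvest_query(url: str) -> bool:
    """True if url is a search-site request whose query is a bare domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not any(tag in host for tag in SEARCH_HOSTS):
        return False
    for values in parse_qs(parts.query).values():
        if any(DOMAIN_RE.match(v.strip()) for v in values):
            return True
    return False


def suspicious_clients(log_text: str, threshold: int = 3) -> dict:
    """Return {client_ip: count} for clients at or above the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _method, url = fields
        if is_harvest_query(url):
            counts[client] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} bare-domain search queries")
```

A real deployment would key on the worm's actual query shape and volume rather than this crude threshold, but the per-client grouping and bare-domain test are the core of the detection.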

Unlike last summer, however, when Google's (and other search sites') performance suffered because of the large number of searches run by infected machines, it's unlikely Google or the other search sites will be affected by the newest MyDoom.

"I don't expect that to happen this time," said Cluley. "For one thing, there doesn't seem to be a critical mass. And Google and others took action last year, so that when they get these types of requests now, they just reject them."

Benchmarking data from Web monitoring and metrics vendor AlertSite bore out Cluley's prediction. "We report no impact to Yahoo and Google," said a spokesman for the Boca Raton, Fla.-based company.

MyDoom.as/au/bb shares common characteristics with other members of the family, including posing as an e-mail system error message, disguising the payload in a variety of file formats (including .zip), and, most damaging, depositing a backdoor on the infected PC.

"The variant knocking at the front door is familiar, but it's leaving the backdoor open to something much more sinister," said CA's Curry. "It's creating a zombie network."

The backdoor Trojan, which was identified as Gawo by CA, CEB.f by McAfee, and Nemog.d by Symantec -- naming consistency isn't one of the anti-virus industry's strengths -- opens port 1034 and listens for commands from the controlling hacker.

"This is typical of worms and viruses," said Cluley. "Hackers try to download a backdoor component which they can then use to upload other programs to conduct spam or denial-of-service attacks."

Cluley and Curry, as well as representatives from other security firms, urged users to update their virus definition files (although some vendors will detect the new MyDoom as is).

Several anti-virus companies have posted detection and removal tools, including this one from Symantec.

When MyDoom recently had its first "anniversary," experts pegged the worm as a "turning point" and "major milestone" in worm creation, thanks to the for-profit motivation of its writer(s), who are more interested in creating vast armies of compromised machines than gaining 15 minutes of infamy.

As Thursday's example shows, MyDoom is far from dead, said Curry of Computer Associates. "MyDooms usually come in a string of four or five in a row that use essentially the same code, but every now and then one uses the right combination of social engineering or code to spread faster," he said.

"[MyDoom] may be a year old, but it can still be prolific," he said.