A new version of the MyDoom e-mail worm is swamping the Internet and slowing down search engines.
All leading anti-virus software companies have issued alerts for MyDoom.O, first detected yesterday. It arrives in e-mail message attachments that, once opened, install the virus and open a back door that remote attackers can use to access infected machines.
The O-variant, however, is testing a new approach: using major search engines to harvest e-mail addresses on Web domains that it discovers, slowing those sites, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center.
"The standard scheme is for viruses to look for e-mail addresses in the Web cache," he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.
The worm targets Google, Yahoo, Lycos and AltaVista.
A spokesman for Google acknowledged Monday that visitors experienced slowness for a short period of time that the company believes was related to the MyDoom worm. The spokesman could not say whether some users were still experiencing slow response at Google.com, but said that the Google website was not "significantly impaired" by the attacks. Technical staff at the company are investigating the slowdowns and expect to have service restored for all users shortly, he said.
Yahoo said it noticed the effect of the virus on Yahoo search as a result of ongoing surveillance early Monday and implemented "backup procedures" to compensate for the increased traffic. The company said there was "minimal latency" in its site Monday morning, but that traffic and systems were running normally late Monday, according to Stephanie Ichinose, a Yahoo spokeswoman.
McAfee rated the new MyDoom version a "medium" threat, citing a large number of virus samples received by the company. Symantec ranked MyDoom.O, which it labelled MyDoom.M, a moderate threat.
Symantec later updated its threat rating on the new MyDoom variant to a "severe" threat, indicating a dangerous virus or worm that is difficult to contain. The company cited increased prevalence of the new worm on the Internet as a reason for increasing the severity of its warning, according to information provided by the company.
Like previous versions of MyDoom, MyDoom.O arrives in e-mail messages sent from spoofed e-mail addresses and with vague subjects such as "hello," "error," and "status."
The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user's e-mail server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee's Anti-virus Emergency Response Team (AVERT).
The worm uses standard search syntax to look for e-mail addresses, which could make it difficult for search engines to separate MyDoom-generated traffic from other Internet queries, Ullrich said. He estimated that "a couple hundred thousand machines" may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines.
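The difficulty Ullrich describes is on the search engine's side: individual queries look ordinary. From the network edge of an organization, however, the worm's behaviour is visible as a burst of search-engine requests from a single host. The following is an added example, not code from the article or from any anti-virus vendor, that scans proxy log lines and flags clients whose rate of search-engine queries exceeds a threshold in any one-minute window. The log format, the search-engine hostnames and the sample log are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Search engines named in the article; the exact hostnames are an assumption.
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com",
                "search.lycos.com", "www.altavista.com"}


def parse_line(line):
    """Parse one proxy log line in the assumed format
    '<ISO timestamp> <client ip> <method> <url>'."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, url


def is_search_query(url):
    """True when the URL targets a search engine and carries a query string."""
    parts = urlsplit(url)
    return parts.hostname in SEARCH_HOSTS and parts.query != ""


def max_queries_in_window(timestamps, window):
    """Largest number of events falling inside any span of length `window`
    (sliding-window count over sorted timestamps)."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(timestamps):
        while t - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_noisy_clients(lines, window=timedelta(minutes=1), threshold=20):
    """Return {client: peak queries per window} for clients at or above
    `threshold` search-engine queries inside any single window."""
    per_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, _, url = parse_line(line)
        if is_search_query(url):
            per_client[client].append(ts)
    peaks = {c: max_queries_in_window(ts, window) for c, ts in per_client.items()}
    return {c: n for c, n in peaks.items() if n >= threshold}


def build_sample_log():
    """Constructed log: one host hammering the search engines (30 queries in
    about 45 seconds) and one host searching at a human pace."""
    base = datetime(2004, 7, 26, 9, 0, 0)
    lines = []
    hosts = sorted(SEARCH_HOSTS)
    for i in range(30):
        t = base + timedelta(seconds=i * 1.5)
        h = hosts[i % len(hosts)]
        lines.append(f"{t.isoformat()} 10.0.0.5 GET http://{h}/search?q=example.org")
    for i, q in enumerate(["weather", "news", "recipes"]):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 GET http://www.google.com/search?q={q}")
    t = base + timedelta(minutes=1)
    lines.append(f"{t.isoformat()} 10.0.0.9 GET http://www.example.org/index.html")
    return lines


if __name__ == "__main__":
    for client, peak in find_noisy_clients(build_sample_log()).items():
        print(f"{client}: {peak} search queries within one minute")
```

The threshold and window are tuning knobs; a rate that is absurd for a person at a keyboard is routine for a worm iterating over harvested domains, which is exactly the asymmetry the detection relies on. Running the block prints the infected sample host with its peak of 30 queries per minute and nothing for the normal host.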
Though MyDoom.O is the fifteenth version of a worm that first appeared in January, and in most ways similar to the variants that came before it, the new techniques used by the latest variant appear to have been very successful. In addition to the Web searching, MyDoom.O also has improved features for spreading between computers connected over a peer-to-peer network, and its message body uses social engineering tricks to lure recipients into clicking on the virus file, he said.
"It's one of those things where the whole is greater than the sum of its parts," Curry said. "There's nothing here radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm's ability to spread."
Anti-virus companies advised customers to update their virus definitions to detect the MyDoom.O worm.