New MyDoom Variant Uses Yahoo People Search | eWeek

New MyDoom Variant Uses Yahoo People Search

Écrit par
Dennis Fisher
Dennis Fisher
Aug 3, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Another new version of MyDoom is worming its way through the Internet, and this variant—like the last one—uses Yahoo as part of its infection routine.

MyDoom.P is similar to most of the other MyDoom variants in that it arrives via e-mail, with a spoofed sending address and a subject line designed to make it look like the message is related to one that the recipient sent. Among the subject lines in the e-mails are “SN: New secure mail,” “Secure delivery,” “Re: Extended mail,” “Delivery Status (Secure),” “Re: Server Reply” and “SN: Server Status.”

/zimages/3/28571.gifClick hereto read about MyDoom.O, another recent variant.

The body of the e-mail contains any of a number of sentences, some of which refer to the included Zip file. Many of the messages reference security or refer to the attached file as a “secure Zip file.”

Once opened, the executable file copies itself to the Windows system directory as “winlibs.exe.” The executable contains a list of dozens of common first and surnames that it puts through Yahoos People Search in an attempt to find more e-mail addresses to mail itself to, according to a preliminary analysis of the worm done by the staff of the Internet Storm Center at The SANS Institute in Bethesda, Md.

MyDoom.O, released last week, used a similar ploy, plugging domain names into Yahoo, Google, AltaVista and Lycos search engines in an effort to find valid e-mail addresses. This caused severe slowdowns and periodic outages at several of the affected sites. As of midafternoon Tuesday, Yahoos People Search appeared to be responding normally.

Researchers on Monday discovered a new version of the Gaobot worm, which spreads through the back doors installed by MyDoom variants, among other avenues of infection. Gaobot.BAJ connects to an IRC server on port 6667 and waits for instructions from the attacker.

It then begins scanning the local network for machines sharing resources with the infected PC and tries to copy itself to those machines. Afterward, it begins scanning for PCs infected with any of the MyDoom worms and attempts to install itself through the back door these worms place on infected computers.

/zimages/3/28571.gifCheck outeWEEK.coms Se-curity Centerat http://security.eweek.com for security news, views and analysis.

/zimages/3/77042.gif

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/3/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.