Performance problems reported at major Internet search engines were not the result of a direct denial-of-service attack launched by the latest variant of the MyDoom worm, anti-virus researchers said Monday.
The latest version, variously named MyDoom.M, [email protected] or MyDoom.O, is slightly different from earlier versions because it uses the search engines to verify and locate additional e-mail domains to infect, said Lloyd Taylor, vice president of technology and operations at Keynote Systems Inc. of San Mateo, Calif.
The worm spread rapidly as people arrived at work Monday morning and began clicking on e-mail messages that included the worm code, Taylor said. The worm “started spreading so quickly that the sheer number of machines doing e-mail searches overloaded the search engines ability to handle them,” Taylor said.
Internet users experienced intermittent problems on Monday with accessing popular search engines including Google, Yahoo, Lycos and AltaVista, according to Trend Micro Inc.
Search engine performance started to return to normal Monday afternoon, Taylor said, after the search engines effectively blocked the MyDoom e-mail searches. The access interruptions were scattered and intermittent, Taylor noted. Users in one part of a large city such as New York might report outages, while users in another area would have no problem accessing the search engines.
But PC users whose machines were infected face potential problems in the future. As in earlier MyDoom variants, the worm implants a “back door” into the operating system that will allow an intruder to take control of a machine and potentially use it as a spam or pornography distribution server, Taylor said.
Users should ensure that their anti-virus protection software is updated. They should run a virus scan if they have any suspicion that they deployed the worm on their system.
This particular MyDoom variant spread quickly because it used a form of “social engineering” to trick users into clicking on the infected file, which might be in the form of a .txt, .doc, .com or .exe file, Taylor noted. It usually took the form of a warning from a corporate IT department saying that it appeared a users machine had been used as a spam server.
The message also told the users to click on the file attachment to get instructions on how to remove the spam server from their machines. But clicking on the file would actually deploy the worm.
The rapid spread of MyDoom.M is not an indication that virus attacks are getting more sophisticated or are more of a threat today to search engines or to other online software platforms, Taylor said. All e-mail users are just as vulnerable today as they always have been, Taylor said.
But the search engine sites showed they could respond rapidly to block the problem, Taylor said. Major software and product distribution sites such as Salesforce.com, Siebel.com, Oracle.com and Amazon.com all have security in place to ward off such attacks, he said.
The latest worm attack mainly shows that PC users are as naive as ever about opening potentially damaging e-mail attachments, Taylor said. Users have to think twice before they click on any attachment that appears to be out of the ordinary, he said.
This latest worm isnt likely to cause long-lasting problems for either the search engines or corporate network managers, said Joseph Hartmann, director of North American anti-virus research at Trend Micro.
“This is more like a garden-variety virus infection,” he said. It may be causing initial trouble on some corporate local area networks, Hartmann said. But he said he doesnt believe it will be as damaging as some the other recent infections, such as the Bagle or Netsky worms.
“People arent going to remember this latest attack for very long after this week,” because it should prove relatively easy to block and clean from networks and personal machines, Hartmann said.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: