MyDoom Variant Zaps Search Engines, E-Mail

UPDATED: The most recent version of the e-mail worm uses search engines to find new victims to infect and may be the cause of delays on Google, AltaVista and Yahoo.

A new variant of the MyDoom worm that hit the Internet hard on Monday is causing massive e-mail slowdowns across the Web, and it may be to blame for problems plaguing several search engines.

Variously named MyDoom.M, MyDoom.M@mm or MyDoom.O, the new worm is little different from its predecessors in most of its behaviors and characteristics. But its one distinguishing feature is that it uses search engines to find new victims to infect. This may have been to blame for the delays that hit most of the popular search engines early Monday, including Google, AltaVista and Yahoo.

"The Google search engine experienced slowness for a short period of time early today because of the MyDoom virus, which flooded major search engines with automated searches," said Google spokesman Nathan Tyler. "A small percentage of our users and networks that have the MyDoom virus have been affected for a longer period of time. At no point was the Google website significantly impaired, and service for all users and networks is expected to be restored shortly."

Once the worm infects a machine, it searches the PC for e-mail addresses and then begins mailing itself out. But it also uses the search engines to find other valid e-mail addresses in the same domains as the ones it finds on the infected machine.

With thousands of machines estimated to be infected already, this flood of traffic to the search engines appears to be wreaking havoc. New York-based mail security company MessageLabs Inc. said it intercepted more than 23,000 copies of the worm in the first five hours.
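The propagation behavior described above gives defenders something to look for on their own network: an internal host issuing a burst of search-engine queries that all contain "@domain" terms. The following is an added detection example, not code from the original article or from any vendor; it assumes a constructed Squid-style proxy log (timestamp, client, method, URL) and the query-parameter names used by the three engines named in the story.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines in a "timestamp client method url" layout.
# These are assumptions for this example, not records from any real incident.
SAMPLE_LOG = """\
1090857601.100 10.0.0.5 GET http://www.google.com/search?q=%40example.com
1090857601.400 10.0.0.5 GET http://search.yahoo.com/search?p=%40example.com+mail
1090857601.900 10.0.0.5 GET http://www.altavista.com/web/results?q=%40example.com
1090857602.300 10.0.0.5 GET http://www.google.com/search?q=%40partner.example
1090857602.700 10.0.0.5 GET http://www.google.com/search?q=%40example.com+contact
1090857603.000 10.0.0.5 GET http://www.google.com/search?q=%40example.com+staff
1090857640.000 10.0.0.9 GET http://www.google.com/search?q=mydoom+removal
1090857650.000 10.0.0.9 GET http://www.cnn.com/
"""

SEARCH_HOSTS = ("google.", "altavista.", "search.yahoo.")
QUERY_KEYS = ("q", "p")  # assumption: Google/AltaVista use q, Yahoo uses p
DOMAIN_TERM = re.compile(r"@[a-z0-9.-]+\.[a-z]{2,}", re.I)

def parse_line(line):
    ts, client, _method, url = line.split()
    return float(ts), client, url

def is_domain_harvest_query(url):
    """True if url is a search-engine query whose terms contain an '@domain' token."""
    parsed = urlparse(url)
    if not any(h in parsed.netloc for h in SEARCH_HOSTS):
        return False
    qs = parse_qs(parsed.query)  # percent-decodes, so %40 becomes '@'
    terms = " ".join(v for k in QUERY_KEYS for v in qs.get(k, []))
    return bool(DOMAIN_TERM.search(terms))

def flag_hosts(log_text, window_s=10.0, threshold=5):
    """Return {client: peak_count} for clients issuing >= threshold harvest
    queries within any sliding window of window_s seconds."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, url = parse_line(line)
            if is_domain_harvest_query(url):
                per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged
```

A single query carrying an "@domain" term is ordinary user behavior; the signal is the rate, so tune `window_s` and `threshold` against a baseline of your own proxy traffic before alerting on it.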


Some other Web sites appear to be experiencing outages as well, leading some security researchers to wonder about the timing of the virus outbreak and the outages.

"I don't believe in coincidences," said Sam Curry, vice president of the eTrust security division at Computer Associates International Inc., in Islandia, N.Y. "A lot of mail servers are having trouble, a lot of sites are going offline. We're looking to connect the dots.

"But you can't make assumptions at this point," Curry said. "Either someone is doing all of this and using the viruses as a diversion, or it's all connected."


MyDoom.O first appeared late Sunday night and has yet to reach its peak, Curry said. He believes it may go from its current severity rating of medium to high or possibly critical by Tuesday.

The worm attempts to fool users into opening the infected attachment by including a message that informs them that their PC has been sending out large amounts of spam recently and may be hosting a spam proxy.

The attachment is disguised as instructions for removing the proxy. The sending address is spoofed, and the name of the attachment typically includes the domain name of the recipient.

Meanwhile, Symantec Corp.'s DeepSight Threat Services organization revised upwards its ThreatCon assessment for the latest attack from Level 2 to Level 3. Insiders familiar with the ratings service suggested this was an unusual move for the service.

Editor's Note: This story was updated to include comments from Google representatives and additional information on the worm from security researchers.
