MyDoom.P is similar to most of the other MyDoom variants in that it arrives via e-mail, with a spoofed sending address and a subject line designed to make it look like the message is related to one that the recipient sent. Among the subject lines in the e-mails are "SN: New secure mail," "Secure delivery," "Re: Extended mail," "Delivery Status (Secure)," "Re: Server Reply" and "SN: Server Status."
The body of the e-mail contains any of a number of sentences, some of which refer to the included Zip file. Many of the messages reference security or refer to the attached file as a "secure Zip file."
Once opened, the executable file copies itself to the Windows system directory as "winlibs.exe." The executable contains a list of dozens of common first and surnames that it puts through Yahoos People Search in an attempt to find more e-mail addresses to mail itself to, according to a preliminary analysis of the worm done by the staff of the Internet Storm Center at The SANS Institute in Bethesda, Md.
MyDoom.O, released last week, used a similar ploy, plugging domain names into Yahoo, Google, AltaVista and Lycos search engines in an effort to find valid e-mail addresses. This caused severe slowdowns and periodic outages at several of the affected sites. As of midafternoon Tuesday, Yahoos People Search appeared to be responding normally.
Researchers on Monday discovered a new version of the Gaobot worm, which spreads through the back doors installed by MyDoom variants, among other avenues of infection. Gaobot.BAJ connects to an IRC server on port 6667 and waits for instructions from the attacker.
It then begins scanning the local network for machines sharing resources with the infected PC and tries to copy itself to those machines. Afterward, it begins scanning for PCs infected with any of the MyDoom worms and attempts to install itself through the back door these worms place on infected computers.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: