Experts say they can't understand why, yet a new variant of the Mydoom worm is on the move.
"It's yet another stupid worm that deserves to get absolutely nowhere, but will probably prey upon the unwitting populace," said Roger Thompson, director of malicious content research for Islandia, N.Y.-based Computer Associates Inc.
Mydoom-BB is just another variant of the Mydoom worm, which first began circulating a little more than a year ago and has had varying degrees of success in infecting large numbers of users. Among its more inventive lines of attack have been three variants that targeted the Windows IFRAME vulnerability.
"With so many variants over the last year and more, this Mydoom variant stands out from the others with its blinding speed and its potential to hurt the public," said Sam Curry, vice president of eTrust Security Management at Computer Associates. "We've seen incremental improvements with little impact, but the blending of social engineering, subtle tricks and a devastating payload that can set up a network of abuse makes [this variant] stand out from the run-of-the-mill Mydooms."
Mydoom-BB [also called Mydoom-O and Mydoom-AW] uses its own SMTP engine, spoofs the From: address, spreads via peer-to-peer networks and downloads a Trojan, according to Bruce Hughes, director of malicious code research at Herndon, Va.-based Cybertrust. It travels as .exe, .com, .scr, .pif, .bat, .cmd and .zip files.
However, Mydoom-BB has one characteristic, more interesting than anything in its predecessors, that is contributing to its spread.
"This worm is interesting not only because it has started to spread in the wild, and is actually seeing decent penetration, but because it is using search engines to harvest e-mail addresses," said Michael Murray, director of vulnerability and exposure research at San Francisco-based nCircle Network Security. "The worm is using Google, Altavista, Yahoo and Lycos to grab e-mail addresses for propagation. It can also propagate via P2P networks."
McAfee Inc. upgraded its threat level to medium today based on prevalence. The Beaverton, Oregon-based company said the worm was spreading in the U.S. and that it had also received reports from Australia and the U.K. It identified the Trojan as BackDoor.CEB-F and said Mydoom-BB will show Windows Explorer listening on TCP Port 1034. Panda Software meanwhile raised its threat level to high, as did Computer Associates.
McAfee said Mydoom-BB uses these subject lines:
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
Recommended mitigations include updating antivirus signatures as they become available, filtering executable attachments at the gateway and blocking or scanning compressed files.
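A gateway check of the kind those mitigations describe, added here as an illustration rather than McAfee's or any vendor's code: it matches the subject lines quoted above, flags the executable attachment types the article lists, and looks inside .zip attachments rather than passing them through unscanned. The sample message, sender address and file names are constructed for the example.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Subject lines and attachment types quoted in the article above
MYDOOM_BB_SUBJECTS = {
    "delivery failed", "message could not be delivered",
    "mail system error - returned mail", "delivery reports about your e-mail",
    "returned mail: see transcript for details", "returned mail: data format error",
}
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def risky_names(part):
    """Executable attachment names, including executables found inside a .zip."""
    name = part.get_filename() or ""
    if name.lower().endswith(EXECUTABLE_EXTS):
        return [name]
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                return [f"{name}:{m}" for m in zf.namelist()
                        if m.lower().endswith(EXECUTABLE_EXTS)]
        except zipfile.BadZipFile:
            return [f"{name}:unreadable-zip"]  # corrupt archive: cannot scan, treat as risky
    return []

def assess(raw: bytes) -> dict:
    """Gateway verdict: quarantine if any executable attachment is present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = str(msg["subject"] or "").strip().lower() in MYDOOM_BB_SUBJECTS
    risky = [n for part in msg.walk() if part.get_filename() for n in risky_names(part)]
    return {"subject_match": subject_hit, "risky_attachments": risky,
            "quarantine": bool(risky)}

def build_sample() -> bytes:
    """Constructed sample lure (not a real capture): bounce-style subject, spoofed
    sender, zip carrying an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transcript.exe", b"placeholder bytes, not real code")
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Returned mail: see transcript for details"
    m.set_content("The original message was included as an attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="transcript.zip")
    return m.as_bytes()
```

The subject match is reported separately from the quarantine decision because bounce-style subjects also occur on legitimate mail; the attachment content is what should drive blocking.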
"As always, the best defense against any type of mass-mailing worm such as this one is not to open e-mail attachments," said Murray. "Proper e-mail hygiene will stop or severely hinder this type of worm."
For more information, visit the McAfee Web site.