Users are advised to update their antivirus protection and steer clear of suspicious e-mail attachments, as a new variant of Mydoom rampages across the Internet. Like its ancestors, the new worm – known as both Mydoom-M and Mydoom-O -- mails itself through the simple mail transfer protocol disguised as a "returned mail" notification, several antivirus firms reported Monday. @
"The growth with this one has been phenomenal," said Sam Curry, vice president of eTrust Security Management for Islandia, N.Y.-based Computer Associates. "The sheer quantity of queries against four search engines has resulted in a huge denial of service."
While most antivirus firms have labeled the worm "medium risk," Computer Associates has raised it to "high risk" and Curry said late Monday afternoon that he won't be surprised if they raise it to "critical" in the next 12 hours. "Users should make sure their antivirus protection is up to date and that they are careful about the attachments they open. Don't give this worm any more fertile ground."
The worm bogged down the Lycos, Alta Vista, Yahoo and Google search engines Monday morning and afternoon, said Brian Mann, outbreak manager for Santa Clara, Calif.-based McAfee Inc. "This outbreak is higher than what we've seen in the past couple of months, though it's not as serious as the original Mydoom," Mann said. "My advice: block as many inbound attachments as you can."
Despite Curry's concern, Mann said Mydoom-M's sprint appeared to be slowing down late Monday, and he didn't think McAfee would be raising its risk assessment above "medium."
According to Tokyo-based antivirus firm Trend Micro, the worm first checks for an Internet connection, then connects through a mail exchanger. It harvests e-mail addresses from the Windows address book file of the affected system, and checks the addresses through search engines like Google and Yahoo. The worm then spoofs the sender's name of the e-mail it sends. Subject headers appear like a common delivery failure notification -- "status," "delivery reports about your e-mail" or "returned mail: see transcript for details" -- enticing the recipient to investigate the attachment.
The worm runs on Windows 95, 98, ME, NT, 2000 and XP. Like its predecessors, it arrives in an attachment bearing a .zip, .bat, .pif, .exe, or .scr extension. However, Trend Micro said, the file name is taken from the address where the worm is intended to be sent, making it seem relevant to the intended victim. Once inside the infected machine, the worm drops a copy of itself as "Java.exe" in the Windows folder and creates an auto run registry entry to execute at every system startup.
Helsinki, Finland-based antivirus firm F-Secure said the body of the e-mail Mydoom-M sends might read as follows: "Dear user of xxxxxxx.xxx, Your account was used to send a large amount of spam during this week. Obviously, your computer had been compromised and now runs a Trojan proxy server. Please follow instruction in order to keep your computer safe. Best wishes, xxxxxxx.xxx user support team."
"People naturally are concerned when they think their message has not gone through. The virus creator is taking advantage of users' behaviors," Joe Hartmann, senior virus researcher and analyst for Trend Micro, said in a statement.
Mark Sunner, chief technology officer of New York-based antivirus firm MessageLabs, said in a statement his firm has intercepted 23,000 copies of the worm since Monday.
"Sadly, people and businesses fall prey to every one of these new virus variations, ensuring that new variants will be written and new systems compromised," Sunner said. "We are now on the 15th variant of Mydoom, on the heels of multiple new Bagle variants. For many virus writers, success is not measured in millions of copies being sent; it's measured in the number of new computers hijacked for future use."