Antivirus firms are calling it both Mydoom-Q and Evaman-C, and agree it packs little punch. But like last week's Mydoom-M outbreak, the worm is using a high-profile search engine to gain traction, leaving security experts worried that attackers are quickly perfecting ways to send a damaging payload to many more users.
"This latest iteration is meaningful not because of a particularly damaging payload, but because it uses something we value as a means to reach a larger target," said Brian Cincera, security practice director for New York-based Greenwich Technology Partners Inc. "We rely on easy access to information through search engines. In this case, search engines represent an attractive option for those considering ways to best deliver damaging payloads to a wide target community."
The mass-mailing worm copies itself to the Windows system folder as "winlibs.exe" and adds the registry entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlibs.exe." It e-mails a copy of itself to addresses found on the local hard disk in files with the extensions txt, dhtm, msg, htm, xml, eml, html, sht, shtm, shtml, jse, jsp, js, php, cfg, asp, ods, mmf, dbx, tbb, adb, pl and wab. It also sends itself to addresses it finds through Yahoo People Search. Santa Clara, Calif.-based McAfee Inc. said in an advisory that the worm arrives as an e-mail attachment with a spoofed address header, takes a common name within the virus body and attaches it to the recipient's domain name: firstname.lastname@example.org, for example.
"The technique isn't new, but it is certainly becoming more popular," said Craig Schmugar, virus research manager for McAfee AVERT. "We're seeing more blending and blurring between viruses and spam."
Despite their concern that virus writers are perfecting the means of a more devastating attack, all agree this latest worm is nothing compared to Mydoom-M, which went on an Internet rampage last week and bogged down the Lycos, AltaVista, Yahoo and Google search engines. The attack waned by Tuesday, but a new worm, W32.Zindos-A, took advantage of doors Mydoom-M left open.
Zindos was designed to perform a denial-of-service attack against Microsoft.com, though it was not successful. It spread through the backdoor opened on TCP port 1034 by a Trojan horse called Backdoor.Zincite-A, which Mydoom-M dropped as part of its attack.
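The article names three host indicators a responder can check for: the dropped file winlibs.exe in the Windows system folder, the matching value under the HKLM Run key, and a process listening on TCP port 1034 for the Zincite backdoor. The script below is an added example, not code from the article or from any antivirus vendor; it takes the Run-key values, a system-folder listing and `netstat -ano` output as plain data (the sample inputs are constructed here) so it can be run offline against a collected triage package. Feeding it live data means running `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, `dir %SystemRoot%\System32` and `netstat -ano` on the host and pasting the results in.

```python
"""Host IOC check for the Mydoom-Q and Zincite/Zindos indicators named in the article.

Added example, not code from the article or any vendor advisory. Only the
indicator values (winlibs.exe, the Run key, TCP 1034) come from the text; the
input formats and the SAMPLE_* data below are constructed for demonstration.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# Indicators taken from the article.
DROPPED_FILE = "winlibs.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BACKDOOR_PORT = 1034

# winlibs.exe as a whole token in a command line: preceded by a path separator,
# quote, whitespace or start of string, and followed by quote, whitespace or end.
_RUN_CMD_RE = re.compile(
    r'(?:^|[\\/"\s])' + re.escape(DROPPED_FILE) + r'(?:$|["\s])', re.IGNORECASE
)

# One `netstat -ano` row: TCP <local addr>:<port> <foreign> LISTENING <pid>
_NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?", re.IGNORECASE
)


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Return names of Run-key values whose command line launches winlibs.exe.

    run_values maps value name -> command string, as `reg query` reports them.
    The worm registers the value name "winlibs.exe", but matching on the command
    line also catches a renamed value pointing at the same binary.
    """
    return [name for name, cmd in run_values.items() if _RUN_CMD_RE.search(cmd)]


def check_system_folder(listing: Iterable[str]) -> List[str]:
    """Return paths from a system-folder listing whose basename is winlibs.exe."""
    return [p for p in listing if ntpath.basename(p).lower() == DROPPED_FILE]


def check_backdoor_port(netstat_lines: Iterable[str], port: int = BACKDOOR_PORT) -> List[dict]:
    """Parse `netstat -ano` rows and return LISTENING TCP sockets bound to `port`.

    Only LISTENING rows count: an ESTABLISHED outbound connection that happens to
    use 1034 as its local ephemeral port is not the backdoor.
    """
    found = []
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            pid = int(m.group(3)) if m.group(3) else None
            found.append({"addr": m.group(1), "port": port, "pid": pid})
    return found


def assess(run_values: Dict[str, str], listing: Iterable[str], netstat_lines: Iterable[str]) -> dict:
    """Combine the three checks into one report.

    A listener on 1034 alone is weak evidence (other software can bind it), so it
    is reported separately from the file/Run-key indicators rather than merged
    into a single verdict; corroborate it by inspecting the owning PID.
    """
    report = {
        "run_key_hits": check_run_key(run_values),
        "dropped_file_hits": check_system_folder(listing),
        "port_1034_listeners": check_backdoor_port(netstat_lines),
    }
    report["mydoom_q_indicators"] = bool(report["run_key_hits"] or report["dropped_file_hits"])
    report["zincite_backdoor_suspected"] = bool(report["port_1034_listeners"])
    return report


# Constructed sample data standing in for a triage package from an infected XP host.
SAMPLE_RUN_VALUES = {
    "SynTPEnh": r'"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"',
    "winlibs.exe": r"C:\WINDOWS\System32\winlibs.exe",
}
SAMPLE_SYSTEM_LISTING = [
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\winlibs.exe",
    r"C:\WINDOWS\System32\winlogon.exe",
]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
    "  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1744",
    "  TCP    192.168.1.5:1038       64.233.161.99:80       ESTABLISHED     2204",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_LISTING, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

Because the checks take data rather than touching the registry or sockets themselves, the same functions can be pointed at output collected from many hosts by a login script, which is how the port-1034 indicator would have been swept across a network while Mydoom-M's backdoors were still open.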