New worm uses Yahoo to spread

Bill Brenner

Antivirus firms are calling it both Mydoom-Q and Evaman-C, and agree it packs little punch. But like last week's Mydoom-M outbreak, the worm is using a high-profile search engine to gain traction, leaving security experts worried that attackers are quickly perfecting ways to send a damaging payload to many more users.

"This latest iteration is meaningful not because of a particularly damaging payload, but because it uses something we value as a means to reach a larger target," said Brian Cincera, security practice director for New York-based Greenwich Technology Partners Inc. "We rely on easy access to information through search engines. In this case, search engines represent an attractive option for those considering ways to best deliver damaging payloads to a wide target community."

Editor's note: Check out our article, "JavaScript worm spreads through Yahoo Mail" for more on the JS.Yamanner worm that surfaced in June 2006.

While Mydoom-Q/Evaman-C is considered a low risk, Cincera said, "This kind of delivery with a destructive payload would make it front-page news. For an IT manager, it underscores the importance of having preventative technology at the endpoint."

The mass-mailing worm copies itself to the Windows system folder as "winlibs.exe" and adds the registry entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlibs.exe." It e-mails a copy of itself to addresses found on the local hard disk in files with the extensions txt, dhtm, msg, htm, xml, eml, html, sht, shtm, shtml, jse, jsp, js, php, cfg, asp, ods, mmf, dbx, tbb, adb, pl and wab. It also sends itself to addresses it finds through Yahoo People Search. Santa Clara, Calif.-based McAfee Inc. said in an advisory that the worm arrives as an e-mail attachment with a spoofed address header, takes a common name within the virus body and attaches it to the recipient's domain name: john@mydomain.com, for example.
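As an added example, not from the article or from McAfee's advisory, the following Python checks an inbound message for the two traits just described: an executable attachment and a sender forged as a common first name at the recipient's own domain. The sample messages and the common-name list are constructed here for illustration.

```python
import email
import email.policy
import os
from email.utils import parseaddr

# Attachment types a coworker would not send unannounced.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
# Constructed stand-in for the "common name" list the worm carries.
COMMON_NAMES = {"john", "mike", "david", "alex", "bob"}

# Constructed message in the shape the article describes: forged sender
# at the recipient's own domain plus an executable attachment.
SPOOFED_SAMPLE = """\
From: john@mydomain.com
To: alice@mydomain.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"

MZ
--b1--
"""
# Constructed benign message from an external correspondent.
BENIGN_SAMPLE = "From: pat@partner.example\nTo: alice@mydomain.com\n\nnoon?\n"


def assess_message(raw: str) -> dict:
    """Parse one raw RFC 822 message and report the spoofing indicators."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_local, _, sender_domain = sender.lower().rpartition("@")
    recipient_domain = recipient.lower().rpartition("@")[2]
    executables = [
        name for part in msg.iter_attachments()
        if (name := part.get_filename())
        and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
    ]
    same_domain = bool(sender_domain) and sender_domain == recipient_domain
    common_name = sender_local in COMMON_NAMES
    return {
        "same_domain_sender": same_domain,
        "common_name_sender": common_name,
        "executable_attachments": executables,
        # An executable from a sender forged to look internal is the quarantine case.
        "suspicious": bool(executables) and (same_domain or common_name),
    }
```

A gateway that already rejects external mail claiming the local domain as sender (SPF or a simple envelope check) removes the same-domain half of this pattern outright.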

"The technique isn't new, but it is certainly becoming more popular," said Craig Schmugar, virus research manager for McAfee AVERT. "We're seeing more blending and blurring between viruses and spam."

Johannes Ullrich, chief technology officer for the Bethesda, Md.-based Internet Storm Center, agrees the worm's use of a search engine like Yahoo illustrates "further cleverness" on the part of attackers. "The intent of this worm and other recent versions is to increase their pool of e-mail addresses by using big search engines," he said. "In this case, Yahoo is the engine of choice, and while it doesn't change the landscape much for IT managers, it does show the virus writers are finding ways to get many more e-mail addresses."

Despite their concern that virus writers are perfecting the means of a more devastating attack, all agree this latest worm is nothing compared to Mydoom-M, which went on an Internet rampage last week and bogged down the Lycos, Alta Vista, Yahoo and Google search engines. The attack waned by Tuesday, but a new worm, W32.Zindos-A, took advantage of doors Mydoom-M left open.

Zindos was designed to perform a denial-of-service attack against Microsoft.com, though it was not successful. It spread through the backdoor opened on TCP port 1034 by a Trojan horse called Backdoor.Zincite-A, which Mydoom-M dropped as part of its attack.
