New worm uses Yahoo to spread

A week after Mydoom-M clogged high-profile search engines, Mydoom-Q/Evaman-C is using Yahoo to gain traction.

Antivirus firms are calling it both Mydoom-Q and Evaman-C, and agree it packs little punch. But like last week's Mydoom-M outbreak, the worm is using a high-profile search engine to gain traction; leaving security experts worried that attackers are quickly perfecting ways to send a damaging payload to many more users.

"This latest iteration is meaningful not because of a particularly damaging payload, but because it uses something we value as a means to reach a larger target," said Brian Cincera, security practice director for New York-based Greenwich Technology Partners Inc. "We rely on easy access to information through search engines. In this case, search engines represent an attractive option for those considering ways to best deliver damaging payloads to a wide target community."

A new Yahoo worm strikes

Editor's note: Check out our article, "JavaScript worm spreads through Yahoo Mail" for more on the JS.Yamanner worm that surfaced in June 2006.
While Mydoom-Q/Evaman-C is considered a low risk, Cincera said, "This kind of delivery with a destructive payload would make it front-page news. For an IT manager, it underscores the importance of having preventative technology at the endpoint."

The mass-mailing worm copies itself to the Windows system folder as "winlibs.exe" and adds the registry entry "HKLMSoftwareMicrosoftWindowsCurrentVersionRunwinlibs.exe." It e-mails a copy of itself to addresses found on the local hard disk in files with the extensions txt, dhtm, msg, htm, xml, eml, html, sht, shtm, shtml, jse, jsp, js, php, cfg, asp, ods, mmf, dbx, tbb, adb, pl and wab. It also sends itself to addresses it finds through Yahoo People Search. Santa Clara, Calif.-based McAfee Inc. said in an advisory that the worm arrives as an e-mail attachment with a spoofed address header, takes a common name within the virus body and attaches it to the recipient's domain name:, for example.

"The technique isn't new, but it is certainly becoming more popular," said Craig Schmugar, virus research manager for McAfee AVERT. "We're seeing more blending and blurring between viruses and spam."

Read our Mydoom-M coverage

Mydoom-M on Internet rampage

Users are advised to update their antivirus protection and steer clear of suspicious e-mail attachments, as a new variant of Mydoom rampages across the Internet.
Johannes Ullrich, chief technology officer for the Bethesda, Md.-based Internet Storm Center, agrees the worm's use of a search engine like Yahoo illustrates "further cleverness" on the part of attackers. "The intent of this worm and other recent versions is to increase their pool of e-mail addresses by using big search engines," he said. "In this case, Yahoo is the engine of choice, and while it doesn't change the landscape much for IT managers, it does show the virus writers are finding ways to get many more e-mail addresses."

Despite their concern that virus writers are perfecting the means of a more devastating attack, all agree this latest worm is nothing compared to Mydoom-M, which went on an Internet rampage last week and bogged down the Lycos, Alta Vista, Yahoo and Google search engines. The attack waned by Tuesday, but a new worm, W32.Zindos-A, took advantage of doors Mydoom-M left open.

Zindos was designed to perform a denial-of-service attack against, though it was not successful. It spread through the backdoor opened on TCP port 1034 by a Trojan horse called Backdoor.Zincite-A, which Mydoom-M dropped as part of its attack.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.