A computer virus which affected the operation of Google yesterday is spreading like wildfire.
MyDoom-M (AKA MyDoom-O) has adopted a new trick of using search engines to find email addresses to target for infection. The worm queries search.lycos.com, search.yahoo.com, AltaVista, and Google in its attempts to harvest additional email addresses for possible distribution. Google blamed the virus after some users complained of search results turning up nothing but error messages.
User reports of problems with Google - along with problems accessing MSDN, Microsoft.com and Hotmail - poured into The Register yesterday afternoon. Netcraft, the Net monitoring firm, said it had noticed no performance problems with Microsoft.com and our inquiries to Akamai, which runs the content distribution network used by many Microsoft sites, also drew a blank. Microsoft said the worm did not affect its sites directly but may have affected the ability of some of its users to reach those sites.
Alex Shipp of email security firm MessageLabs, said early analysis of the worm has revealed nothing to suggest it targeted Microsoft sites directly. However, the volume of traffic generated by the worm may have downgraded system performance for many people, causing the problems observed by many of you.
MessageLabs blocked 23,000 copies of MyDoom-O within the first five hours of the worm's outbreak yesterday morning. Today anti-virus firm Symantec has upgraded the worm to a Level 4 threat (Level 5 is the most severe) due to increased submission rates.
Beware bogus security warning
Mydoom-O is a mass-mailing worm that opens a back door - Zincite-A - on port 1034/TCP of compromised PCs. This gives attackers remote, unauthorised access to infected PCs. MyDoom-O spreads aggressively through email, using its own SMTP engine. This mass mailing may clog mail servers and downgrade system performance.
The worm sends emails to addresses harvested from infected PCs as well as to email addresses it finds through search engines. The sender's From: email address is invariably forged, and therefore does not indicate the true identity of the sender. The subject and body of infected messages vary, but normally refer to bogus security warnings ostensibly from a user's own administrator. This social engineering ruse, although by no means new, helps explain MyDoom-O's wildfire spread.
Standard precautions apply to defending against the bug: update AV signature files and (if you're an admin) consider introducing controls to block executables at the gateway. If you're a regular user, be careful of those unsolicited attachments, even from people you know. As usual, MyDoom-O is a Windows-only menace. But security-conscious PC, Linux or Mac users are not wholly immune though, thanks to the blizzard of bounced and redirected messages generated as a result of MyDoom's spoofing behaviour. ®