RealTime IT News

MyDoom Back For More

Another MyDoom variant is back and threatening Internet users by spreading through e-mail addresses found on popular search engines, security experts said.

Several security firms warn that the new worm, dubbed Mydoom.bb by McAfee, is moving through the wild by sending copies of itself using its own SMTP engine and collecting e-mail addresses from search sites. The malicious code often fools users by pretending to be a mail delivery error message.

"We haven't seen a huge number yet," Lysa Myers, a research engineer with McAfee's antivirus and vulnerability emergency response team (AVERT), said.

"It is par for the course for MyDoom," Myers said. "It has a big initial punch and then starts dying down after 24 hours."

Once it infects a machine, the worm replicates itself under the name JAVA.EXE and searches for e-mail addresses in the Windows address book and temporary Internet files, Myers said.

The worm is then capable of selecting domain names from the addresses it has collected and using them as search words in sites like Google, Yahoo and Lycos, according to the McAfee report.

It also creates Windows registry entries so it runs with every reboot, Myers said.

McAfee raised the threat level of the worm to medium, while Symantec labeled it a three on its five-point scale.

McAfee has received more than 50 reports of the worm being spotted from users, primarily in the United States.

The worm can also download the BackDoor-CEB.f Trojan, which serves as an HTTP proxy that tries to connect to remote IRC servers, Myers said.

MyDoom first appeared in January 2004 and has spawned at least 30 variants since it made its way into the wild.

This variant is similar to one that made its way around the globe last July, but security experts believe the current incarnations will not pack such a strong punch.