MyDoom Back For More

Another MyDoom variant is back and threatening Internet users by
spreading through e-mail addresses found on popular search engines, security
experts said.

Several security firms warn that the new worm, dubbed by
McAfee, is moving through the wild by sending copies of
itself using its own SMTP engine and collecting e-mail addresses from search
sites. The malicious code often fools users by pretending to be a mail
delivery error message.

“We haven’t seen a huge number yet,” Lysa Myers, a McAfee antivirus and
vulnerability emergency response team research (AVERT) engineer, said.

“It is par for the course for MyDoom,” Myers said. “It has a big initial
punch and then starts dying down after 24 hours.”

Once it infects a machine, the worm replicates itself under the name JAVA.EXE
and searches for e-mail addresses in the Windows address book and Internet
temporary files, Myers said.

The worm is then capable of selecting domain names from the addresses it
has collected and using them as search words in sites like Google, Yahoo and
Lycos, according to the McAfee report.

It also creates Windows registry entries so it runs with every reboot,
Myers said.

McAfee raised the threat level of the worm to medium, while Symantec labeled
it a three on its five-point scale.

McAfee has received more than 50 reports of the worm being spotted, from
users primarily in the United States.

The worm can also download the BackDoor-CEB.f Trojan, which serves as an HTTP proxy that tries to connect to remote IRC servers, Myers said.

MyDoom first appeared in January 2004 and has spawned at least 30
variants since it made its way into the wild.

This variant is similar to one that made its way around the globe last July,
but security experts believe the current incarnations will not pack such a
strong punch.
