Tuesday, July 27, 2004

Mydoom continues to cause chaos

Mydoom.m (http://www.viruslist.com/eng/viruslist.html?id=1927276), the latest version of I-Worm.Mydoom (http://www.viruslist.com/eng/viruslist.html?id=841769) is not only infecting machines around the globe, but reportedly causing problems for users of Google, Yahoo!, AltaVista and Lycos search engines.

The Mydoom.m outbreak caused the search engines either to fail intermittently or to return results far more slowly than usual. The most serious problems were experienced by users in the UK, France, and parts of the US.

This is a new twist in the long-running worm saga. Previous versions of Mydoom simply mass-mailed themselves to all addresses found on the victim machine. However, Mydoom.m has an additional trick. It not only harvests email addresses from the infected system and sends itself to these addresses, but also searches the machine's files for domain names. It then uses Google and other search engines to find additional email addresses in the same domain, and sends copies of itself to all these addresses.
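The propagation mechanism described above has a network-side signature a defender can look for: an infected host issues a burst of search-engine queries whose search terms are bare domain names rather than ordinary phrases. The following Python script, written for this post as an added example and not code from the original article or from Kaspersky Labs, runs a simple version of that heuristic over a handful of constructed proxy log lines. The log format, the list of search-engine hostnames and query parameters (Google's "q" is real; the others are assumed), and the threshold of five queries are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not real traffic): "timestamp client_ip method url status".
# 10.0.0.5 behaves like a host searching for domain names; 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
2004-07-26T10:00:01 10.0.0.5 GET http://www.google.com/search?q=example.com 200
2004-07-26T10:00:02 10.0.0.5 GET http://search.yahoo.com/search?p=example.com 200
2004-07-26T10:00:03 10.0.0.5 GET http://www.altavista.com/web/results?q=example.com 200
2004-07-26T10:00:04 10.0.0.5 GET http://search.lycos.com/default.asp?query=example.com 200
2004-07-26T10:00:05 10.0.0.5 GET http://www.google.com/search?q=example.org 200
2004-07-26T10:00:06 10.0.0.5 GET http://www.google.com/search?q=example.net 200
2004-07-26T10:00:07 10.0.0.9 GET http://www.google.com/search?q=weather+london 200
2004-07-26T10:00:08 10.0.0.9 GET http://news.example.com/index.html 200
2004-07-26T10:00:09 10.0.0.9 GET http://www.google.com/search?q=mydoom+removal 200
"""

# Assumed search-engine front ends and the query parameter each one uses.
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com",
                "www.altavista.com", "search.lycos.com"}
QUERY_PARAMS = ("q", "p", "query")

# A "bare domain" query: labels separated by dots and nothing else (no spaces, no words).
BARE_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (client_ip, url); returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _timestamp, client_ip, _method, url, _status = parts
    return client_ip, url


def extract_search_term(url):
    """Return the search term if the URL targets a known search engine, else None."""
    parsed = urlsplit(url)
    if parsed.hostname not in SEARCH_HOSTS:
        return None
    params = parse_qs(parsed.query)
    for name in QUERY_PARAMS:
        if name in params:
            return params[name][0]
    return None


def domain_queries_per_client(log_text):
    """Count, per client, the search-engine queries whose term is a bare domain name."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        client_ip, url = record
        term = extract_search_term(url)
        if term is not None and BARE_DOMAIN.match(term):
            counts[client_ip] += 1
    return dict(counts)


def flag_suspect_clients(log_text, threshold=5):
    """Return {client_ip: count} for clients at or above the (assumed) threshold."""
    return {ip: n for ip, n in domain_queries_per_client(log_text).items()
            if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} bare-domain search queries, review this host")
```

In a real deployment the threshold would be set per time window and tuned against normal traffic, since a single user can legitimately search for a domain name now and then; the point of the heuristic is the volume and uniformity of such queries from one host, which is what the text above describes.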

'This worm has a very original approach to sending infected messages. The only similar method we've seen was when Swen (http://www.viruslist.com/eng/viruslist.html?id=88029) sent itself to newsgroups, having requested a list of accessible groups from the newsgroup server,' commented Alexander Gostev, a Kaspersky Labs virus analyst. 'As for the problems experienced by some search engines, it appears that only Google actually put out a press release. Google normally processes more than 200 million search requests a day - are there really enough machines infected by Mydoom.m to put such a system out of commission?'

Google was the search engine hardest hit by the additional traffic. The search engine received approximately 45% of the additional queries generated by Mydoom.m. The intermittent failure of the service is certainly a major irritation for users accustomed to getting results at the press of a key. It took several hours for adjustments to be made so that Google functioned normally.

However, a far more serious worry is the backdoor component which Mydoom installs on victim machines. Anyone who opened the attachment to an infected message now has a system which is wide open, making it possible to remotely upload and execute programs.

So what conclusions can we draw from the latest outbreak? The facts are clear: Mydoom once again clogged mailboxes, generated additional traffic and left search engine users frustrated. Most anti-virus software vendors were quick to issue an update to their signature databases. And what should users do? As ever, ensure that antivirus protection is kept up to date, and observe the golden rule: never open attachments in a mail message from an unknown source.