New MyDoom Variant Stalks More Victims

Computer virus companies spent yesterday scampering to develop defenses for the newest strain of the MyDoom virus, dubbed MyDoom.O. By midmorning yesterday, thousands of e-mail inboxes were filling up with subject lines, and even specifically forged e-mail header information, designed to encourage opening.

This latest worm variant of the MyDoom family was spreading more quickly than its cousins because of human gullibility, according to computer security experts.

“This one is much more successful in looking like a bounced or returned e-mail message,” Charles Kaplan, managed security services information security officer at VeriSign, told TechNewsWorld.

MyDoom.O is much more clever in imitating the kind of notification messages computer users are used to getting when their messages are returned as undeliverable.

Familiar Code with a Twist

Kaplan said that the first traces of activity surfaced around 8:30 yesterday morning on the U.S. East Coast. About one hour later, virus protection companies were starting to issue alerts.

“Initially I didn’t see anything out of the ordinary about this new virus strain. Like previous versions, it installs its own e-mail engine and scans the hard drive for domains,” said Kaplan.

But MyDoom.O is more talented at replicating itself than earlier versions of the worm. The latest version takes the domain names it finds and queries the four major search engines for all known e-mail addresses at the target domains. Otherwise, nothing else about this latest MyDoom version is inherently different, he said.

This variant also has a back door component that will let hackers continue to take over computers already compromised by other virus infections, according to Kaplan.

Plays Up Fear Factor

The W32/MyDoom.O worm travels in the form of an e-mail attachment. The message itself pretends to be from the support team of either the users’ Internet providers or their companies’ IT departments. The varied messages all convey that the users’ PCs have been used by hackers to send spam.

“Computer users are becoming aware that spammers take over innocent third party computers to send their marketing messages,” said Graham Cluley, senior technology consultant for Sophos.

“This worm plays on that fear and pretends that users have already been hacked and exploited by spammers. All computer users should keep their antivirus up to date and ensure they never launch an unsolicited e-mail attachment,” he said.

Analysis yesterday showed that MyDoom.O does not attack any software vulnerabilities. Its success rests purely on its cleverly executed social engineering, Chris Kraft, senior security analyst for Sophos, told TechNewsWorld.

Targets Top Four Search Engines

Analysis underway late yesterday at Sophos revealed coding in the new MyDoom variant that randomly selected one of the four major search engines to find e-mail addresses.

Google.com has a 45 percent probability of selection. Lycos has a 22.5 percent probability. Yahoo has a 20 percent selection probability. Altavista.com has a 12.5 percent chance of being searched.

Kraft said the increased traffic to the Google search engine yesterday caused a large number of search requests to be rejected by the server.

“Google’s heuristics and defenses were triggering responses to search inquiries. The response was that the search cannot be processed,” he said.

Varied Script Tells Same Message

According to Kraft, the message text of the e-mail is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Version one:

Dear user of Mail server administrator of would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week. We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server. Please follow our instructions in the attachment file in order to keep your computer safe. Virtually yours user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at from —– The following addresses had permanent fatal errors ———- Transcript of the session follows —–… while talking to host :>>> MAIL From:> RCPT To: trojan proxy server. Please follow instruction in order to keep your computer safe.

Have a nice day, user support team.

Version three:

The message was undeliverable due to the following reason(s): Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within days: Mail server is not responding. The following recipients did not receive this message: Please reply to postmaster@ if you feel this message to be in error.
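The templates above are the whole attack, since the worm exploits no software flaw. A mail-gateway triage rule can therefore key on the lure wording together with the one thing a genuine bounce never carries, an executable or archive attachment. The following is an added example, not code from the article or from Sophos or VeriSign; the lure phrases are taken from the templates quoted above, while the risky-extension list and the two sample messages are constructed assumptions.

```python
"""Heuristic triage for MyDoom.O-style lures: a fake bounce or "your PC sent
spam" notice carrying an executable attachment. Added example, not vendor code."""
import re
from email import message_from_string

# Phrases lifted from the message templates quoted in the article.
LURE_PHRASES = ["trojan proxy server", r"unsolicited e-?mail messages",
                r"follow (?:our )?instructions? in (?:the )?attachment",
                "user support team", "the message could not be delivered",
                "undeliverable due to the following reason",
                "did not receive this message"]
# Attachment types a genuine bounce never carries (assumed list).
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".zip")

def score_message(raw: str) -> dict:
    """Return lure-phrase hits, attachment names, risky attachments and a verdict."""
    msg = message_from_string(raw)
    text, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            text.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    body = " ".join(text).lower()
    hits = [p for p in LURE_PHRASES if re.search(p, body)]
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    # Lure wording plus a risky attachment is the signal; wording alone is not,
    # because real bounces use much of the same language.
    return {"hits": hits, "attachments": attachments, "risky": risky,
            "suspicious": bool(risky) and bool(hits)}

# Constructed sample in the style of the worm's lure (not a real capture).
LURE_SAMPLE = """\
From: "Mail Administrator" <postmaster@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account has been used to send unsolicited e-mail messages. Your computer now
runs a trojan proxy server. Please follow our instructions in the attachment file.
--b1
Content-Type: application/octet-stream; name="instruction.zip"

--b1--
"""
# Constructed bounce with similar wording but no executable attached.
REAL_BOUNCE = ("Subject: Undelivered Mail\nContent-Type: text/plain\n\n"
               "The message could not be delivered: host not reachable.\n")
```

Running `score_message` on both samples flags only the first, which shows why the attachment check, not the wording, carries the verdict.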

Protection Built In

Kraft said the latest MyDoom worm is coded with a list of some three dozen “Do Not Query” addresses. He said the worm writers probably did this in an attempt to keep their worm in the wild as long as possible.

VeriSign’s Kaplan said private computer users and companies that don’t have adequate firewall and software protections are most at risk from MyDoom.O.

“Corporations that limit outbound mail to permitted servers will be a lot safer,” he said. “But that practice is not the default method at many businesses.”

More by Jack M. Germain