Antivirus companies spent yesterday scrambling to develop defenses for the newest strain of the MyDoom virus, dubbed MyDoom.O. By mid-morning yesterday, thousands of e-mail inboxes were filling up with subject lines -- and even specifically forged e-mail header information -- designed to encourage opening.
This latest worm variant of the MyDoom family was spreading more quickly than its cousins because of human gullibility, according to computer security experts.
"This one is much more successful in looking like a bounced or returned e-mail message," Charles Kaplan, managed security services information security officer at VeriSign (Nasdaq: VRSN), told TechNewsWorld.
MyDoom.O is much better at imitating the kind of notification messages computer users are used to getting when their messages are returned as undeliverable.
Familiar Code with a Twist
Kaplan said that the first traces of activity surfaced around 8:30 yesterday morning on the U.S. East Coast. About an hour later, virus protection companies were starting to issue alerts.
"Initially I didn't see anything out of the ordinary about this new virus strain. Like previous versions, it installs its own e-mail engine and scans the hard drive for domains," said Kaplan.
But MyDoom.O is more talented at replicating itself than earlier versions of the worm. The latest version takes the domain names it finds and searches the four major search engines for all known e-mail addresses at the target domains. Otherwise, nothing else about this latest MyDoom version is inherently different, he said.
This variant also has a back door component that will let hackers continue to take over computers already compromised by other virus infections, according to Kaplan.
Plays Up Fear Factor
The W32/MyDoom.O worm travels in the form of an e-mail attachment. The message itself pretends to be from the support team of either the users' Internet providers or their companies' IT departments. The varied messages all convey that the users' PCs have been used by hackers to send spam.
"Computer users are becoming aware that spammers take over innocent third-party computers to send their marketing messages," said Graham Cluley, senior technology consultant for Sophos.
"This worm plays on that fear and pretends that users have already been hacked and exploited by spammers. All computer users should keep their antivirus up to date and ensure they never launch an unsolicited e-mail attachment," he said.
Analysis yesterday showed that MyDoom.O does not attack any software vulnerabilities. Its success rests purely on its cleverly executed social engineering, Chris Kraft, senior security analyst for Sophos, told TechNewsWorld.
Targets Top Four Search Engines
Analysis underway late yesterday at Sophos revealed coding in the new MyDoom variant that randomly selected one of the four major search engines to find e-mail addresses.
Google.com has a 45 percent probability of selection. Lycos has a 22.5 percent probability. Yahoo (Nasdaq: YHOO) has a 20 percent selection probability. Altavista.com has a 12.5 percent chance of being searched.
Kraft said the increased traffic to the Google (Nasdaq: GOOG) search engine yesterday caused a large number of search requests to be rejected by the server.
"Google's heuristics and defenses were triggering responses to search inquiries. The response was that the search can not be processed," he said.
Varied Script Tells Same Message
According to Kraft, the message text of the e-mail is constructed from a set of optional strings within the worm. The message sent is either blank or similar to one of the following:
Version one:
Dear user of Mail server administrator of would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week. We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server. Please follow our instructions in the attachment file in order to keep your computer safe. Virtually yours, user support team. The message could not be delivered
The original message was included as attachment
The original message was received at
Version two:
Dear user Your account was used to send a large amount of spam during this week. Obviously, your computer had been compromised and now runs a trojan proxy server. Please follow instruction in order to keep your computer safe.
Have a nice day,
user support team.
Version three:
The message was undeliverable due to the following reason(s): Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within
days: Mail server is not responding. The following recipients did not receive this message: Please reply to postmaster@ if you feel this message to be in error.
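A defender-side illustration of the lure described under "Plays Up Fear Factor" and in the three templates above, added here as an example and not part of the original article: a gateway-style check that flags a message only when its body matches one of the quoted templates and it also carries an executable attachment, so an ordinary bounce without an attachment is left alone. The lure phrases come from the templates; the extension list, the sample messages and the build_sample helper are constructed assumptions.

```python
# Added example (not from the article): a gateway-style check for the MyDoom.O
# lure described above. Extension list and sample messages are assumptions.
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional
# Phrases taken from the three lure templates quoted in the article.
LURE_PHRASES = (
    "trojan proxy server",
    "user support team",
    "the message could not be delivered",
    "the following recipients did not receive this message",
)
# Assumed list: extensions a genuine bounce notice would never carry.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)

def lure_score(msg: EmailMessage) -> int:
    """Number of lure phrases found in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    return sum(1 for phrase in LURE_PHRASES if phrase in text)

def executable_attachments(msg: EmailMessage) -> List[str]:
    """Filenames of attachments with an executable-looking extension."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if n.endswith(EXEC_EXTENSIONS)]

def is_suspected_mydoom_lure(raw: bytes) -> bool:
    """Flag only when lure text AND an executable attachment are both present,
    so an ordinary bounce without an attachment is not quarantined."""
    msg = parse(raw)
    return lure_score(msg) >= 1 and bool(executable_attachments(msg))

def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Construct a sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "postmaster@example.test", "user@example.test", subject
    m.set_content(body)
    if attachment:  # fake payload bytes; never a real executable
        m.add_attachment(b"MZ-not-real", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

SAMPLE_LURE = build_sample("Mail Delivery System", "Your account was used to send spam "
    "this week. Obviously, your computer now runs a trojan proxy server.", "instruction.exe")
SAMPLE_REAL_BOUNCE = build_sample("Undelivered Mail Returned to Sender",
    "The message could not be delivered. Recipient address rejected.", None)
```

The second sample matches a lure phrase but has no attachment, which is exactly the case the two-condition rule keeps out of quarantine.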
Protection Built In
Kraft said the latest MyDoom worm is coded with a list of some three dozen "Do Not Query" addresses. He said the worm writers probably did this in an attempt to keep their worm in the wild as long as possible.
VeriSign's Kaplan said private computer users and companies that don't have adequate firewall and software protections are most at risk from MyDoom.O.
"Corporations that limit outbound mail to permitted servers will be a lot safer," he said. "But that practice is not the default method at many businesses."