A new variant of the MyDoom worm is kicking up a small online storm,
battering search engines and opening backdoors across the globe.
The variant, named by different anti-virus vendors as either MyDoom-M,
MyDoom-N or MyDoom-O, hit the Wild on Monday and spread rapidly.
Sporting a new twist in the way it propagates, the worm contains links
to several different search engines and tries to use them to harvest
Security analysts say some search engine sites, such as Google,
reportedly experienced some slow downs and possibly even intermittent
”This is the first time I’ve ever seen a worm perform a Google search
to harvest email addresses for an email routine,” says Ken Dunham,
director of malicious code for iDefense, Inc., a security intelligence
company based in Reston, Va. ”It’s interesting that this worm was
released while Google has a pending IPO. However, it appears that the
backdoor component of the worm is the real motive behind this widespread
The new variant, which appears to have peaked yesterday, still is
circulating in high numbers today, according to analysts from
MessageLabs, Inc., a managed email security company based in New York.
Analysts there report intercepting 599,641 copies of the virus so far.
But those numbers pale in comparison to the original MyDoom, which took
the Internet by storm this past January.
Mark Sunner, chief technical officer of MessageLabs, says they
intercepted more than 5 million copies of MyDoom-A in its first 24 hours
in the Wild.
”This is causing a fair bit of commotion, but this variant hasn’t got
anywhere near the numbers of the original,” says Sunner. ”But because
of what it’s done to the search engines, its ability to affect the
community as a whole is quite significant. Other than that, we’d call
this a medium level of aggression.”
Symantec Corp., an information security company based in Cupertino,
Calif., has labeled MyDoom-M as a Level 4 threat, with Level 5 being the
The new MyDoom variant is a mass-mailing worm with an SMTP engine that
sends copies of itself out to addresses harvested from infected machines
or off of search engines. The worm also carries a Trojan that is
installed on TCP Port 1034.
” The Trojan is what has got us worried,” says Dunham. ”This backdoor
has been completely changed from the one that was in earlier versions of
MyDoom… This is a very complicated backdoor. The code is very
difficult to wade through.”
MessageLabs’ Sunner says the backdoor carries some disturbing commercial
”This variant isn’t dangerous from a traditional standpoint. It’s not
deleting files or amending spreadsheets,” says Sunner. ”But all the
viruses these days have a commercial motivation to them. That Trojan can
be used as an effective spam sending mechanism…. I don’t think this
virus’ main intention was to create denial-of-service attacks on the
search engines. This is about spam.”
Is a Second Wave Coming?
Dunham says the new MyDoom variant is just the first line of attack in a
Today, Dunham’s analysts report finding Zindos-A in the Wild. The
malware scans for randomized IP addresses with TCP port 1034 open. This
is the port that the new MyDoom variant opens. Once it finds that open
port, Zindos-A uploads a copy of itself, which is then executed by a
mechanism inside the new MyDoom. After creating a .exe file on the
infected computer and modifying the Windows registry, Zindos-A attacks
the Microsoft.com Web site with a denial-of-service attack.
”It appears that the release of Zindos-A is part of a multi-stage
MyDoom attack against Microsoft.com and possibly to perform other
actions,” says Dunham.