MyDoom.M Worm
The shut-down of Google yesterday and the heavy impact on Yahoo, Lycos and other directories and search engines were caused by a new version of the Mydoom e-mail worm, dubbed W32.Mydoom.M@mm (Symantec), W32/Mydoom.o@MM (McAfee), W32/MyDoom-O (Sophos), WORM_MYDOOM.M (Trend), Win32.Mydoom.O (Computer Associates).
Virus programs normally search for e-mail addresses in the cache of previously visited web pages stored on your computer hard drive or in your address book. They then send copies of themselves to those addresses. When Mydoom.M finds an e-mail address, it also sends a search engine enquiry and uses the results to discover yet more addresses in that domain. This is what is clogging up the search engines.
Symantec ranked Mydoom.M a Category 4 threat, indicating a 'potentially dangerous' threat to the Internet. Like previous versions of Mydoom, Mydoom.M arrives in e-mail messages sent from faked or spoofed e-mail addresses and with vague subjects such as "hello," "error," and "status." The attachment has a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension; it may also have a second extension, which will be either .doc, .txt, .htm, or .html. The worm also uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment, including posing as an administrative message from your e-mail server with directions to remove a virus.
Recommended Actions:
1. Update your virus definitions to detect the Mydoom.M/O worm.
2. If you are a company, remind your staff of your policy (assuming you have one!) on Internet use.
3. Be vigilant regarding opening attachments.
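
The attachment naming pattern described above can also be checked automatically at the mail gateway or on a saved message. The following Python sketch is an added example, not part of the original post or of any vendor's tool: it parses a message and flags attachments whose final extension is on the list above, with a stronger verdict when a document-style extension sits in front of it. The function names, the verdict labels, the sample message and the assumption that the decoy extension comes before the real one (possibly padded with spaces) are all constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension lists exactly as the article gives them for Mydoom.M attachments.
CARRIER_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}
DECOY_EXTS = {".doc", ".txt", ".htm", ".html"}

def classify_filename(name):
    """Return 'double-extension', 'listed-extension' or None for one filename."""
    # Assumption: the decoy extension comes first and may be padded with
    # spaces so that the real, final extension is pushed out of view.
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in CARRIER_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "listed-extension"

def scan_message(raw_bytes):
    """Parse a raw message and return [(filename, verdict)] for flagged attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed test message with harmless placeholder attachment bodies."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "status"
    m.set_content("Constructed sample body.")
    for fname in ("readme.txt      .scr", "notes.txt", "message.zip"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample()):
        print(f"{verdict}: {fname!r}")
```

A "listed-extension" hit on its own is only a prompt for caution, since ordinary .zip and .exe attachments match it too; the "double-extension" verdict is the one worth quarantining on.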

