Nov črv – nove težave

Updated July 26th 2004 17:40 UTC (Handler: Johannes Ullrich)
* latest MyDOOM search engine use
Latest MyDoom search engine use

(initial analysis. more details, and eventual corrections, will be posted as they become available)

The latest version of MyDoom, which started arriving in peoples mail boxes in force today, uses search eninges to find more recipients for its message.

Once the virus is started, it searched the users files for domain names. Once it spotted a domain name (e.g. ‘@example.com’, or in ‘www.example.com’), it will search various search engines for valid e-mail addresses within these domains. These search engines include Lycos, Google, Altavista, Yahoo and possibly others. Some of the search strings used:

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=e-mail+example.com

Some search engines report performance issues.

Antivirus vendors are currently publishing updated signature files. Please update ASAP. Infected machines can be identified by looking for excessive traffic to search engines and smtp traffic.