Update: MyDoom Worm Returns, Exploits Search Engines

MyDoom.o has propagated rapidly, already appearing in more then 10,000 enterprise networks, said Sam Curry, Vice President of eTrust Security Management, Computer Associates International, Islandia, N.Y.

Both new variants of the SMTP-based mass-mailing worm attempt to fool users into opening the e-mails in which they arrive by mimicking returned mail notifications. Common subject line headers include "delivery failure notification," "status," "delivery reports about your e-mail," and "returned mail: see transcript for details," according to security experts.

After opening the carrier e-mail, the worm "harvests target e-mail addresses from the Windows Address Book file of the affected system, and checks the addresses through search engines like Google and Yahoo. The worm then spoofs the sender's name on the e-mail it sends out," according to a security alert from vendor Trend Micro, Cupertino, Calif.

By leveraging the power of search engines, the new MyDoom worms are also wreaking havoc on Google, Lycos, Yahoo and Alta Vista, said Curry. Comparing these search engines to phone companies, Curry said "Imagine if you could take over every telephone company in the world and have them call your desk at the same time. That's a major denial of service attack in the works."

The worms arrive with a 28KB attachment. They affect Windows 98, ME, NT, 2000 and XP platforms. MyDoom.a was one of the Top 10 computer security threats in the first half of 2004, according to security vendor McAfee, Santa Clara, Calif.

Both CA and Trend Micro offer technical details and remediation information about the new MyDoom variants.