
Some cunning social engineering downs internet search
Published: 27 July 2004 09:05 GMT
A pesky new variant of the MyDoom worm has slammed four popular search engines and continued to clog email accounts around the world.
The new version, variously dubbed MyDoom.M or MyDoom.O, was first detected early on Monday morning and quickly went on to flood many mailboxes with hundreds of messages. It has also slowed Google, Yahoo!, AltaVista and Lycos to a crawl, because once it infects a PC, the virus automatically performs web searches on those search engines.
Email screening company MessageLabs said it had intercepted more than 23,000 copies of the variants in the first five hours of their existence. McAfee Avert, the virus-tracking squad at the antivirus software maker, rated the worm a "medium on watch," or right below a high-risk vulnerability. Tens of thousands of PCs have been infected by the worm, which was first detected just before 6 a.m. PDT. The biggest impact, however, has been on the search engines.
Google, Lycos and AltaVista have been sporadically out of service all morning, while Yahoo! has been slow. That's a function of how the worm spreads, said Craig Schmugar, a virus researcher at McAfee. Once installed, the virus searches for email addresses on the host computer's hard drive, and then it looks for more by running queries on all four search engines.
"It is kind of an inadvertent [denial-of-service] attack," he said, because the search sites are being knocked out in the quest for more email addresses. This is a twist on MyDoom: Earlier variants looked for email addresses only on the host hard drive.
The worm uses the search sites to find any published email addresses with the same domain name as the main email address on the infected computer, said Vincent Weafer, senior director for security company Symantec's security response centre. If you're infected, and your main email address ends with @mycompany.com, for example, the worm will mainly attempt to propagate itself to other mycompany.com addresses.
The technique offers several evolutionary advantages, Weafer said, most significantly the psychological advantage of having infected messages look as if they come from co-workers. "It's really the social engineering aspect of making you think it's coming from someone inside your company," Weafer said.
Keeping infections in-house may also be a technological advantage, Weafer said. "We've seen from other viruses that if you propagate on the local network, it's just faster," he said.
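The propagation behaviour described above, a burst of queries for the host's own mail domain across the four search engines, is visible from a web proxy log. The following Python script is an added example and not part of the original article: it reads a constructed, simplified proxy log, picks out queries to the four engines (the query-parameter names for each engine are an assumption of the example), and flags any client that issues at least a threshold number of search queries inside a short sliding window, reporting the term being hammered.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# The four engines named in the article. Which query-string parameter carried
# the search term on each site is an assumption of this example.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "www.altavista.com": "q",
    "search.lycos.com": "query",
}

# Constructed proxy log excerpt in a simplified "timestamp client url" format.
# 10.0.0.7 behaves like an infected host: a burst of queries for its own mail
# domain across all four engines. 10.0.0.12 is an ordinary user. 10.0.0.20
# issues the same queries but spread over two hours, so a rate rule ignores it.
SAMPLE_LOG = """\
2004-07-26T06:01:12 10.0.0.7 http://www.google.com/search?q=mycompany.com
2004-07-26T06:01:14 10.0.0.7 http://search.yahoo.com/search?p=mycompany.com
2004-07-26T06:01:15 10.0.0.12 http://www.google.com/search?q=weather+london
2004-07-26T06:01:17 10.0.0.7 http://www.altavista.com/web/results?q=mycompany.com
2004-07-26T06:01:19 10.0.0.7 http://search.lycos.com/default.asp?query=mycompany.com
2004-07-26T06:01:22 10.0.0.7 http://www.google.com/search?q=mycompany.com&start=10
2004-07-26T06:02:03 10.0.0.7 http://www.google.com/search?q=mycompany.com&start=20
2004-07-26T06:05:40 10.0.0.12 http://search.yahoo.com/search?p=cnet+news
2004-07-26T06:10:00 10.0.0.20 http://www.google.com/search?q=mycompany.com
2004-07-26T06:40:00 10.0.0.20 http://www.google.com/search?q=mycompany.com&start=10
2004-07-26T07:10:00 10.0.0.20 http://search.yahoo.com/search?p=mycompany.com
2004-07-26T07:40:00 10.0.0.20 http://www.altavista.com/web/results?q=mycompany.com
2004-07-26T08:10:00 10.0.0.20 http://search.lycos.com/default.asp?query=mycompany.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def search_term(url):
    """Return the search term if url is a query to one of the four engines, else None."""
    parsed = urlparse(url)
    param = SEARCH_ENGINES.get(parsed.hostname)
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)
    return values[0] if values else None


def search_events(log_text):
    """Yield (timestamp, client, term) for every search-engine query in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, client, url = m.groups()
        term = search_term(url)
        if term is not None:
            yield datetime.fromisoformat(ts), client, term


def flag_hosts(log_text, threshold=5, window_minutes=5):
    """Flag clients issuing >= threshold search-engine queries within the window.

    Returns {client: (peak_count, most_common_term)} so an analyst sees both the
    rate and the term being repeated (the worm searches for its own mail domain).
    """
    window = timedelta(minutes=window_minutes)
    per_client = defaultdict(list)
    for ts, client, term in search_events(log_text):
        per_client[client].append((ts, term))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it is within `window` of events[end]
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            term, _ = Counter(t for _, t in events).most_common(1)[0]
            flagged[client] = (peak, term)
    return flagged


if __name__ == "__main__":
    for client, (count, term) in flag_hosts(SAMPLE_LOG).items():
        print(f"{client}: {count} search queries within 5 minutes, term={term!r}")
```

The threshold and window are deliberately conservative: the article notes that each query is a low-impact event on the infected PC, so what distinguishes an infected host is the repetition of one term across engines in a short span, not any single request. Widening the window (for example to three hours) also catches the slow host in the sample, at the cost of more false positives from ordinary browsing.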
Security experts said the new variants first surfaced in Europe and spread quickly, thanks to several factors. Messages sent by the variants pose as either a "returned mail" message from a postmaster or an alert from an internal IT administrator. Although the bounced mail spoofs weren't likely to prompt a second look, said Joe Telafici, director of operations at McAfee, those posing as a corporate IT missive were realistic enough to fool some workers.
"It appears close enough to something your IT department might send you that it could fool some people," Telafici said.
The worm also delivers a mixed payload, with only a handful of messages going through with a .zip attachment, a recently popular technique used by virus writers to avoid corporate security systems. MyDoom.M mainly arrives as a simple executable program file, Telafici said, making it more damaging for anyone who gets fooled into opening a message. "It takes fewer steps to infect yourself, which is helping [the worm] spread," he said.
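The two lure characteristics described above, a sender posing as the postmaster or internal IT and a payload that is either a bare executable or a .zip wrapping one, can be turned into a mail-gateway quarantine rule. The Python below is an added example, not code from the article or from any vendor named in it; the executable extensions, the list of impersonated local-parts and the sample messages are all this example's own constructions. It builds a few constructed messages with the standard library and returns reason codes for each.

```python
import io
import os
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Both sets are this example's assumptions. The article only says the lures pose
# as a postmaster bounce or an IT notice and that most copies carry a plain
# executable, with a handful using a .zip attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
IMPERSONATED_LOCALPARTS = {
    "postmaster", "mailer-daemon", "administrator", "admin", "it", "helpdesk", "support",
}


def is_executable_name(name):
    return os.path.splitext(name.lower())[1] in EXECUTABLE_EXTS


def classify(msg, local_domain):
    """Return reason codes for why msg matches the lure pattern ([] if it does not).

    EXECUTABLE: a directly attached executable.
    ZIPPED_EXECUTABLE: a .zip attachment containing an executable.
    UNREADABLE_ZIP: a .zip attachment the gateway cannot open.
    IMPERSONATED_INTERNAL_SENDER: From claims postmaster/IT at our own domain
        and the message carries an attachment.
    """
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = sender.rpartition("@")
    has_attachment = False
    for part in msg.iter_attachments():
        has_attachment = True
        name = (part.get_filename() or "").lower()
        if is_executable_name(name):
            reasons.append("EXECUTABLE")
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    if any(is_executable_name(n) for n in zf.namelist()):
                        reasons.append("ZIPPED_EXECUTABLE")
            except zipfile.BadZipFile:
                reasons.append("UNREADABLE_ZIP")
    if has_attachment and domain == local_domain.lower() and local in IMPERSONATED_LOCALPARTS:
        reasons.append("IMPERSONATED_INTERNAL_SENDER")
    return reasons


def build_message(sender, subject, attachment=None):
    """Construct a test message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@mycompany.com"
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def zip_bytes(inner_name, data):
    """Build an in-memory .zip holding one file, for the zipped-payload sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


# Constructed sample messages; the two-byte "MZ" prefix stands in for executable content.
FAKE_EXE = b"MZ" + b"\0" * 16
SAMPLES = {
    "bounce_lure": build_message("postmaster@mycompany.com",
                                 "Returned mail: see transcript for details",
                                 ("message.exe", FAKE_EXE)),
    "it_lure_zip": build_message("administrator@mycompany.com",
                                 "Notice: mailbox security update",
                                 ("update.zip", zip_bytes("update.exe", FAKE_EXE))),
    "real_bounce": build_message("postmaster@mycompany.com", "Delivery status notification"),
    "report": build_message("alice@mycompany.com", "Q3 report", ("q3-report.pdf", b"%PDF-1.4 ...")),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label}: {classify(msg, 'mycompany.com') or 'clean'}")
```

The rule keys on the combination the article highlights: an executable (bare or zipped) is enough on its own, while an attachment from an address that claims to be the local postmaster or IT desk is flagged even when the file type looks harmless, because that is the spoof workers found convincing. A bounce with no attachment and a colleague's PDF both pass.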
Individuals may not notice a huge performance hit on their own PCs if they are connected to broadband and have a computer that is only a few years old, Schmugar said. The queries are fairly low-impact events. However, only a few medium-on-watch risks come up a year, he said, and the search engines are feeling the pinch.
The original MyDoom surfaced early this year and quickly ranked as one of the worst email pests ever. The original worm has since spawned numerous offshoots, including one specifically programmed to attack Linux antagonist SCO.
Marty Lindner, senior member of the technical staff at the Computer Emergency Response Team (CERT) at Carnegie Mellon University, added that the virus also comes with a back door that potentially enables a hacker to take control of an infected system. Several worms open back doors and harvest email addresses. The novelty of this latest variant is that it appears to be able to launch queries. Lindner, however, stated that CERT has not fully confirmed the query function as yet.
David Becker and Michael Kanellos write for CNET News.com