
My Doom Variant Warning, Variant O


Hi,

I have just received today this alert message from MessageLabs, which gives in-depth details about the new variant of the MyDoom virus, variant O. See details below:

MyDoom.O Designed to Target Search Engines

New York, NY – July 26, 2004 (3:00 pm ET) - MessageLabs, the leading provider of managed email security services to businesses worldwide, is advising computer users that W32.Mydoom.O contains multiple search engine URLs and is using them to harvest additional domain email addresses.


MyDoom.O searches user files (DOC, TXT, HTM and HTML) for domain names, then uses search engines (Lycos, AltaVista, Yahoo and Google) to search for "e-mail" and the harvested domain in order to gain access to other email addresses.


There is a strong likelihood that web-based lists such as phone books, memberships, discussion boards and general user home pages will be harvested by the machine and in turn infect others.


A search on Google using the same "e-mail" + domain method has generated a "Forbidden" message, which may indicate activity on the part of the search engines to thwart the virus.


“Because MyDoom.O contains web site links and directs recipients to specific and targeted sites, this virus is in essence creating distributed Denial of Service attacks against Lycos, AltaVista, Yahoo and Google,” said Mark Sunner, Chief Technology Officer of MessageLabs.


The specific URLs contained in MyDoom.O are:

http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s

http://www.altavista.com/web/results?q=%s&kgs=0&kls=0

http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s


According to initial intelligence now circulating, MyDoom.O can also harvest emails from any Outlook windows active on the compromised machine. This will lead to additional propagation via SMTP even after a peak infection period.


General Details

Name: W32/MyDoom.O-mm
Number of copies intercepted so far: 23,000 within first five hours
Time & date first captured: July 26, 2004; 4:40 AM ET
Origin of first intercepted copy: UK

MyDoom.O is a mass-mailing worm with an SMTP engine that sends emails to addresses harvested from infected machines. The sender’s From: email address is forged, and therefore does not indicate the true identity of the sender. MyDoom.O may also spoof from the mailer-daemon@ address, which is typically used to indicate a delivery failure, thus enhancing its social engineering trickery.

The executable file is approximately 27,648 bytes in size. The virus is also packed with UPX v1.0x and stored in a ZIP attachment.

NB: The virus is also being referred to as: MyDoom.M, I-Worm.Mydoom.M, I-Worm.Mydoom.R, and W32/Mydoom.L.

File Types:
- PIF
- SCR
- DOC
- EXE
- HTM

Email Characteristics
From: Spoofed email address (including mailer-daemon@, noreply@)
Subject: Random (see below)
Text: Various
Size: 27,648 bytes

Subject
· hi
· delivery failed
· Message could not be delivered
· Mail System Error - Returned Mail
· Delivery reports about your e-mail
· Returned mail: see transcript for details
· Returned mail: Data format error instruction
· MAILER-DAEMON
· "Mail Administrator"
· "Automatic Email Delivery Software"
· "Post Office"
· "The Post Office"
· "Bounced mail"
· "Returned mail"
· "Mail Delivery Subsystem"

Best Regards Ivan
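A defender-side triage check built from the indicators in the advisory quoted above (spoofed bounce sender, the listed subjects, ZIP-wrapped PIF/SCR/EXE payload). This is an added example written for this thread, not MessageLabs' or Plusnet's code; it uses only Python's standard library, and the sample mail it scores is constructed inert filler, not a real worm.

```python
import io, zipfile
from email import policy, message_from_bytes
from email.message import EmailMessage

# Indicators taken from the MessageLabs advisory quoted in the post above.
BOUNCE_SUBJECTS = {
    "hi", "delivery failed", "message could not be delivered",
    "mail system error - returned mail", "delivery reports about your e-mail",
    "returned mail: see transcript for details", "mailer-daemon",
    "returned mail: data format error instruction", "mail administrator",
    "automatic email delivery software", "post office", "the post office",
    "bounced mail", "returned mail", "mail delivery subsystem"}
SPOOFED_SENDERS = ("mailer-daemon@", "noreply@")
PAYLOAD_EXTENSIONS = (".pif", ".scr", ".exe")
ADVISORY_SIZE = 27648  # UPX-packed executable size given in the advisory

def score_message(raw: bytes) -> dict:
    """Return which MyDoom.O mail indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").strip().strip('"').lower()
    hits = {"spoofed_bounce_sender": any(s in sender for s in SPOOFED_SENDERS),
            "bounce_subject": subject in BOUNCE_SUBJECTS, "zip_with_executable": False}
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:  # look inside the archive: the worm ships its executable ZIP-wrapped
            names = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            continue  # a corrupt archive is not the worm's well-formed ZIP
        hits["zip_with_executable"] |= any(n.lower().endswith(PAYLOAD_EXTENSIONS) for n in names)
    # Flag only the combination: a fake bounce carrying a ZIP-wrapped executable.
    hits["likely_mydoom_o"] = hits["zip_with_executable"] and (
        hits["spoofed_bounce_sender"] or hits["bounce_subject"])
    return hits

def build_sample(payload="message.pif", size=ADVISORY_SIZE) -> bytes:
    """Constructed test mail (not a real worm): fake bounce with a ZIP-wrapped payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(payload, b"\x00" * size)  # inert filler standing in for the binary
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.net"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was included as attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()
```

Scoring `build_sample()` flags all three indicators, while the same bounce carrying `readme.txt` instead of a `.pif` is not flagged, which is the point: the subject and sender lists alone also match legitimate bounces.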
2 REPLIES
Plusnet Staff

My Doom Variant Warning, Variant O

Hi Ivan,

We put an announcement out about this earlier today and we are now blocking the vast majority of these mails before they get to our customers, we caught 500 in just the first few minutes of the block being put on.

Replying

Hi Dave,

Yes! I had read the thread you made elsewhere on the portal, but I thought a second comment from another source might be useful for F9 users, as MessageLabs gave so much specific information about this variant. No disrespect intended to anyone at F9, and Yes! I am pleased to hear the action F9 have taken so quickly to reduce further spread.

500 in one minute!!!!! Oh!! My goude!!!!!!!!!! 500!!!!!!!!!! Rather you than me having to deal with that, phew!!

Best Regards Ivan