Gary and others alert me to the depth and approach taken by what Andy has noted seems to be denial of service attacks on Google – in fact, it’s a virus that uses search engines in a clever and rather simple way to find more addresses. From a message forwarded to me by Gary (full text in continuation below):
MyDoom.O searches user files (DOC TXT HTM and HTML) for domain names, then
uses search engines (Lycos, AltaVista, Yahoo and Google) to search for
“e-mail” and the harvested domain in order to gain access to other email
addresses.
There is a strong likelihood that web-based lists such as phone books,
memberships, discussion boards and general user home pages will be
harvested by the machine and in turn infect others.
A search on Google using the same “e-mail” + domain method has generated a
“Forbidden” message, which may indicate activity on the part of the search
engines to thwart the virus.
]]>< ![CDATA[
—– Forwarded message from MailingLists@messagelabs.com —–
Date: Mon, 26 Jul 2004 21:13:59 GMT
From: MailingLists@messagelabs.com
Reply-To: MailingLists@messagelabs.com
Subject: MessageLabs Virus Advisory: W32/MyDoom.O-mm
To: Alerts Subscriber
MyDoom.O Designed to Target Search Engines
New York, NY – July 26, 2004 (3:00 pm ET) – MessageLabs, the leading
provider of managed email security services to businesses worldwide, is
advising computer users that W32.Mydoom.O contains multiple search engine
URLs and is using them to harvest additional domain email addresses.
MyDoom.O searches user files (DOC TXT HTM and HTML) for domain names, then
uses search engines (Lycos, AltaVista, Yahoo and Google) to search for
“e-mail” and the harvested domain in order to gain access to other email
addresses.
There is a strong likelihood that web-based lists such as phone books,
memberships, discussion boards and general user home pages will be
harvested by the machine and in turn infect others.
A search on Google using the same “e-mail” + domain method has generated a
“Forbidden” message, which may indicate activity on the part of the search
engines to thwart the virus.
“Because MyDoom.O contains web site links and directs recipients to
specific and targeted sites, this virus is in essence creating distributed
Denial of Service attacks against Lycos, AltaVista, Yahoo and Google,”
said Mark Sunner, Chief Technology Officer of MessageLabs.
The specific URLs contained in MyDoom.O are:
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
According to initial intelligence now circulating, MyDoom.O can also
harvest emails from any Outlook Windows active on the compromised machine.
This will lead to additional propagation via SMTP even after a peak
infection period.
General Details
Name: W32/MyDoom.O-mm
Number of copies intercepted so far: 23,000 within first five hours
Time & date first captured: July 26, 2004; 4:40 AM ET
Origin of first intercepted copy: UK
MyDoom.O is a mass-mailing worm with an SMTP engine that sends emails to
addresses harvested from infected machines. The sender’s From: email
address is forged, and therefore does not indicate the true identity of
the sender. MyDoom.O may also spoof from the mailer-daemon@ address,
which is typically used to indicate a delivery failure, thus enhancing its
social engineering trickery.
The executable file is approximately 27,648 bytes in size. The virus is
also packed with UPX v1.0x and stored in a ZIP attachment.
NB: The virus is also being referred to as: MyDoom.M, I-Worm.Mydoom.M,
I-Worm.Mydoom. R, and W32/Mydoom.L.
File Types:
– PIF
– SCR
– DOC
– EXE
– HTM
Email Characteristics
From: Spoofed email address (including mailer-daemon@,
noreply@)
Subject: Random (see below)
Text: Various
Size: 27,648 bytes
Subject
· hi
· delivery failed
· Message could not be delivered
· Mail System Error – Returned Mail
· Delivery reports about your e-mail
· Returned mail: see transcript for details
· Returned mail: Data format error instruction
· MAILER-DAEMON
· “Mail Administrator”
· “Automatic Email Delivery Software”
· “Post Office”
· “The Post Office”
· “Bounced mail”
· “Returned mail”
· “Mail Delivery Subsystem”
Detection
MessageLabs detected all strains of this virus proactively, using its
unique and patented Skeptic™ predictive heuristics technology.
About MessageLabs
MessageLabs is the leading provider of managed email security services to
businesses worldwide. The company currently protects more than 8,500
businesses around the world from email threats such as viruses, spam and
other unwanted content before they reach their networks and without the
need for additional hardware or software. Powered by a global network of
control towers that currently spans 13 data centers in the United States,
the United Kingdom, Germany, the Netherlands, Australia and Hong Kong,
MessageLabs scans millions of emails a day on behalf of customers such as
The British Government, The Bank of New York, Bertelsmann, Bic, CSC, Conde
Nast Publications, EMI Music, Diageo, Orange, Random House, SC Johnson and
StorageTek. The company has more than 300 channel partners, including BT,
Cable & Wireless, CSC, IBM, MCI and Unisys and publishes real-time data
and analysis on viruses, spam, phishing scams and other email security
threats. MessageLabs’ statistics and experts are frequently quoted in
media outlets around the world and its executives regularly speak at
industry conferences. For more information on MessageLabs and its
industry-leading email security and management services, please visit
www.messagelabs.com.
About MessageLabs Intelligence
Through MessageLabs Intelligence, the company provides continuous and
regularly updated information, statistics and analysis on a range of email
security threats worldwide. MessageLabs Intelligence is based on live data
feeds pulled from our global network of control towers that scan millions
of emails daily. It is widely referenced and considered to be the latest,
most comprehensive data available on email security threats.