MyDoom yanks addresses from Yahoo


A MyDoom variation first spotted two days ago in the US uses the copycat tactic of querying a search engine for new victim addresses, security firms said as they dug deeper into the worm's code.

Dubbed MyDoom.p by some anti-virus vendors - and confusingly called MyDoom.q or Evaman.c by others - the worm's most distinctive trait is its use of Yahoo's People search site to find more email addresses.

The tactic was first tried by the voracious MyDoom.m/MyDoom.o last week. During a brief but vicious outbreak, that MyDoom variant deluged Google, Alta Vista, Lycos, and Yahoo with search queries, slowing down Google's response and making it impossible for some users to access the engine.

"Copycat viruses are all the rage, so you didn't have to be psychic to predict the release of more worms trying to scoop up email addresses from search engines," said Graham Cluley, a senior technology consultant for security firm Sophos, in a statement. "We expect to see other worm authors trying similar tricks in the future."

In all other ways, MyDoom.p was a typical MyDoom: it spread via emails masquerading as system or email server error messages, included an attached file, and tried to terminate various anti-virus and security processes on the target machine.

Because of the worm's relatively slow spread, Yahoo's People search engine wasn't affected and, as of midday yesterday, was operating normally. Most anti-virus firms pegged MyDoom.p/q as a low-level threat. Symantec, for instance, tagged it as a '2' on its 1 through 5 scale, considerably lower than MyDoom.o or MyDoom.m's '4' at its worst.

In an alert on its website, Sophos also reminded users that both Microsoft and SCO have posted bounties totalling US$500,000 for information leading to the conviction of the author(s) behind MyDoom. Both companies were victims of denial-of-service (DoS) attacks launched by early editions of MyDoom in January.

"Someone in the computer underground must know who the person or people behind the MyDoom viruses are," said Cluley. "Those with knowledge which may help the investigation should come forward now."

 
