Posted on 02/17/2005 3:06:25 PM PST by TomServo
Windows worm weaves its way with search engines
A new worm that uses Internet search engines to spread rapidly was detected Thursday, according to antivirus software maker Panda Software, a private company based in Bilbao, Spain, which operates in the U.S. as PandaLabs of Glendale, in Southern California.
Called "Mydoom.AO," the worm uses Mountain View-based Google (NASDAQ: GOOG), Altavista, Sunnyvale-based Yahoo (NASDAQ: YHOO) and Lycos to search for e-mail addresses to which to send itself. In order to trick users, the worm pretends to be a mail delivery error message.
In this way, a single infected computer can distribute thousands of copies of the worm in just a few minutes, PandaLabs says. This means that the probability of a Windows-based computer becoming infected by the Mydoom.AO worm is high.
The worm affects computers running Windows 2003/XP/2000/NT only, according to PandaLabs.
If a user becomes infected by the worm, it creates a copy of itself under the name JAVA.EXE and searches for e-mail addresses in the Windows address book, Internet temporary files, and in files on the computer with certain extensions. Once it has done this, it selects domain names from the addresses it has collected and uses them as search words in Google, Altavista, Yahoo and Lycos. Finally, Mydoom.AO sends itself out to all addresses it finds.
Mydoom.AO is difficult to recognize, as it does not display any messages or warnings indicating it has reached the computer, according to PandaLabs.
"Virus creators are finding Internet search engines a powerful tool for rapidly spreading malicious code," says Luis Corrons, director of PandaLabs. "This tactic effectively multiplies the propagation capacity of a malicious code, and it is therefore likely that we will see more of the same."
Us Kaypro users don't have these problems.
Thank you
A Kaypro! CP/M will rule the world someday!
Hey, at least CP/M users don't have to worry about these pesky Internet problems. :o)
I spent over fourteen years on line using CP/M (BBS, Compuserve, etc.) before I ever made the leap to the WWW.
You still have to open an email attachment to be infected, right?
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html
When W32.Mydoom.AX@mm is executed, it performs the following actions:
Creates the following files:
%Windir%\java.exe
%Windir%\services.exe (this is a Trojan horse detected as Backdoor.Zincite.A)
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Adds the values:
"JavaVM" = "%Windir%\java.exe "
"Services" = "%Windir%\services.exe"
to one of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
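Added example, not part of the thread or the Symantec write-up: a Python check that scans `reg query` output for the two Run-key values and %Windir% file paths listed above. The function names, the sample output and the `C:\Windows` default are assumptions made for illustration.

```python
import ntpath
import re

# Indicators from the write-up quoted above: Run value name -> file dropped in %Windir%.
INDICATORS = {"javavm": "java.exe", "services": "services.exe"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# One value line of `reg query` output: name, type and data separated by whitespace.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def expand_windir(data, windir):
    """Expand %Windir%/%SystemRoot% case-insensitively; strip quotes and padding."""
    data = re.sub(r"%(windir|systemroot)%", lambda m: windir, data, flags=re.I)
    return ntpath.normpath(data.strip().strip('"').strip())

def find_mydoom_run_values(reg_output, windir=r"C:\Windows"):
    """Return (key, value name, path) for Run values matching the listed indicators."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        expected = INDICATORS.get(m["name"].strip().lower())
        path = expand_windir(m["data"], windir)
        # Compare the full path: the genuine services.exe lives in System32,
        # so matching on the file name alone would flag a clean system.
        if expected and path.lower() == ntpath.join(windir, expected).lower():
            hits.append((key, m["name"].strip(), path))
    return hits

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM    REG_SZ    C:\WINDOWS\java.exe
    Services    REG_SZ    %Windir%\services.exe
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre\bin\jusched.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Services    REG_SZ    C:\Windows\System32\services.exe
"""

if __name__ == "__main__":
    for hit in find_mydoom_run_values(SAMPLE):
        print(hit)
```

On a live machine the input would be the saved output of `reg query` for each of the two Run keys, with `windir` set to that machine's Windows folder.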
No.
Even thinking about it will trigger it!
just kidding....
LVM
This is yet another email attachment virus, so if people were more careful about attachments these things wouldn't propagate so quickly. We just block any potentially harmful content at our gateway (not necessarily an option for home users, though).
http://www.datafellows.com/v-descs/mydoom_bb.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB
http://www.us-cert.gov/other_sources/viruses.html#III
If you already got it, clean up when your virus software supplier releases a "patch". A disconnected USB hard drive that contains your vital files (backed up regularly) can be very useful if a nasty one starts munching on your PC.
When they catch the guy that starts the worm, they should give him life with no computer.
Even thinking about it will trigger it!
Ooooohm!
Ooooohm!
What web browser do you use?
LOL! We hooked up a PDP-8 with an ASR-33 Teletype to the internet (used a unix box as an interface) just to see if we could do it. :-)
Was weird typing on the Teletype to navigate the net.