Free Republic
Browse · Search
News/Activism
Topics · Post Article


Windows worm weaves its way with search engines
Silicon Valley/San Jose Business Journal | 2/17/05 | American City Business Journals Inc.

Posted on 02/17/2005 3:06:25 PM PST by TomServo

A new worm that uses Internet search engines to spread rapidly was detected Thursday, according to antivirus software maker Panda Software, a private company based in Bilbao, Spain, which operates in the U.S. as PandaLabs of Glendale, in Southern California.

Called "MydoomAO," the worm uses Mountain View-based Google (NASDAQ: GOOG), Altavista, Sunnyvale-based Yahoo (NASDAQ: YHOO) and Lycos to search for e-mail addresses to which to send itself. In order to trick users, the worm pretends to be a mail delivery error message.

In this way, a single infected computer can distribute thousands of copies of the worm in just a few minutes, PandaLabs says. This means that the probability of a Windows-based computer becoming infected by the Mydoom.AO worm is high.

The worm affects computers running Windows 2003/XP/2000/NT only, according to PandaLabs.

When it infects a computer, the worm creates a copy of itself under the name JAVA.EXE and searches for e-mail addresses in the Windows address book, in Internet temporary files, and in files on the computer with certain extensions. It then takes the domain names from the addresses it has collected and uses them as search terms in Google, Altavista, Yahoo and Lycos. Finally, Mydoom.AO sends itself to every address it finds.

Mydoom.AO is difficult to recognize, as it does not display any messages or warnings indicating it has reached the computer, according to PandaLabs.

"Virus creators are finding Internet search engines a powerful tool for rapidly spreading malicious code," says Luis Corrons, director of PandaLabs. "This tactic effectively multiplies the propagation capacity of a malicious code, and it is therefore likely that we will see more of the same."


TOPICS: Crime/Corruption; Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurity; exploit; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; securityflaw; trojan; windows; worm; worms
Word of warning, folks. And please - none of the OS/Browser war crap, OK?
1 posted on 02/17/2005 3:06:26 PM PST by TomServo
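The propagation loop the article describes (harvest addresses from the victim's files, keep only the domain part, feed those domains to Google, Altavista, Yahoo and Lycos, mail the worm to whatever addresses come back) leaves a distinctive trace on an outbound web proxy: one client firing bare-domain searches at several engines within seconds. The following is an added example, not code from the article, from Panda, or from any poster in this thread, that flags that pattern in a constructed proxy log. The log format, the search-engine host names and the query-parameter names, and the window and threshold values are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The four engines the article names, mapped to the query-string parameter
# carrying the search term. Host and parameter names are assumptions made
# for this example, not taken from the worm.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "www.altavista.com": "q",
    "search.lycos.com": "query",
}

# What a harvested address looks like once only the part after the '@' is
# kept: a bare domain, no spaces, no other words.
BARE_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)

WINDOW_SECONDS = 60   # how far back to look per client
THRESHOLD = 5         # bare-domain searches inside the window before alerting


def domain_query(url: str):
    """Return the domain searched for if url is a search-engine request whose
    only term is a bare domain; otherwise None."""
    parts = urlsplit(url)
    param = SEARCH_ENGINES.get(parts.hostname)
    if param is None:
        return None
    terms = parse_qs(parts.query).get(param, [])
    if len(terms) == 1 and BARE_DOMAIN.match(terms[0].strip()):
        return terms[0].strip().lower()
    return None


def parse_line(line: str):
    """Constructed proxy log format: '<ISO 8601 time> <client IP> <URL>'."""
    stamp, client, url = line.split(maxsplit=2)
    return datetime.fromisoformat(stamp), client, url


def find_harvesters(lines) -> dict:
    """Sliding window per client. Returns {client: set_of_domains_searched}
    for every client that issued THRESHOLD or more bare-domain searches
    within WINDOW_SECONDS."""
    recent = defaultdict(deque)    # client -> deque of (time, domain)
    flagged = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        stamp, client, url = parse_line(line)
        domain = domain_query(url)
        if domain is None:
            continue
        window = recent[client]
        window.append((stamp, domain))
        while (stamp - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:
            flagged[client].update(d for _, d in window)
    return dict(flagged)


# Constructed log: 10.0.0.5 behaves like an infected host, 10.0.0.9 like a
# person searching normally (one of whose searches happens to be a domain).
SAMPLE_LOG = """\
2005-02-17T15:06:01 10.0.0.5 http://www.google.com/search?q=example.com
2005-02-17T15:06:02 10.0.0.5 http://search.yahoo.com/search?p=example.com
2005-02-17T15:06:03 10.0.0.5 http://www.altavista.com/web/results?q=example.org
2005-02-17T15:06:04 10.0.0.5 http://search.lycos.com/default.asp?query=example.org
2005-02-17T15:06:05 10.0.0.5 http://www.google.com/search?q=example.net
2005-02-17T15:06:30 10.0.0.9 http://www.google.com/search?q=mydoom+worm+removal
2005-02-17T15:07:00 10.0.0.9 http://www.google.com/search?q=example.com
"""

if __name__ == "__main__":
    for client, domains in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(domains)} harvested domains -> {sorted(domains)}")
```

A person occasionally types a domain into a search box, so the rule keys on rate across engines rather than on any single query; tune THRESHOLD and WINDOW_SECONDS against a day of your own proxy logs before alerting on it, and treat a hit as a pointer to a host worth pulling the antivirus logs from, not as proof by itself.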

To: TomServo

Us Kaypro users don't have these problems.

2 posted on 02/17/2005 3:11:31 PM PST by billorites (freepo ergo sum)

To: TomServo

Thank you


3 posted on 02/17/2005 3:14:26 PM PST by anonymoussierra (Alles wurde durch dasselbe! revelatur enim ira Dei de caelo)

To: TomServo
Any suggestions for those who may have caught it?
4 posted on 02/17/2005 3:22:29 PM PST by clyde asbury (Genesis ch. 1 v. 32)

To: billorites

A Kaypro! CP/M will rule the world someday!

Hey, at least CP/M users don't have to worry about these pesky Internet problems. :o)


5 posted on 02/17/2005 3:26:14 PM PST by GaltMeister (The only time a Democrat should be allowed in the White House is to visit the President.)

To: clyde asbury
Reformat.
6 posted on 02/17/2005 3:27:57 PM PST by wolfpat (Dum vivimus, vivamus)

To: TomServo
I have JAVA.EXE on my system as follows:
---\program files\java\-- (3 ea)

---\system32\java.exe (1 ea)

I believe this has been on my "putter" for some time.

Thus, is this warning a hoax?
7 posted on 02/17/2005 3:29:30 PM PST by Tannerone

To: GaltMeister
"Hey, at least CP/M users don't have to worry about these pesky Internet problems. :o)"

I spent over fourteen years online using CP/M (BBS, Compuserve, etc.) before I ever made the leap to the WWW.

8 posted on 02/17/2005 3:29:39 PM PST by billorites (freepo ergo sum)

To: TomServo

You still have to open an email attachment to be infected, right?


9 posted on 02/17/2005 3:33:08 PM PST by decimon

To: Tannerone

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

When W32.Mydoom.AX@mm is executed, it performs the following actions:

Creates the following files:

%Windir%\java.exe
%Windir%\services.exe (this is a Trojan horse detected as Backdoor.Zincite.A)

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Adds the values:

"JavaVM" = "%Windir%\java.exe "
"Services" = "%Windir%\services.exe"

to one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.


10 posted on 02/17/2005 3:38:53 PM PST by boxerblues
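The indicators boxerblues quotes from Symantec answer Tannerone's question more precisely than the file name alone: the dropped copies sit directly in the Windows folder (%Windir%\java.exe and %Windir%\services.exe), whereas a Java runtime's java.exe lives under its own installation directory and the genuine services.exe lives in %Windir%\system32. The check below is an added example, not Symantec's tool or anything from this thread; it matches a host's file list and a "reg export" of the two Run keys against exactly those indicators. The file lists and the .reg text are constructed for the example, and ntpath is used so the check runs from any OS against data exported from the suspect machine.

```python
import ntpath
import re

# Indicators as quoted from the Symantec write-up above: two files dropped into
# the Windows folder itself, and two Run-key values that relaunch them at logon.
DROPPED_FILES = {"java.exe", "services.exe"}
RUN_VALUES = {"javavm": "java.exe", "services": "services.exe"}
RUN_KEY_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run$", re.I)


def parse_reg_export(text: str) -> dict:
    """Minimal parser for 'reg export' (.reg) output: {key: {value_name: data}}.
    Handles only REG_SZ values ("name"="data"), which is all a Run key holds here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files quote strings and double every backslash
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def in_windir(path: str, windir: str) -> bool:
    """True if path is directly inside the Windows folder (not System32, not
    Program Files). Comparison is case-insensitive, as NTFS lookups are."""
    path = path.strip().strip('"').lower().replace("%windir%", windir.lower())
    return ntpath.dirname(ntpath.normpath(path)) == ntpath.normpath(windir.lower())


def check_host(windir: str, files, reg_text: str) -> list:
    """Return one finding string per indicator present on the host."""
    findings = []
    for f in files:
        if ntpath.basename(f).lower() in DROPPED_FILES and in_windir(f, windir):
            findings.append(f"dropped file: {f}")
    for key, values in parse_reg_export(reg_text).items():
        if not RUN_KEY_RE.match(key):
            continue
        for name, data in values.items():
            expected = RUN_VALUES.get(name.lower())
            if (expected and ntpath.basename(data.strip().lower()) == expected
                    and in_windir(data, windir)):
                findings.append(f"run value {key}\\{name} = {data.strip()}")
    return findings


# Constructed snapshots. The clean one mirrors Tannerone's machine: a Java
# runtime plus java.exe in System32, and the real services.exe in System32.
CLEAN_FILES = [
    r"C:\Program Files\Java\jre1.5.0\bin\java.exe",
    r"C:\WINDOWS\system32\java.exe",
    r"C:\WINDOWS\system32\services.exe",
]
INFECTED_FILES = CLEAN_FILES + [r"C:\WINDOWS\java.exe", r"C:\WINDOWS\services.exe"]

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
INFECTED_REG = CLEAN_REG + r'''
"JavaVM"="C:\\WINDOWS\\java.exe "
"Services"="C:\\WINDOWS\\services.exe"
'''

if __name__ == "__main__":
    print("clean:", check_host(r"C:\WINDOWS", CLEAN_FILES, CLEAN_REG))
    print("infected:", check_host(r"C:\WINDOWS", INFECTED_FILES, INFECTED_REG))
```

A hit on the Run value alone is worth acting on even if the file has already been removed, since the value shows the machine was configured to relaunch the dropper; and a machine that shows none of these four indicators can still be infected by a variant with different names, so the antivirus vendor's current signatures, not this list, remain the authority.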

To: decimon
You still have to open an email attachment to be infected, right?

No.

Even thinking about it will trigger it!

just kidding....

LVM

11 posted on 02/17/2005 3:44:14 PM PST by LasVegasMac ("God. Guts. Guns. I don't call 911." (bumper sticker))

To: boxerblues
Thank you for correcting the error in the article. MyDoomAO has been around since the end of January. The AX variant was discovered today. Another example of sloppy reporting!

This is yet another email attachment virus, so if people were more careful about attachments these things wouldn't propagate so quickly. We just block any potentially harmful content at our gateway (not necessarily an option for home users, though).

12 posted on 02/17/2005 3:46:25 PM PST by Disambiguator (Pi$$ off a liberal nanny-statist hoplophobe; buy a .50 BMG!)
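Disambiguator's gateway blocking and the article's note that the worm poses as a mail delivery error can be combined into one filter. The following is an added example, not code from the article, from Panda, or from any poster in this thread. The messages it checks are constructed here, and the extension list, the subject pattern and the verdict names are choices made for the example. The one fact it relies on beyond the page is that a genuine bounce generated by a mail server is a multipart/report message carrying a message/delivery-status part (RFC 3464), which a lure that only borrows the subject line does not have.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types Windows runs directly on double-click (example list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Subject lines the lure imitates: the worm poses as a delivery error.
BOUNCE_SUBJECT = re.compile(
    r"(delivery|mail).*(fail|error|status|undeliverable)|returned mail", re.I)


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header, whatever the name says."""
    return data[:2] == b"MZ"


def executable_attachments(msg) -> list:
    """Names of attachments that are executables, looking one level into zips."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS or looks_like_pe(data):
            found.append(name)
        elif ext == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if (os.path.splitext(inner)[1].lower() in EXECUTABLE_EXTS
                                or looks_like_pe(zf.read(inner)[:2])):
                            found.append(f"{name}:{inner}")
            except zipfile.BadZipFile:
                found.append(f"{name} (unreadable zip)")
    return found


def classify(raw: bytes) -> dict:
    """Gateway verdict for one raw RFC 822 message: reject, quarantine or accept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # A genuine bounce is an RFC 3464 delivery report, not an ordinary message
    # with a file attached; the worm's lure only copies the subject line.
    real_dsn = (msg.get_content_type() == "multipart/report"
                and msg.get_param("report-type") == "delivery-status")
    fake_bounce = (bool(BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))))
                   and not real_dsn)
    execs = executable_attachments(msg)
    verdict = "reject" if execs else ("quarantine" if fake_bounce else "accept")
    return {"verdict": verdict, "executables": execs, "fake_bounce": fake_bounce}


# ---- constructed sample messages, not real traffic ----

STUB_PE = b"MZ" + b"\x00" * 62   # carries only the header bytes; not a valid program


def build_lure() -> bytes:
    """Fake delivery error with a screen-saver executable attached."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Mail Delivery Failure"
    msg.set_content("Your message could not be delivered; see the attachment.")
    msg.add_attachment(STUB_PE, maintype="application",
                       subtype="octet-stream", filename="message.scr")
    return bytes(msg)


def build_zip_lure() -> bytes:
    """The same lure with the executable wrapped in a zip file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.pif", STUB_PE)
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("See the attached transcript.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return bytes(msg)


REAL_DSN = b"""\
From: MAILER-DAEMON@example.com
To: sender@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

nobody@example.org could not be reached.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.com

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("zip lure", build_zip_lure()),
                       ("real DSN", REAL_DSN)):
        print(label, classify(raw))
```

The extension list is deliberately a second line of defence behind the MZ check, since a renamed executable keeps its header; and real bounces pass untouched because the decision looks at the message structure rather than the subject, which is the part the worm copies. A home user without a gateway gets the same effect from a mail client that refuses to open those attachment types.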

To: decimon
New pest info:

http://www.datafellows.com/v-descs/mydoom_bb.shtml

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB

http://www.us-cert.gov/other_sources/viruses.html#III

If you already got it, clean up when your virus software supplier releases a "patch". A disconnected USB hard drive that contains your vital files (backed up regularly) can be very useful if a nasty one starts munching on your PC.

13 posted on 02/17/2005 3:53:13 PM PST by Johnny Crab (Always thankful.)

To: billorites
Exactly. I got soooo tired of viruses, that I went back to my old Atari 800.


14 posted on 02/17/2005 4:17:34 PM PST by Ol' Dan Tucker

To: Ol' Dan Tucker
I have my backup system primed and ready...


15 posted on 02/17/2005 4:20:02 PM PST by Redcloak (More cleverly arranged 1's and 0's)

To: TomServo

When they catch the guy who starts the worm, they should give him life with no computer.


16 posted on 02/17/2005 4:22:03 PM PST by camas

To: LasVegasMac
No.

Even thinking about it will trigger it!

Ooooohm!

Ooooohm!

17 posted on 02/17/2005 4:22:23 PM PST by decimon

To: billorites

What web browser do you use?


18 posted on 02/17/2005 4:28:36 PM PST by Paleo Conservative (Hey! Hey! Ho! Ho! Andrew Heyward's got to go!)

To: GaltMeister
Hey, at least CP/M users don't have to worry about these pesky Internet problems

LOL! We hooked up a PDP-8 with an ASR-33 Teletype to the internet (used a unix box as an interface) just to see if we could do it. :-)

Was weird typing on the Teletype to navigate the net.

19 posted on 02/17/2005 4:30:23 PM PST by RadioAstronomer

To: Redcloak
I decided to revert to a guaranteed no-virus computer:
20 posted on 02/17/2005 4:41:08 PM PST by Swordmaker (Tagline now open, please ring bell.)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
