Looks like there’s a new variation of W32.Mydoom loose on the net and it’s playing hell with mail servers and network latency all over. Symantec is calling it W32.Mydoom.M and McAfee is calling it W32.Mydoom.O, but regardless of what it’s called you’ll want to make sure your virus scanner is up-to-date and avoid opening any email attachments for a while. This one tries to trick you into opening it by claiming that you’re already infected and providing you with instructions for removal in the attachment. It also spoofs the FROM address in the outgoing emails so it could appear to come from someone you know. I even got one email this morning that came from me and was addressed to me. This bugger managed to fool a few folks here at work and as such our network and mail servers are running at a snail’s pace today. Not to mention my inbox is flooded with bounced mails from having my email address spoofed. It’s got everyone running around in a semi-panic and has me busy explaining repeatedly why it’s not necessarily true that your PC may be infected even if you got an email saying it is. Checking my home accounts I see that I’ve got plenty of email from infected users waiting there as well.
You can find more information about this new headache including manual removal instructions by clicking here.
Update: Looks like this new MyDoom makes use of search engines to find even more email addresses to spam.
Once the virus is started, it searches the user’s files for domain names. Once it spots a domain name (e.g. ‘@example.com’, or in ‘www.example.com’), it will search various search engines for valid e-mail addresses within these domains. These search engines include Lycos, Google, Altavista, Yahoo and possibly others. Some of the search strings used:
Google and Lycos appear to have problems responding to queries as a result.
Google has been particularly hard hit with some servers returning 503 errors when you try to search. Google has been down for me for most of the day.