Thread: (Another) MyDoom variant

  1. #1

    (Another) MyDoom variant

    Being reported by the Internet Storm Center (because it appears to impact on Yahoo!) - see here.

    Handlers Diary August 3rd 2004
    Updated August 3rd 2004 16:09 UTC (Handler: Tom Liston)
    * New MyDoom In The Wild
    New MyDoom On The Loose

    Initial analysis (we will update as we know more):

    Currently (16:00GMT), signatures are not yet available.

    Targets Yahoo's people search:

    http://email.people.yahoo.com:80/py/psSearch.py?

    Message subjects(?):

    SN: New secure mail
    Secure delivery
    failed transaction
    Re: hello (Secure-Mail)
    Re: Extended Mail
    Delivery Status (Secure)
    Re: Server Reply
    SN: Server Status


    Message body contains(?):

    Automatically Secure Delivery: for
    Mail Delivery Server System: for
    Extended secure mail message available at:
    Secure Mail Server Notification: for
    New mail secure method implement: for
    New policy requested by mail server to returned mail
    as a secure compiled attachment (Zip).
    Now a new message is available as secure Zip file format.
    Due to new policies on clients.
    This message is available as a secure Zip file format
    due to a new security policy.
    For security measures this message has been packed as Zip format.
    This is a newly added security feature.
    New policy recommends to enclose all messages as Zip format.
    Your message is available in this server notice.
    You have received a message that implements secure delivery technology.
    Message available as a secure Zip file.
    This message is an automatically server notice
    from Administration at
    Server Notice: New security feature added. MSG:ID: 455sec86
    New feature added for security reasons
    Automatically server notice:,
    Server reply from
    New service policy for security added from


    The executable contains the following names (to what purpose, we are currently unsure):
    Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker, Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony, Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter, Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell, Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris, Rogers, Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie, Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel, Marcos, Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine, Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin, Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland, Cecily, Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold, Watkins, Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez, Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton, Allison, Monique, Summers, Cortez, Barton, Deleon, Harrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna, Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra, Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller, Barton, Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders, Ramirez, Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua, Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider, Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter, Simpson, Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields, Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert, Cummings, Leonard, Barker, Norris.
    Haven't seen it yet though.
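The subject lines and body phrases quoted from the ISC diary above are exactly the kind of strings a mail gateway can match on while signatures are still unavailable. The following is an added example (not code from the original post, the ISC diary, or any vendor) that parses a message with Python's standard `email` package, scores it against those published strings plus the presence of a .zip attachment, and maps the score to a gateway action. The sample messages and the three-tier policy (deliver / review / quarantine) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Subject lines listed in the ISC diary quoted above.
KNOWN_SUBJECTS = {
    "SN: New secure mail",
    "Secure delivery",
    "failed transaction",
    "Re: hello (Secure-Mail)",
    "Re: Extended Mail",
    "Delivery Status (Secure)",
    "Re: Server Reply",
    "SN: Server Status",
}

# Distinctive fragments of the body texts listed in the ISC diary quoted above.
KNOWN_BODY_PHRASES = (
    "Automatically Secure Delivery: for",
    "Mail Delivery Server System: for",
    "Extended secure mail message available at:",
    "Secure Mail Server Notification: for",
    "New mail secure method implement: for",
    "secure compiled attachment (Zip)",
    "secure Zip file format",
    "packed as Zip format",
    "enclose all messages as Zip format",
    "Message available as a secure Zip file",
    "MSG:ID: 455sec86",
    "New feature added for security reasons",
    "New service policy for security added from",
)


def has_zip_attachment(msg: EmailMessage) -> bool:
    """True if any attachment is a .zip by name or declared content type."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            return True
    return False


def score_message(raw: bytes) -> Tuple[int, List[str]]:
    """Count independent lure indicators in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []

    subject = (msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for phrase in KNOWN_BODY_PHRASES:
        if phrase.lower() in body.lower():
            reasons.append(f"body contains lure phrase: {phrase!r}")
            break  # one body hit is enough; do not over-count a single text

    if has_zip_attachment(msg):
        reasons.append("carries a .zip attachment")

    return len(reasons), reasons


def classify(raw: bytes) -> str:
    """Constructed gateway policy: two or more indicators quarantine, one flags for review."""
    score, _ = score_message(raw)
    if score >= 2:
        return "quarantine"
    if score == 1:
        return "review"
    return "deliver"


def build_sample(subject: str, body: str, zip_name: str = "") -> bytes:
    """Construct a test message; the zip payload is a few placeholder bytes, not a real archive."""
    m = EmailMessage()
    m["From"] = "admin@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if zip_name:
        m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                         maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()


# Constructed samples: one lure built from the published strings, one benign note.
LURE = build_sample(
    "Secure delivery",
    "Now a new message is available as secure Zip file format.\nDue to new policies on clients.",
    zip_name="message.zip",
)
BENIGN = build_sample("Lunch tomorrow?", "Are you free at noon?")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{label}: {classify(raw)} (score {score}) {reasons}")
```

The subject match is exact because the diary lists the strings verbatim; if you deploy something like this, expect the subjects to drift between variants and treat the zip-plus-lure-phrase combination as the more durable signal.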

  2. #2
    Banned | Join Date: Nov 2003 | Posts: 12
    The attack echoes the MyDoom-O worm's use of the Google, Yahoo, Lycos and Altavista search engines last week, which resulted in millions of users being unable to search the web using Google.

    The MyDoom-Q worm arrives as an email attachment, and will scour files on the infected user's hard drive for other email addresses to which to send itself. However, it will then use the People Search facility of the Yahoo website (people.yahoo.com) to try and find additional email addresses.

    "Copycat viruses are all the rage in the cybercrime underworld, so you didn't have to be psychic to predict the release of more worms trying to scoop up email addresses from search engines. Unfortunately, we expect to see other worm authors trying similar tricks in the future," said Graham Cluley, senior technology consultant for Sophos. "All internet users should do their bit to ensure they are not passing on infected files by using up-to-date anti-virus software and exercising great caution when receiving unsolicited email attachments."

    With the source code so public I'm surprised there haven't been heaps more versions of MyDoom... simply typing "MyDoom-A Source code" at Google gets it third on the list with a site containing the full source... I would've thought with that there'd be a hell of a lot more MyDoom variants.
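Both posts describe the same network behaviour: an infected desktop querying Yahoo's People Search (the psSearch.py URL quoted from the ISC diary in the first post) to harvest addresses. From the defender's side that leaves a clear trace in proxy logs, because a human looks up one or two names while a worm fires requests at machine speed. The following is an added example (not from the original thread, ISC, or Sophos) that scans a constructed proxy log for that URL and flags source hosts exceeding a request threshold inside a sliding time window. The log format, the host addresses, the threshold of 5 hits per 60 seconds, and the query strings are all constructed; the diary shows only the script path, not what the worm actually sends after the `?`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Script path quoted in the ISC diary above; port and query string are optional.
HARVEST_URL = re.compile(
    r"^http://email\.people\.yahoo\.com(?::80)?/py/psSearch\.py", re.IGNORECASE
)

# Constructed proxy log, not real traffic. Format: "<UTC time> <client> <method> <url> <status>".
# Query strings after "?" are made up for the sample.
SAMPLE_LOG = """\
2004-08-03T16:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2004-08-03T16:00:02Z 10.0.0.7 GET http://email.people.yahoo.com:80/py/psSearch.py?name=Johnson 200
2004-08-03T16:00:03Z 10.0.0.7 GET http://email.people.yahoo.com:80/py/psSearch.py?name=Williams 200
2004-08-03T16:00:05Z 10.0.0.7 GET http://email.people.yahoo.com:80/py/psSearch.py?name=Wilson 200
2004-08-03T16:00:06Z 10.0.0.7 GET http://email.people.yahoo.com:80/py/psSearch.py?name=Taylor 200
2004-08-03T16:00:08Z 10.0.0.9 GET http://email.people.yahoo.com/py/psSearch.py?name=Smith 200
2004-08-03T16:00:09Z 10.0.0.7 GET http://email.people.yahoo.com:80/py/psSearch.py?name=Anderson 200
2004-08-03T16:00:11Z 10.0.0.7 GET http://email.people.yahoo.com:80/py/psSearch.py?name=Thomas 200
2004-08-03T16:00:12Z 10.0.0.5 GET http://www.example.org/news 200
"""


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, client, url)."""
    ts, client, _method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url


def find_harvesters(log_text: str,
                    threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {client: peak hits in any window} for clients that reach the threshold."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        if HARVEST_URL.match(url):
            hits[client].append(ts)

    flagged: Dict[str, int] = {}
    for client, times in hits.items():
        times.sort()
        start = 0
        # Two-pointer sliding window: count requests within `window` of each other.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


if __name__ == "__main__":
    for client, peak in find_harvesters(SAMPLE_LOG).items():
        print(f"{client}: {peak} People Search requests within one window; isolate and scan")
```

The single lookup from 10.0.0.9 stays under the threshold, which is the point: the rule keys on rate, not on the URL alone, so a legitimate user of the site is not flagged while a host spraying the name list is.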
