Oh, the little Internet security geek inside of me is excited tonight.
The reason for this is Mydoom.M, the latest addition to the Mydoom family of mass-mailing worms. Like its predecessors, it spreads by sending e-mails from compromised Windows computers. It also contains a backdoor that listens on port 1034/TCP.
What’s new about this worm – at least the technique is new to me – is that it uses search engines to find new e-mail addresses to send itself to. Once the worm is active on the infected computer, it starts looking for domain names in user files on the local hard drive, and possibly also on all mounted network drives. As soon as it finds any, it queries search engines for e-mail addresses belonging to that domain. The reports so far show that Google, Altavista, Yahoo! and Lycos are all being used by the worm. Google has actually started to block e-mail address searches to reduce the load on their servers.
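The search-engine harvesting described above leaves a recognizable trace in outbound web traffic: one client firing off several "@domain" queries at the engines named here within seconds. The following is an added detection example (my own code, not part of the original post or any AV vendor's tool) that runs over constructed proxy log lines and flags clients showing that burst; the log format, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines (not real data): timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2004-07-26T19:02:11 10.0.0.12 http://www.google.com/search?q=%40example.org
2004-07-26T19:02:12 10.0.0.12 http://search.yahoo.com/search?p=%40example.org
2004-07-26T19:02:13 10.0.0.12 http://www.altavista.com/web/results?q=%40example.org
2004-07-26T19:02:14 10.0.0.12 http://search.lycos.com/default.asp?query=%40example.org
2004-07-26T19:02:15 10.0.0.12 http://www.google.com/search?q=%40corp.example.net
2004-07-26T19:05:40 10.0.0.33 http://www.google.com/search?q=mydoom+removal+tool
"""

# Engines named in the reports; hostname fragments and query parameter names are assumed.
SEARCH_HOSTS = ("google.", "yahoo.", "altavista.", "lycos.")
QUERY_KEYS = ("q", "p", "query")
ADDRESS_SEARCH = re.compile(r"@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_queries(log_text):
    """Yield (timestamp, client, decoded query) for each request to a search engine."""
    for line in log_text.splitlines():
        ts, client, url = line.split(" ", 2)
        parsed = urlparse(url)
        if not any(tag in parsed.netloc for tag in SEARCH_HOSTS):
            continue
        params = parse_qs(parsed.query)  # parse_qs already percent-decodes values
        for key in QUERY_KEYS:
            if key in params:
                yield datetime.fromisoformat(ts), client, params[key][0]


def find_address_harvesters(log_text, threshold=3, window_seconds=60):
    """Map client -> count for clients with >= threshold '@domain' searches in one window."""
    hits = defaultdict(list)
    for ts, client, query in harvest_queries(log_text):
        if ADDRESS_SEARCH.search(query):
            hits[client].append(ts)
    flagged = {}
    for client, times in hits.items():
        times.sort()
        for i in range(len(times)):
            j = i  # advance j while the queries stay inside the sliding window
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[client] = j - i
                break
    return flagged
```

A host that is flagged is a candidate for the disinfection tools mentioned below; an ordinary user searching for removal advice, like the second client in the sample, is not.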
The AV companies got the first reports about this worm earlier today, and it’s already spreading rapidly. F-Secure – which I’ve started to follow closely lately because of their News from the Lab weblog – already has Mydoom.M listed as a Radar Alert Level 2 threat, and my guess is that they’ll raise it to a Level 1 threat within the next 24 hours, at least if it keeps spreading as fast as it looks right now. F-Secure have also developed a special disinfection tool for the worm. Most of the AV companies have released updated versions of their virus definitions; make sure you synchronize your local definitions regularly to stay up to date.
If you managed to get infected, you should smack yourself in the face with a hammer.
I’ve heard that the chicks in Cali dig computer nerds. Life’s just too damn good.