Who do you want to infect today?

Oh, the little Internet security geek inside of me is excited tonight.

The reason for this is Mydoom.M, the latest addition to the Mydoom family of mass-mailing worms. Like its predecessors, it spreads by sending e-mails from compromised Windows computers. It also contains a backdoor that listens on port 1034/TCP.

What’s new about this worm - at least the technique is new to me - is that it uses search engines to find new e-mail addresses to send itself to. Once the worm is active on the infected computer, it scans user files on the local hard drive, and possibly also on mounted network drives, for domain names. For every domain it finds, it queries search engines for e-mail addresses at that domain, which gives it fresh, valid-looking targets that aren’t in any local address book. The reports so far show that Google, Altavista, Yahoo! and Lycos are all being used by the worm. Google has actually started to block e-mail address searches to reduce the load on their servers.
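That search pattern is also the worm’s weak spot from a detection point of view: a desktop that suddenly fires off a burst of search-engine queries for "@somedomain.tld" is easy to spot in a web proxy log. The script below is an added example of such a check and is not part of the original post or of any AV vendor’s tooling. It assumes a simple "timestamp client method url" proxy log format, a small table of search-engine hostnames and their query parameter names, and a threshold of three harvest-style queries within sixty seconds; all of those, and the sample log lines themselves, are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (timestamp, client, method, URL).
# These lines are made up for this example; they are not real captured traffic.
SAMPLE_LOG = """\
1090250001.123 10.0.0.12 GET http://www.google.com/search?q=%40example.com
1090250001.456 10.0.0.12 GET http://search.yahoo.com/search?p=%40example.com
1090250002.001 10.0.0.12 GET http://www.altavista.com/web/results?q=email+%40example.com
1090250002.300 10.0.0.12 GET http://search.lycos.com/default.asp?query=%40example.com
1090250003.010 10.0.0.12 GET http://www.google.com/search?q=%40example.org
1090250003.200 10.0.0.12 GET http://www.google.com/search?q=contact+%40example.net
1090250004.000 10.0.0.25 GET http://www.google.com/search?q=mydoom+removal+tool
1090250005.000 10.0.0.25 GET http://www.f-secure.com/v-descs/mydoom_m.shtml
1090250006.000 10.0.0.31 GET http://www.google.com/search?q=%40example.com
"""

# Assumed mapping of search-engine host -> name of its query-string parameter.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "www.altavista.com": "q",
    "search.lycos.com": "query",
}

# A query containing a bare "@domain.tld" token is treated as an address harvest.
HARVEST_RE = re.compile(r"(^|\s)@[a-z0-9.-]+\.[a-z]{2,}(\s|$)", re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, client, url) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, _method, url = parts
    return float(ts), client, url


def harvest_query(url):
    """Return the harvested domain if url is a search-engine query for '@domain', else None."""
    parsed = urlparse(url)
    param = SEARCH_ENGINES.get(parsed.netloc.lower())
    if param is None:
        return None
    # parse_qs decodes %40 -> '@' and '+' -> ' ' for us.
    for value in parse_qs(parsed.query).get(param, []):
        m = HARVEST_RE.search(value)
        if m:
            return m.group(0).strip().lstrip("@").lower()
    return None


def find_harvesters(log_text, min_queries=3, window_seconds=60):
    """Return {client: sorted harvested domains} for every client that issued
    at least min_queries harvest queries within any window_seconds interval."""
    events = defaultdict(list)  # client -> [(timestamp, domain)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, url = rec
        domain = harvest_query(url)
        if domain:
            events[client].append((ts, domain))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        # Sliding window: any run of min_queries events inside window_seconds flags the host.
        for i in range(len(evs) - min_queries + 1):
            if evs[i + min_queries - 1][0] - evs[i][0] <= window_seconds:
                flagged[client] = sorted({d for _, d in evs})
                break
    return flagged


if __name__ == "__main__":
    for client, domains in find_harvesters(SAMPLE_LOG).items():
        print(f"{client}: harvesting addresses for {', '.join(domains)}")
```

Here 10.0.0.12 is flagged because it hits four different engines for three domains in a couple of seconds, while 10.0.0.25 (searching for a removal tool) and 10.0.0.31 (a single query) are left alone. Tune the threshold to your own proxy volume, and treat a hit as a reason to check that host for the 1034/TCP listener, not as proof of infection on its own.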

The AV companies got the first reports about this worm earlier today, and it’s already spreading rapidly. F-Secure - which I’ve started to follow closely lately because of their News from the Lab weblog - already has Mydoom.M listed as a Radar Alert Level 2 threat; my guess is that they’ll raise it to a Level 1 threat within the next 24 hours, at least if it keeps spreading as fast as it looks right now. F-Secure have also developed a special disinfection tool for the worm. Most of the AV companies have released updated virus definitions, so make sure you synchronize your local definitions regularly to stay up to date.

If you managed to get infected, you should smack yourself in the face with a hammer.
