Friday, February 18, 2005

Mydoom.AO Virus - Targets search engines for email addresses

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, February 17, 2005 - PandaLabs has detected the appearance of a new
worm that uses Internet search engines to spread rapidly: Mydoom.AO. This
worm uses Google, Altavista, Yahoo and Lycos to search for email addresses
to which to send itself. In this way, a single infected computer can
distribute thousands of copies of the worm in just a few minutes, so the
probability of a computer being hit by Mydoom.AO is high.

Panda Software clients that already have TruPrevent(TM) Technologies to
protect against unknown viruses and intruders have had preventive protection
against Mydoom.AO from the moment it first appeared, as these technologies
detect and block the threat without needing to have identified it previously
(more information about the new TruPrevent(TM) Technologies at
http://www.pandasoftware.com/truprevent).

Mydoom.AO relies on so-called 'social engineering' to trick users: the
messages it spreads in are made to look like mail delivery error reports,
with subjects such as "Message could not be delivered", "Mail System Error -
Returned Mail" or "Delivery reports about your e-mail".

The message text itself is also variable. One example is:

Your message (was not|could not be) delivered because the destination
(computer|server) was (not|un)reachable within the allowed queue period. The
amount of time a message is queued before it is returned depends on local
configuration parameters.

(Each group in parentheses is filled with one of the alternatives separated
by '|', so the same template yields several different bodies.)

The name of the attached file that actually contains the worm is chosen at
random and has one of the following extensions: ZIP, COM, SCR, EXE, PIF, BAT
or CMD.
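The characteristics above are enough to write a mail-gateway triage check. The
following Python script is an added example, not part of Panda's advisory and
not Panda code: it uses the subject lines quoted above, compiles the body
template into a regular expression, and flags the attachment extensions the
advisory lists. Both sample messages are constructed for the example (the
addresses, the boundary strings and the attachment name qx3k7.scr are made up).
It also adds one check the advisory does not mention but a mail administrator
would want: a genuine delivery status notification is a multipart/report
message with report-type=delivery-status (RFC 3464), whereas a forged bounce
that carries an executable is normally an ordinary multipart/mixed message.

```python
import re
from email import message_from_string, policy

# Subject lines the advisory quotes for the fake bounce messages.
BOUNCE_SUBJECTS = {
    "message could not be delivered",
    "mail system error - returned mail",
    "delivery reports about your e-mail",
}

# The advisory's body template; each (a|b) group becomes a regex alternation.
BODY_RE = re.compile(
    r"your\s+message\s+(?:was\s+not|could\s+not\s+be)\s+delivered\s+because\s+the\s+"
    r"destination\s+(?:computer|server)\s+was\s+(?:not\s+|un)reachable\s+within\s+"
    r"the\s+allowed\s+queue\s+period",
    re.IGNORECASE,
)

# Attachment extensions the advisory lists for the worm's payload.
RISKY_EXT = (".zip", ".com", ".scr", ".exe", ".pif", ".bat", ".cmd")


def attachment_names(msg):
    """Collect the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw):
    """Triage one raw RFC 822 message; return a verdict and the indicators behind it."""
    msg = message_from_string(raw, policy=policy.default)
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = attachment_names(msg)
    # A real DSN is multipart/report; report-type=delivery-status (RFC 3464).
    # The worm only imitates the wording of a bounce, not its structure.
    real_dsn = (msg.get_content_type() == "multipart/report"
                and str(msg.get_param("report-type") or "").lower() == "delivery-status")
    indicators = {
        "bounce_subject": subject in BOUNCE_SUBJECTS,
        "bounce_body": BODY_RE.search(body) is not None,
        "risky_attachment": any(n.lower().endswith(RISKY_EXT) for n in names),
        "not_rfc_dsn": not real_dsn,
    }
    looks_like_bounce = indicators["bounce_subject"] or indicators["bounce_body"]
    suspect = looks_like_bounce and indicators["risky_attachment"] and indicators["not_rfc_dsn"]
    return {"verdict": "suspect" if suspect else "benign",
            "indicators": indicators, "attachments": names}


# Constructed sample: a worm-style fake bounce carrying a randomly named .scr file.
SAMPLE_WORM = """\
From: postmaster@example.com
To: victim@example.org
Subject: Mail System Error - Returned Mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your message could not be delivered because the destination server was
unreachable within the allowed queue period. The amount of time a message
is queued before it is returned depends on local configuration parameters.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="qx3k7.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""

# Constructed sample: a genuine MTA bounce with the same wording but proper DSN structure.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.com
To: victim@example.org
Subject: Delivery reports about your e-mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Your message could not be delivered because the destination server was
unreachable within the allowed queue period.

--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.com

Final-Recipient: rfc822; someone@example.net
Action: failed
Status: 4.4.1

--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("dsn", SAMPLE_DSN)):
        print(label, classify(raw))
```

Run as-is it prints "suspect" for the forged bounce and "benign" for the real
one. The subject list and body template are specific to this variant and will
drift as new variants appear, so treat them as triage heuristics; the two
checks that generalise are the missing RFC 3464 structure and an executable
attachment on something claiming to be a bounce.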

On an infected computer the worm creates a copy of itself under the name
JAVA.EXE and harvests email addresses from the Windows address book, from
Internet temporary files, and from files on the computer with certain
extensions. It then takes the domain names from the addresses it has
collected and submits them as search terms to Google, Altavista, Yahoo and
Lycos in order to gather further addresses. Finally, Mydoom.AO sends itself
to every address it has found.

The worm also creates several Windows registry entries to ensure it is run
on every system start up.

According to Luis Corrons, director of PandaLabs: "Virus creators are
finding Internet search engines a powerful tool for rapidly spreading
malicious code. Mydoom.N was the first to use this strategy, and this new
worm is following in its footsteps. This tactic effectively multiplies the
propagation capacity of a malicious code, and it is therefore likely that we
will see more of the same".

Given the likelihood of incidents involving Mydoom.AO, Panda Software
advises users to act with caution and update their antivirus software. Panda
Software clients already have the corresponding updates to detect and
disinfect this new malicious code.