MyDoom worm quickly gives up the ghost

Live fast, die young...

By Munir Kotadia, 28 July 2004 08:10

The latest variant of the MyDoom worm, which was discovered on Monday, peaked after around 12 hours and by late Tuesday had already started dying out, according to antivirus companies.

The new generation, known as both MyDoom.M and MyDoom.O, brought down four popular search engines on Monday and clogged email accounts around the world. Google, Yahoo, AltaVista and Lycos all slowed to a crawl, because once the worm infects a PC, it automatically performs web searches on those search engines.

Natasha Staley, an information security analyst at MessageLabs, said the company intercepted just 599,641 messages containing MyDoom in its first 24 hours. This is less than half the number of infected messages caught during the 24 hours of the original MyDoom attack and is likely to keep falling as the week continues.

"MyDoom slowed down overnight and picked up again this morning, but more than likely it is a case of people's bedtime patterns. I don't expect to be here tomorrow saying there has been another 600,000 interceptions. It will probably tail off slightly tomorrow and there will be more significant drops throughout the week," Staley said on Tuesday.

Security experts have been warning about the consequences of another MyDoom outbreak after the original version caused massive disruption to the internet and launched a distributed denial-of-service attack on the SCO Group that knocked the company's website offline for more than a month.

However, the latest variant of MyDoom does not appear to have launched a DDoS attack.

Jack Clark, a technology consultant at security specialist McAfee, said this version of MyDoom seems to be "nothing special" and is following the behavior expected from a typical mass-mailing worm - dying down after an initial surge.

"In the 24 hours it was discovered, MyDoom had a huge effect on the population. It had a really active period of about 12 hours, but is now starting to die out," Clark said.

Clark said that, unlike a Trojan horse distributed late last week disguised as suicide pictures of Osama bin Laden, this variant of MyDoom didn't make any original effort to persuade people to open its attachment.

But Symantec warned on Tuesday that the latest version of MyDoom could foster a 'backdoor' opportunity for hackers. Like many other new worms, MyDoom leaves behind code meant to allow future attacks on infected machines. While such openings are usually closed by antivirus applications, hackers have already created a virus, which Symantec is calling W32.Zindos.A, to exploit the MyDoom backdoor, said Dee Liebenstein, a group product manager at Symantec.

The W32.Zindos.A worm has not proliferated rapidly, however, because many people have already protected themselves against MyDoom, Liebenstein said.

Munir Kotadia writes for ZDNet UK. CNET News.com's Matt Hines and Isabelle Chan of CNET Asia also contributed to this report.
