New Windows MyDoom Worm Searches And Destroys
The newest version of the MyDoom worm, discovered just today, still creates its own SMTP engine, allowing it to send e-mail from the infected machine to every e-mail address it can find on the computer. But this new and “improved” MyDoom also uses the computer’s Internet connection to search for e-mail addresses on Google, Yahoo!, AltaVista, and Lycos, and sends itself out to any addresses it finds.
But wait, there’s more! This version of MyDoom, dubbed “MyDoom AO”, also specifically searches the search engines for e-mail addresses within its host’s domain, sending itself to as many e-mail addresses within the host domain as it can find. For example, if the host computer sends e-mail as joe at example.com, MyDoom looks on the search engines for as many e-mail addresses at example.com as it can find. Then…
W32.Mydoom.AO@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses that it finds on the compromised computer. It also propagates through file sharing networks.
The e-mail will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Also Known As: Email-Worm.Win32.Mydoom.ak [Kaspersky Lab], W32/Mydoom.ba@MM [McAfee], WORM_MYDOOM.AY [Trend Micro]
Type: Worm
Infection Length: 34,304 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP [Symantec]
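
An added example (not from the original post or from the Symantec write-up): a mail-gateway style check that parses a message, flags attachments with the extensions listed above, and notes when the decoded size equals the stated infection length. The function names and the sample message are constructed for illustration, and the size comparison is only a hint.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions and infection length exactly as listed in the write-up above.
WORM_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
INFECTION_LENGTH = 34304  # bytes


def triage_attachments(raw: bytes) -> list:
    """Return one finding per attachment whose extension is on the list."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Windows drops trailing dots and spaces, so "x.scr." runs as "x.scr".
        ext = os.path.splitext(name.rstrip(". "))[1]
        if ext not in WORM_EXTENSIONS:
            continue
        size = len(part.get_payload(decode=True) or b"")
        findings.append({
            "filename": name,
            "extension": ext,
            "size": size,
            # Weak hint only: a .zip copy will not have this length.
            "size_matches": size == INFECTION_LENGTH,
        })
    return findings


def build_sample() -> bytes:
    """Constructed test message: two flagged attachments, one benign."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for filename, data in [
        ("readme.txt.PIF", b"\x00" * INFECTION_LENGTH),  # double extension
        ("notes.txt", b"plain notes"),                    # not on the list
        ("photo.scr.", b"\x00" * 100),                    # trailing dot
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample()):
        print(finding)
```

Because the subject and attachment name vary, the check keys on the extension rather than on either of those fields.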
