A new MyDoom worm variant, [email protected], was discovered on July 26. Computers affected by the worm are used to perform queries on various search engines to harvest email addresses. According to reports, a significant number of computers were affected by the worm and as a result, affected computers caused some amount of strain on popular search engines, including Lycos, Altavista, Yahoo, and Google.
According to Symantec's analysis, the worm collects email addresses from a user's system by parsing various files such as the Outlook address book file, as well as files with common extension (.asp, .php, .pl, .dbx, and others) know n to sometimes contain email address. The worm spreads by emailing copies of itself to harvested email addresses using its own built-in SMTP engine, where the email might appear to be a mail delivery error message from a mail given server.
[email protected] tries to hide itself on an infected system by installing itself using the filenames java.exe and services.exe, both of which are placed in the Windows root directory. The java.exe file is the worm itself, while the services.exe is a backdoor Trojan program that antivirus software might detect as Zincite. The Trojan opens port 1034 for remote connections and probes IP addresses for other systems listening on port 1034.