News 

Email scanning company MessageLabs says it encountered 23,000 copies of MyDoom-O within the first five hours following the discovery.

Sophos too says it has received many reports of the new version. And most antivirus companies have raised the threat levels associated with the virus to the second highest.

At its peak, McAfee estimated 10,000 systems an hour were being infected. McAfee antivirus expert Jack Clark told us that MyDoom-O had peaked by now though. 'Attacks are now very brief, this variant will be dying out already,' he said.

MyDoom-O causes infected computers to continually launch search queries on a number of well-known search engines, such as Google, which became extremely sluggish around 3.30pm yesterday, with some searches resulting in an error page. And this is on technology that regularly handles 200mn searches a day.

Google said in a statement: 'The Google search engine experienced slowness for a short period of time earlier today because of the MyDoom virus, which flooded major search engines with automated searches. A small number of users and networks that have the MyDoom virus have been affected for a longer period of time.'

Earlier versions of MyDoom have targetted sites such as Microsoft and SCO - a company in the

ADVERTISEMENT

midst of a legal campaign against IBM, Novell, and users of free and open source Linux-based software - with denial of service attacks.

However, Clark said that it is not clear whether MyDoom-O was by the same hand. And despite Google being seen by some as a prime hacker target with a multi-billion dollar IPO just days away, Clark believes the flood of requests that have caused Google to falter were not a co-ordinated deliberate attack, but rather part of MyDoom's efforts to gather more email addresses. 'The denial of service attack that happened to google was not intentional, the code was in place to gather email addresses in order to speed propagation,' he said.

Many versions of MyDoom have been created since it first appeared in January this year. Antivirus companies can often protect their customers from future variations by issuing a generic virus update. One of the reasons MyDoom-O has been so successful is that the virus code was compressed in the attached file using the UPX packer. This made it significantly different enough to cause antivirus companies to issue separate updates to detect the virus, which in turn creates a window of infection - usually around seven or eight hours, but sometiimes more - between the launch of a virus and the creation and mass installation of an update.

MyDoom-O appears as an email with a short message with a spoofed 'from' address that implies it is a returned mail that was unable to be processed, or that your email address is considered to have sent out spam.

A 27,648byte file is attached as a number of formats and with a random filename. Once run, the virus copies itself locally, harvests email addresses found on the system and uses its own SMTP engine to send out infected emails.

The virus is also being referred to as MyDoom.M, I-Worm.MyDoom.M, I-Worm.MyDoom.R and W32/MyDoom.L.