Another new version of the MyDoom worm, MyDoom-Q, is spreading using Yahoo as part of its infection routine. It is similar to MyDoom-M (aka MyDoom-O), which was released last week. It normally spreads via email, with a false sending address and a variety of different subject lines and random sentences, some of which refer to the attached Zip file that contains viral code. Once opened, this file copies itself to the Windows system directory as winlibs.exe. The executable contains a list of many common first names and surnames that it puts through Yahoo's People Search function in an attempt to find more email addresses to target for infection.
Last week’s version of MyDoom also tried to exploit search engines in a similar way. The earlier version of the email worm plugged domain names into the Yahoo, Google, AltaVista and Lycos search engines in an effort to find valid email addresses. This caused slowdowns and prevented many people from being able to search the web using Google, the worst-affected site. However, Yahoo's People Search function appears to be responding normally despite the arrival on the scene of the Windows-menacing MyDoom-Q on 4 August.