From http://isc.sans.org/

Handlers Diary July 26th 2004
Updated July 26th 2004 16:04 UTC (Handler: Johannes Ullrich) 
Latest MyDoom search engine use 

(Initial analysis. More details, and eventual corrections, will be posted as
they become available.)

The latest version of MyDoom, which started arriving in people's mailboxes
in force today, uses search engines to find more recipients for its message.


Once the virus is started, it searches the user's files for domain names.
Once it spots a domain name (e.g. '@example.com', or in
'www.example.com'), it will search various search engines for valid e-mail
addresses within these domains. These search engines include Lycos, Google,
Altavista, Yahoo and possibly others. Some of the search strings used:

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=e-mail+example.com 

Some search engines report performance issues.
---
This E-mail came from the Declude.JunkMail mailing list.
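
One way to look for the search behaviour described above in web proxy logs, as an added example that is not part of the diary entry or the original message. Only the `query=e-mail+example.com` request comes from the text; the log format, the `q` parameter, the sample lines and the two-domain threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines (client IP, request line); not real traffic.
# The "/search?q=" form is an assumed variant; the diary shows only "query=".
SAMPLE_LOG = """\
10.0.0.5 "GET /default.asp?lpv=1&loc=searchhp&tab=web&query=e-mail+example.com HTTP/1.0"
10.0.0.5 "GET /default.asp?lpv=1&loc=searchhp&tab=web&query=e-mail+example.org HTTP/1.0"
10.0.0.5 "GET /search?q=e-mail+example.net HTTP/1.0"
10.0.0.9 "GET /search?q=e-mail+marketing+tips HTTP/1.1"
10.0.0.9 "GET /default.asp?lpv=1&loc=searchhp&tab=web&query=weather HTTP/1.1"
10.0.0.7 "GET /search?q=e-mail+example.com HTTP/1.1"
"""

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+"$')
# Decoded parameter value of the form "e-mail <domain>", as in the diary's sample.
HARVEST_RE = re.compile(r'^e-mail ((?:[a-z0-9-]+\.)+[a-z]{2,})$', re.I)

def harvest_domain(url):
    """Return the domain searched for if any query parameter matches, else None."""
    for _name, value in parse_qsl(urlsplit(url).query):  # parse_qsl turns '+' into ' '
        m = HARVEST_RE.match(value.strip())
        if m:
            return m.group(1).lower()
    return None

def suspicious_clients(log_text, min_domains=2):
    """Map client -> sorted domains, for clients searching >= min_domains domains."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        domain = harvest_domain(m.group(2))
        if domain:
            seen[m.group(1)].add(domain)
    # A single such search is plausible for a human; several distinct domains
    # from one client is the pattern worth a closer look.
    return {c: sorted(d) for c, d in seen.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for client, domains in suspicious_clients(SAMPLE_LOG).items():
        print(client, "searched for addresses in", ", ".join(domains))
```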