A new version of the MyDoom computer virus targeted to attack Internet search engines spread so quickly Monday morning that some Web surfers received error messages when attempting to use Google.
The timing of the news was bad for Google, which on Monday of its planned initial public offering. The firm will try to raise up to $3.3 billion in the stock offering.
The new virus also hit the Yahoo, Altavista, and Lycos search engines, according to antivirus firm McAfee.
"It's fascinating. We've never seen (a virus) do this before," said Graham Cluley, senior technology consultant at antivirus firm Sophos.
By Monday evening, spread of the worm had slowed considerably, according to McAfee spokesman Craig Schmugar. The Google search engine also appeared to have returned to normal by midday PT on Monday.
"It's a little early to tell, but it appears we are past the worst of it," Schmugar said.
The attack employed a new technique designed to spread the worm as quickly as possible. It's customary for computer viruses to search an infected computer for e-mail addresses, then send itself to those e-mail addresses in an attempt to spread quickly.
The new version of MyDoom goes one step farther: for each domain name it finds on an infected computer, it generates a Google search, then lifts e-mail addresses out of the results. Infected computers regularly have about 1,000 e-mail addresses on them, said McAfee's Brian Mann -- so each infection can generate as many as 1,000 queries to Google.
"This is a very innovate approach to getting more e-mail addresses," said Alan Paller, a spokesman for the computer security training firm the SANS Institute. Researchers there say the virus' main goal is to collect valid e-mail addresses for spammers.
McAfee received over 100 submissions of the virus during a 90-minute period Monday morning, a rate Mann called "astronomical." Google is being hit with millions of additional queries, he said.
Google, in a statement, conceded that it experienced worm-related problems.
The site "experienced slowness for a short period of time early today because of the MyDoom virus, which flooded major search engines with automated searches," the statement read. "A small percentage of our users and networks that have the MyDoom virus have been affected for a longer period of time. At no point was the Google website significantly impaired."
Yahoo spokeswoman Stephanie Ichinose said some Yahoo users may have noticed a slight slowdown at the site early Monday because of the worm, but by midday, the site was operating normally.
While the virus is designed to generate queries to all four search engines, it is weighted heavily toward Google. The virus chooses to query Google 45 percent of the time, Cluley said; it hits Lycos 22.5 percent of the time, Yahoo 20 percent and Altavista, 12.5 percent.
"Perhaps this explains why Google is experiencing more problems than the other three," he said.
Symantec Corp. gave the virus a threat level of 4 on a scale of 1 to 5. Spokesman Oliver Friedrichs said his firm had received 250 submissions of the worm in the first few hours.
"There is definitely widespread infection," he said.
There were multiple reports that some Internet surfers were receiving error messages when they tried to perform Google searches. Others reported Google was operating normally.
Keynote Systems Inc., which measures Internet performance, said initial data suggests the virus outbreak slightly slowed overall Net performance. Average Web site response time dropped a few percentage points, said Lloyd Taylor, vice president of technology and operations at Keynote. He said the first signs of trouble appeared at about 9:30 a.m. ET, when Altavista's home page began to sputter a little.
Throughout the attack, Google's home page continued to perform normally, he said. Only users who executed a search would have noticed a slowdown or seen an error message, according to Taylor. While Google's simple home page had no trouble handling the extra traffic, the number of queries by virus-infected computers overwhelmed the site's ability to answer search requests.
The new virus is yet another version of MyDoom, which initially appeared in January, and infected hundreds of thousands of computers.
The new version of the worm arrives with a simple message, such as a error message purporting to be from the recipient's system administrator.