When security experts first detected a mass-mailing worm that uses Yahoo's People Search engine to harvest email addresses, they assumed it was a new variant of MyDoom, which a week earlier had attacked a number of search engines for the same purpose.
However, after a detailed inspection of the worm's code, researchers have realised the code is not a new MyDoom variant, but a variant of another worm called Evaman.
Mikko Hyppönen, director of antivirus research at F-Secure, said one antivirus firm named the worm MyDoom and the other companies followed its lead. But after further examination, researchers found the worm was not a MyDoom variant.
"It is a pretty confusing situation right now. There are similarities in the operation of the virus and in the code. Everybody used the same name until somebody really paid attention and noticed it should be part of the Evaman family. But we do think they are coming from the same source or parties close to each other," Hyppönen said.
David Emm, senior technical consultant at Kaspersky Labs, explained that researchers follow certain guidelines when naming malware, but he said their first priority is to produce a detection signature, not conduct a detailed analysis. It then becomes difficult to rename the malware because that confuses everyone who's trying to defend their networks against a specific attack.
"When a new virus turns up, the researchers are keen to build a detection for it. If you back-step from the original name, you have a problem where people say 'you used to detect this and now you don't', so it can be a bit of a nightmare for the outside world as well as for antivirus vendors," said Emm.
Hyppönen agreed that changing the name was not a good idea and wasn't sure if F-secure would do so.
"We haven't changed the name, yet. We might do, but are still calling it MyDoom for now," said Hyppönen.
The close similarity between the worms strengthened researchers' conviction that both worm families are being developed by the same author or group of authors.