As a new variant of the MyDoom virus begins spreading across the Internet, slowing search engines to a crawl in the late morning of July 26, Johannes Ullrich jumps into action.
Ullrich, CTO at the SANS Institute's Internet Storm Center (ISC) and one of 30 "handlers" who cover the storm center round the clock, is on duty this morning. He doesn't have far to go to find the virus; there are already a bunch of copies in his e-mail in-box.
He gets to work, first saving a copy of the virus code (a file called instruction.exe). Then, using VMware software, which lets you run multiple operating systems on a single device, he executes the virus in Windows 2000 to see what it does.
By using VMware on his SuSE Linux system, Ullrich can create an operating system sandbox that prevents permanent damage from a virus or rogue application. As soon as the VMware session is restarted, the virtual Win 2000 session is essentially wiped out and a clean install is created. While most malicious applications use file encryption to help mask their intentions, a tool called LordPE lets Ullrich capture the program as it runs. The Ethereal protocol analyzer lets him see what network ports the virus is using and what type of traffic it generates on a packet-by-packet basis.
Ullrich observes MyDoom-O pinging three IP addresses on Port 1034 when it activates, but the three addresses don't respond. The remote systems could be overloaded with requests from infected machines or already taken offline by other concerned parties. Another possibility is that they're decoys to send parties like ISC and anti-virus vendors on a wild goose chase.
After getting no response to its pings, the virus moves on to the business of replicating. To Ullrich's surprise, this MyDoom variant does more than cull a local Web cache for potential e-mail addresses to target, as previous variants had. It goes out and searches Google, Yahoo, Altavista and Lycos for e-mail addresses in a given domain (such as @nww.com). The number of search queries generated by the virus results in a denial-of-service (DoS) attack against Google (both in the U.K. and for many users in the U.S.) and also affects the performance of the other three engines, according to reporting from Keynote Systems on the day of the attack.
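A defender-side check that follows from the two behaviours Ullrich observed, written for this page as an added example (not Ullrich's or SANS's code): it scans a constructed outbound-connection and proxy log for hosts that probe several remote addresses on port 1034 and for hosts that fire a burst of search-engine queries. The log format, IP addresses and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <src> CONN <host:port>" or "... HTTP <host/path>"
SAMPLE_LOG = """\
2004-07-26 11:02:01 10.0.0.7 CONN 203.0.113.10:1034
2004-07-26 11:02:01 10.0.0.7 CONN 203.0.113.11:1034
2004-07-26 11:02:02 10.0.0.7 CONN 203.0.113.12:1034
2004-07-26 11:02:05 10.0.0.7 HTTP www.google.com/search?q=%40nww.com
2004-07-26 11:02:06 10.0.0.7 HTTP search.yahoo.com/search?p=%40nww.com
2004-07-26 11:02:06 10.0.0.7 HTTP www.altavista.com/web/results?q=%40nww.com
2004-07-26 11:02:07 10.0.0.7 HTTP search.lycos.com/default.asp?query=%40nww.com
2004-07-26 11:03:40 10.0.0.9 HTTP www.google.com/search?q=vmware+sandbox
""".splitlines()
SEARCH_ENGINES = ("google.", "yahoo.", "altavista.", "lycos.")
BEACON_PORT = 1034           # port the article reports the variant probing
MIN_PROBED_HOSTS = 3         # it probed three addresses
QUERY_BURST, WINDOW = 4, timedelta(minutes=1)   # burst threshold is an assumption
LINE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) (CONN|HTTP) (\S+)$")

def parse(line):
    """Return (timestamp, src, kind, target), or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, kind, target = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, kind, target

def triage(lines):
    """Map each suspicious source host to the sorted list of behaviours seen."""
    probed = defaultdict(set)    # src -> remote hosts contacted on BEACON_PORT
    queries = defaultdict(list)  # src -> timestamps of search-engine queries
    for ts, src, kind, target in filter(None, map(parse, lines)):
        host, _, port = target.rpartition(":")
        if kind == "CONN" and port == str(BEACON_PORT):
            probed[src].add(host)
        elif kind == "HTTP" and "?" in target and any(
                se in target.split("/", 1)[0] for se in SEARCH_ENGINES):
            queries[src].append(ts)
    findings = defaultdict(set)
    for src, hosts in probed.items():
        if len(hosts) >= MIN_PROBED_HOSTS:
            findings[src].add("port-1034 probes")
    for src, stamps in queries.items():
        stamps.sort()  # sliding window: QUERY_BURST queries within WINDOW
        for i in range(len(stamps) - QUERY_BURST + 1):
            if stamps[i + QUERY_BURST - 1] - stamps[i] <= WINDOW:
                findings[src].add("search-engine query burst")
                break
    return {src: sorted(v) for src, v in findings.items()}
```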
MyDoom's interference with Google comes on the same day the company announces an expected stock price for its upcoming IPO. But Ullrich doesn't think the virus was targeting Google. "The distributed DoS is an unintended side effect," Ullrich says. "It wouldn't use four or five search engines if it were going to try to take one down."
As Ullrich pores over access logs and code from this MyDoom variant, one might picture him sitting in a high-tech data center with rows of terminals and huge monitors. In reality, this key outpost in the global fight against Internet crime is a cluttered office in a spare bedroom of his white, two-story house in a quiet neighborhood outside Boston. SANS Institute is headquartered in Bethesda, Md.
There are two desks, one for him and one for his wife, a high-tech consultant. Ullrich's desk has a box on it that one of his two cats likes to lounge in while he works. A rack holds computer CDs and music discs from a range of artists including Enya, Bach and The Grateful Dead. A red punching bag nearby comes in handy for those really stressful days, Ullrich says.
He is the only full-time staffer among the 30 ISC handlers who span the globe and are on duty 24-7. The rest are volunteers who take turns watching over the Internet. Most have other jobs and aren't expected to be awake for their entire 24-hour shift. All the ISC handlers have technical backgrounds with varying specialties.
Ullrich's other SANS responsibilities include overseeing its Web sites. Throughout the day, Ullrich's cell phone vibrates on the desk, signaling a new text message alert from the SANS Web servers. They are getting overloaded with traffic from folks looking for MyDoom information.