Released: January 29, 2004
Description of the W32.Mydoom.B@mm worm
W32.Mydoom.B@mm is a new variant of the W32.Mydoom@mm worm. Like its
predecessor, it spreads through email and the Kazaa network. It
spoofs its sender email address and carries a randomly named
attachment with one of the extensions .zip, .bat, .scr, .exe, .cmd
or .pif. For a detailed description of the email format, please refer
to the table below.
From:        Spoofed email addresses, or even your own address
Subject:     Random; may contain one of the following:
             Returned mail / Delivery Error / Status / Server Report /
             Mail Transaction Failed / Mail Delivery System / hello / hi
Body:        May contain one of the following messages:
             sendmail daemon reported:
             Error #804 occured during SMTP session. Partial message has been received.
             Mail transaction failed. Partial message is available.
             The message contains Unicode characters and has been sent as a binary attachment.
             The message contains MIME-encoded graphics and has been sent as a binary attachment.
             The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment:  A file with one of the following extensions:
             .zip, .bat, .scr, .exe, .cmd, .pif
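The table above is, in effect, a detection rule for a mail gateway. The following Python is an added example written for this page, not code from the advisory or from any vendor; it matches a raw RFC 822 message against the three indicator classes in the table (subject, body phrase, attachment extension) and quarantines only when an executable-type attachment is present together with a subject or body hit, because the subjects alone ("Returned mail", "Status") also occur on genuine bounce notices. The two sample messages are constructed for the example.

```python
import os
from email import message_from_string

# Indicators transcribed from the advisory's table; matching is case-insensitive.
WORM_SUBJECTS = {
    "returned mail", "delivery error", "status", "server report",
    "mail transaction failed", "mail delivery system", "hello", "hi",
}
WORM_BODY_PHRASES = (
    "error #804 occured during smtp session",   # spelled as the worm spells it
    "mail transaction failed. partial message is available",
    "has been sent as a binary attachment",
)
WORM_EXTENSIONS = {".zip", ".bat", ".scr", ".exe", ".cmd", ".pif"}


def indicator_hits(raw_message):
    """Return the indicator classes ('subject', 'body', 'attachment') that a
    raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in WORM_SUBJECTS:
        hits.append("subject")
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("latin-1", "replace").lower()
    if any(phrase in body for phrase in WORM_BODY_PHRASES):
        hits.append("body")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in WORM_EXTENSIONS:
            hits.append("attachment")
            break
    return hits


def should_quarantine(raw_message):
    """Quarantine only when an executable-type attachment is present together
    with a worm subject or body phrase; the subjects alone collide with
    genuine bounce notices."""
    hits = indicator_hits(raw_message)
    return "attachment" in hits and len(hits) > 1, hits


# Constructed sample messages (not captured worm traffic).
SAMPLE_WORM_LIKE = """\
From: someone@example.com
To: victim@example.net
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

The message contains Unicode characters and has been sent as a binary attachment.

--XYZ
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

SAMPLE_REAL_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: victim@example.net
Subject: Returned mail
Content-Type: text/plain; charset="us-ascii"

The original message was received at Thu, 29 Jan 2004 10:00:00 +0800
----- The following addresses had permanent fatal errors -----
<nobody@example.org>
"""

if __name__ == "__main__":
    for label, sample in (("worm-like", SAMPLE_WORM_LIKE), ("bounce", SAMPLE_REAL_BOUNCE)):
        verdict, hits = should_quarantine(sample)
        print(f"{label}: quarantine={verdict} hits={hits}")
```

The worm-like sample trips all three classes and is quarantined; the genuine bounce trips only the subject and is passed through, which is the false-positive case a gateway rule built from this table has to handle.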
Once the attachment is extracted and run by the recipient, the
worm copies itself to the Windows system folder as "explorer.exe"
and creates a startup key in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Explorer" = %sysdir%\explorer.exe
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Explorer" = %sysdir%\explorer.exe
The worm may also display an error dialog box, or open Windows
Notepad filled with nonsense characters.
The worm provides remote access by listening on TCP ports 80, 1080,
3128, 8080 or 10080. It also launches a DDoS attack against both
SCO.com and Microsoft.com.
The attack ends after March 1, 2004. Thereafter the worm stops
performing most of its routines, except for its backdoor functionality.
Known aliases
Please note that the W32.Mydoom.B@mm worm is also known by other names,
including Mydoom.B, W32/Mydoom.b@MM, WORM_MYDOOM.B, Win32.Mydoom.B,
I-Worm.Mydoom.b and W32/MyDoom-B.
Payload of the email worm
The worm sends itself to e-mail addresses collected from local files with
the following extensions: wab, adb, dbx, php, tbb, asp, sht, htm and txt.
It performs a DDoS attack against SCO.com and Microsoft.com, propagates
through Kazaa (a peer-to-peer file sharing application), and opens
ports 80, 1080, 3128 or 10080 in turn to listen for incoming backdoor
connections. If an anti-virus gateway is configured to send notification
messages to the sender address, the spoofed sender address is spammed.
The worm also overwrites the HOSTS file to prevent the infected machine
from accessing the following sites (including some well-known anti-virus
Web sites):
ca.com,
mcafee.com,
microsoft.com,
f-secure.com,
symantec.com,
nai.com,
networkassociates.com, and
trendmicro.com.
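The registry, backdoor-port and HOSTS-file behaviour described above gives a responder three host-side artifacts to check. The following Python is an added example for this page, not a tool from the advisory or from any vendor: it parses a constructed .reg export of the two Run keys, a constructed HOSTS file and constructed "netstat -an" output, and flags the combination the advisory describes. The %sysdir% path C:\WINDOWS\system32 is an assumption for the sample host; on a real machine the inputs would come from "reg export", %SystemRoot%\system32\drivers\etc\hosts and "netstat -an".

```python
import re

SYSDIR = r"C:\WINDOWS\system32"   # assumed %sysdir% of the sample host
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
BLOCKED_DOMAINS = {"ca.com", "mcafee.com", "microsoft.com", "f-secure.com",
                   "symantec.com", "nai.com", "networkassociates.com", "trendmicro.com"}
BACKDOOR_PORTS = {80, 1080, 3128, 8080, 10080}

# Constructed sample artifacts (a .reg export, a HOSTS file and "netstat -an"
# output); they are not captures from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system32\\explorer.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system32\\explorer.exe"
"""
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.symantec.com
0.0.0.0         liveupdate.symantec.com
0.0.0.0         download.microsoft.com
10.0.0.5        intranet.example.local
"""
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1034      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def suspicious_run_values(reg_text, sysdir=SYSDIR):
    """Return (key, name, data) for Run entries that launch explorer.exe from
    the system folder. The genuine Windows shell lives in %windir% and is
    started through the Winlogon Shell value, never from a Run key."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not (m and key and key.lower().endswith(RUN_KEY_SUFFIX)):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if data.lower() == (sysdir + r"\explorer.exe").lower():
            hits.append((key, name, data))
    return hits


def hijacked_hosts(hosts_text):
    """Return (ip, hostname) for HOSTS lines that pin a domain from the
    advisory's list, or any subdomain of it, overriding DNS for it."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            labels = name.lower().split(".")
            if any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels))):
                hits.append((ip, name))
    return hits


def backdoor_listeners(netstat_text):
    """Return sorted local TCP ports in LISTENING state that fall in the
    advisory's backdoor set. Ports 80 and 8080 are normal on web servers and
    proxies, so a hit is a lead to correlate with the other checks, not proof."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                ports.add(port)
    return sorted(ports)


def triage(reg_text, hosts_text, netstat_text):
    """Combine the three checks; the Run entry is the primary indicator and the
    other two corroborate it."""
    run, hosts, ports = (suspicious_run_values(reg_text), hijacked_hosts(hosts_text),
                         backdoor_listeners(netstat_text))
    return {"run_keys": run, "hosts": hosts, "ports": ports,
            "likely_infected": bool(run) and bool(hosts or ports)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_REG, SAMPLE_HOSTS, SAMPLE_NETSTAT))
```

The HOSTS check is the one worth keeping after cleanup: until those lines are removed, the machine cannot reach the vendor sites listed under "Look for cure" to fetch updated definitions.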
Look for a cure
New virus definitions are available from the following anti-virus
vendors to detect and remove this virus. Please click on the names
of the following anti-virus companies to go to their respective
Web sites.
Computer Associates | F-Secure | McAfee | Symantec
Note: Please follow the instructions of your anti-virus vendor
to remove the virus and repair your system.
Avoid the notification storm
To avoid the email storm caused by anti-virus gateways generating
a huge number of notification messages, you might want to disable
notification messages to the sender temporarily. These can be resumed
when the peak of the worm attack is well past.
More information
Computer Associates | F-Secure | McAfee | Network Box | Norman | Sophos | Symantec | Trend Micro