Released: January 26, 2004
Description of the W32.Mydoom@mm worm
W32.Mydoom@mm is a mass-mailing worm that spreads through email and
the Kazaa peer-to-peer network. It arrives as an email attachment with a
random filename and one of the extensions .zip, .bat, .scr, .exe, .cmd or .pif.
For a detailed description of the email format, please refer to the table below.
From:        Spoofed email addresses, possibly including your own address
Subject:     Random; may be one of the following:
             Test / Hi / hello / Mail Delivery System / Mail Transaction Failed /
             Server Report / Error / Status
Body:        May be one of the following messages:
             The message cannot be represented in 7-bit ASCII encoding and
             has been sent as a binary attachment.
             The message contains Unicode characters and has been sent as a
             binary attachment.
             Mail transaction failed. Partial message is available.
             Test
Attachment:  File with one of the following extensions:
             .zip, .bat, .scr, .exe, .cmd, .pif
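A mail-gateway check built from the indicators in the table above, as an added example that is not part of the original advisory or any vendor's tooling. It parses a raw RFC 822 message with Python's standard email module and reports which subject, body and attachment indicators matched. The two sample messages are constructed here for illustration, and the verdict rule (flag only when a worm-style attachment is present together with a subject or body match) is an assumption of this example, chosen so that an ordinary "Hi" email without a payload is not flagged.

```python
"""Indicator check for the W32.Mydoom@mm email format (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory's From/Subject/Body/Attachment table.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "error", "status"}
BODY_PHRASES = [
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
]
EXTENSIONS = (".zip", ".bat", ".scr", ".exe", ".cmd", ".pif")


def attachment_names(msg):
    """Return the filenames of all attachment parts (nested multiparts included)."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            names.append(name)
    return names


def score_message(raw: bytes) -> dict:
    """Match one raw message against the indicators and return what matched.

    Verdict rule (assumption of this example, not the advisory's): suspicious
    only when a worm-style attachment is present AND a subject or body matches.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "body": [], "attachments": []}

    subject = (msg.get("Subject") or "").strip().lower()
    hits["subject"] = subject in SUBJECTS

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits["body"] = [p for p in BODY_PHRASES if p in body]

    hits["attachments"] = [n for n in attachment_names(msg)
                           if n.lower().endswith(EXTENSIONS)]

    hits["suspicious"] = bool(hits["attachments"]) and (
        hits["subject"] or bool(hits["body"]))
    return hits


def build_sample(subject, body, attach_name=None) -> bytes:
    """Construct a sample message (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # the worm would spoof this
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(b"MZ...", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary.
WORM_LIKE = build_sample(
    "Mail Delivery System",
    "The message cannot be represented in 7-bit ASCII encoding and has "
    "been sent as a binary attachment.",
    "document.pif")
BENIGN = build_sample("Hi", "Lunch at noon?")

if __name__ == "__main__":
    print(score_message(WORM_LIKE))
    print(score_message(BENIGN))
```

Extension matching alone is a weak signal (the worm also shipped inside .zip files, which many legitimate mails carry), so the combination with the fixed subject and body strings is what makes the rule usable at a gateway; the body phrases are matched after decoding so quoted-printable or base64 encoded copies still hit.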
Once the attachment is extracted and run by the recipient, the
worm copies itself to the Windows system folder as "taskmon.exe"
and creates startup entries in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe
and
HKEY_CURRENT_USER\Software\Microsoft
\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe
These entries cause the worm to run every time Windows starts. When run
from the attachment, the worm opens Windows Notepad and fills it with
nonsense characters; it also opens a TCP port and listens on it for
incoming connections, giving an attacker remote access to the machine.
The worm also performs a DDoS attack against SCO.com. The attack is timed to run between
1 and 12 February 2004. After that date it stops performing most
of its routines, except for its backdoor functionality.
Known aliases
Please note that the W32.Mydoom@mm worm is also known by other names,
including W32.Novarg.A@MM, WORM_Mimail.R@MM, W32.Mydoom.A, W32/Shimg,
I-Worm.Novarg, Win32.Mydoom.A, Mydoom, W32/Mydoom@MM, W32/MyDoom-A etc.
Payload of the email worm
The worm sends itself to e-mail addresses collected from local files with
the following extensions: wab, adb, dbx, php, tbb, asp, sht, htm, and txt.
It performs a DDoS attack specifically against SCO.com, propagates through the
Kazaa peer-to-peer file-sharing network, and opens a backdoor: it tries TCP ports
3127 through 3198 in order and listens on the first one it can bind for
incoming connections.
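A host triage script for the persistence and backdoor indicators described above (the TaskMon Run values and the listener in the 3127 to 3198 port range), added here as an example that is not part of the original advisory or any vendor's removal tool. It works on two text artefacts an analyst would collect from a suspect Windows host: the output of "reg export" for the two Run keys, and the output of "netstat -ano". Both artefact texts below are constructed sample data, not real captures, and the PID value 1532 in them is made up.

```python
"""Triage of W32.Mydoom@mm host indicators from exported artefacts (added example)."""
import re

# The two Run keys named in the advisory; compared case-insensitively because
# reg export writes HKLM's "SOFTWARE" in upper case.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
BACKDOOR_PORTS = range(3127, 3199)   # 3127 through 3198 inclusive


def find_taskmon_values(reg_export: str) -> list:
    """Return (key, value_name, data) for Run values that launch taskmon.exe.

    Parses the ini-like "reg export" format: a [KEY] header line followed by
    "name"="data" lines, with backslashes doubled inside the data. The caller
    is expected to have decoded the file (reg export writes UTF-16LE) already.
    """
    findings = []
    current_key = None
    known = {k.lower() for k in RUN_KEYS}
    for line in reg_export.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current_key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current_key and current_key.lower() in known:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if data.lower().endswith("\\taskmon.exe"):
                findings.append((current_key, name, data))
    return findings


def find_backdoor_listeners(netstat_output: str) -> list:
    """Return (local_port, pid) for TCP sockets LISTENING on 3127-3198.

    The worm binds the first free port in the range, so the whole range is
    checked rather than 3127 alone.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                found.append((port, int(fields[4])))
    return found


def triage(reg_export: str, netstat_output: str) -> dict:
    """Combine both checks into one report."""
    return {"persistence": find_taskmon_values(reg_export),
            "listeners": find_backdoor_listeners(netstat_output)}


# Constructed sample of "reg export" output (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
'''

# Constructed sample of "netstat -ano" output (not a real capture; PID made up).
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:1044       10.0.0.7:80            ESTABLISHED     1532
'''

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT))
```

A hit in both checks with the same PID ties the listener back to the persisted binary; a listener in the range with no TaskMon value, or the reverse, is still worth a look, since an infected machine may have been partially cleaned or may run a different variant.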
Look for cure
New virus definitions are available from the following anti-virus
vendors to detect and remove this worm. Please click on the name
of an anti-virus company to go to its Web site.
Computer Associates
F-Secure
McAfee
Symantec
Note: Please follow the instructions of your anti-virus vendor
to remove the worm and repair your system.
More information
Computer Associates
F-Secure
McAfee
Network Box
Norman
Sophos
Symantec
Trend Micro