Sophos

W32/MyDoom-E


Summary

Protection available since 16 February 2004 04:14:10 (GMT)
Detected by All Sophos products

More Information

W32/MyDoom-E is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: wab, htm, txt, sht, php, asp, dbx, tbb, adb and pl.

W32/MyDoom-E uses randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics:

Subject lines:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts:
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames:
body
data
doc
document
file
message
readme
test
text
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR, or ZIP.
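The message characteristics listed above are enough to write a simple mail-gateway heuristic. The following is an added example, not code from Sophos or from the original page: it parses a raw RFC 822 message with Python's standard email library, checks the subject, body text and attachment name against the lists given on this page, and only reports a likely W32/MyDoom-E sample when an attachment with one of the listed extensions is paired with at least one other indicator. The sample messages it builds are constructed test data, and the function and constant names are the example's own.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List

# Indicators transcribed from the Sophos description of W32/MyDoom-E above.
# Subjects and attachment names that are "random collections of characters"
# cannot be listed, so a random-subject message is caught only through its
# attachment and body text.
MYDOOM_SUBJECTS = {
    "error", "hello", "hi", "mail delivery system",
    "mail transaction failed", "server report", "status", "test",
}
MYDOOM_BODY_TEXTS = {
    "test",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
}
MYDOOM_ATTACHMENT_STEMS = {
    "body", "data", "doc", "document", "file", "message", "readme", "test", "text",
}
MYDOOM_ATTACHMENT_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def mydoom_indicators(raw_message: bytes) -> List[str]:
    """Return the W32/MyDoom-E indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        if part.is_attachment():
            filename = part.get_filename() or ""
            stem, ext = os.path.splitext(filename.lower())
            if ext in MYDOOM_ATTACHMENT_EXTS:
                hits.append(f"attachment-ext:{ext}")
            if stem in MYDOOM_ATTACHMENT_STEMS:
                hits.append(f"attachment-name:{stem}")
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so a trailing newline does not defeat the match.
            text = " ".join(part.get_content().split()).lower()
            if text in MYDOOM_BODY_TEXTS:
                hits.append("body-text")
    return hits


def is_likely_mydoom(raw_message: bytes) -> bool:
    """Require a listed attachment extension plus at least one other indicator,
    so a lone 'hello' subject or a lone ZIP attachment does not trigger by itself."""
    hits = mydoom_indicators(raw_message)
    has_ext = any(h.startswith("attachment-ext:") for h in hits)
    others = [h for h in hits if not h.startswith("attachment-ext:")]
    return has_ext and len(others) > 0


def build_sample_message(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample_message(
        "Mail Transaction Failed",
        "Mail transaction failed. Partial message is available.",
        "document.pif")
    benign = build_sample_message(
        "Quarterly numbers", "See the attached spreadsheet.", "q1-figures.pdf")
    print(mydoom_indicators(suspicious), is_likely_mydoom(suspicious))
    print(mydoom_indicators(benign), is_likely_mydoom(benign))
```

The subject and attachment-name lists are short, common words, so matching any one of them alone would quarantine legitimate mail; pairing the extension check with a second indicator keeps the rule useful while still catching messages whose subject is random.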

The worm will also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:

activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-E copies itself to the Windows system folder as taskmon.exe and sets the following registry entry to point to that copy, so that it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon

Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.

W32/MyDoom-E will create the file shimgapi.dll in the Windows system or temp folder. This is a backdoor component loaded by the worm that lets outsiders connect to the machine on TCP port 3127. The DLL adds the following registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"
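The two registry entries and the backdoor port give a host-side check. The following is an added example, not Sophos code: it parses the subset of Windows .reg export syntax needed to read the Run key and the CLSID InProcServer32 default, flags a TaskMon Run value that points at taskmon.exe and a CLSID default that points at shimgapi.dll, and separately scans netstat-style output for a listener on TCP port 3127. The registry export and netstat text embedded below are constructed samples; the parser is deliberately minimal (string values only, no binary or multi-string data) and its function names are the example's own.

```python
import ntpath
import re
from typing import Dict, List

# Indicators transcribed from the Sophos description of W32/MyDoom-E above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
BACKDOOR_CLSID_KEY = (
    r"hkey_classes_root\clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32"
)
BACKDOOR_PORT = 3127

# The page abbreviates hives (HKLM, HKCR); .reg exports spell them out.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
}

# Matches  "Name"="value"  and the default value line  @="value"
VALUE_LINE = re.compile(r'^(?:@|"([^"]*)")="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and string values from a .reg export.
    Keys are lower-cased; the default value is stored under the name "@"."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive, sep, rest = key.partition("\\")
            current = (HIVE_ALIASES.get(hive.upper(), hive) + sep + rest).lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name = m.group(1) if m.group(1) is not None else "@"
                # .reg files escape backslashes in string values as "\\"
                keys[current][name.lower()] = m.group(2).replace("\\\\", "\\")
    return keys


def mydoom_registry_indicators(reg_export: str) -> List[str]:
    """Report the W32/MyDoom-E persistence entries present in a .reg export."""
    hits = []
    for key, values in parse_reg_export(reg_export).items():
        if key.endswith(RUN_KEY_SUFFIX):
            target = values.get("taskmon")
            if target and ntpath.basename(target).lower() == "taskmon.exe":
                hits.append(f"run-key TaskMon -> {target}")
        if key == BACKDOOR_CLSID_KEY:
            target = values.get("@", "")
            if ntpath.basename(target).lower() == "shimgapi.dll":
                hits.append(f"clsid InProcServer32 -> {target}")
    return hits


NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def backdoor_port_listening(netstat_output: str) -> bool:
    """True if netstat -an style output shows a TCP listener on the backdoor port."""
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            return True
    return False


# Constructed sample data, not captured from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
"Sample"="C:\\Program Files\\Sample\\sample.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for hit in mydoom_registry_indicators(SAMPLE_REG):
        print("registry:", hit)
    print("port 3127 listening:", backdoor_port_listening(SAMPLE_NETSTAT))
```

The Run-key check reports the full path it found, so on Windows 95/98/Me an analyst can tell the worm's copy in the system folder apart from the legitimate taskmon.exe that lives in the Windows folder, as the note above warns.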

Between 1st February 2004 and 14th February 2006, the worm will attempt a denial-of-service attack on www.sco.com. After 14th February 2006, W32/MyDoom-E will no longer spread; however, it will still run the backdoor component.
