Sophos

W32/MyDoom-X


Summary

How it spreads
  • Email messages
  • Network shares
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 14 September 2004 08:11:14 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/MyDoom-X is a worm for the Windows platform.

Sophos anti-virus products since version 3.85 have been capable of detecting this worm as W32/Mydoom-Gen without requiring an update.

W32/MyDoom-X is a mass mailer that also spreads by copying itself to available shared folders.

W32/MyDoom-X spoofs the sender address on email sent by the worm.

It constructs the sender name from predefined lists and pairs it with an email address built either from the chosen last name or from a random part of one of those names with one or more random characters appended, at one of the following domains:

cox.net
yahoo.com
msn.com
yahoo.co.uk
t-online.de
gmx.net
hotmail.com
aol.com
mail.com
dailymail.co.uk

W32/MyDoom-X will attempt to avoid sending itself to email addresses containing any of the following strings:

'icrosof'
'borlan'
'inpris'
'example'
'mydomai'
'nodomai'
'ruslis'
'berkeley'
'ibm.com'
'kernel'
'usenet'
'rfc-ed'
'sendmail'
'acketst'
'tanford.e'
'utgers.ed'
'mozilla'
'be_loyal:'
'samples'
'postmaster'
'webmaster'
'nobody'
'nothing'
'anyone'
'someone'
'rating'
'contact'
'somebody'
'privacy'
'service'
'submit'
'gold-certs'
'the.bat'
'microsoft'
'support'
'listserv'
'certific'
'google'
'account'

The worm obtains email addresses to send itself to from files on the local hard disk.

W32/MyDoom-X copies itself to the Windows folder with the filename oz2.exe and to the Windows system folder with the filename oz11111.exe, and sets the following registry entries correspondingly:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\oz2
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\www.symantec.com

W32/MyDoom-X also creates the following files in the Windows system folder:

\<Windows>\<system>\About_Mydoom.txt
\<Windows>\<system>\Doompic.jpg
\<Windows>\<system>\Downxz.bat
\<Windows>\<system>\log32zx.exe
\<Temp>\services.exe

where the text file contains the worm's information, Downxz.bat is a variant of a downloader Trojan detected as Troj/Delf-FE, log32zx.exe is a Yahoo key logger detected as Troj/Keylog-AA, and services.exe is detected as W32/MyDoom-O.

In order to run them automatically when Windows starts up, W32/MyDoom-X creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Downxz
with the path to downxz.bat

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows updaterD
with the path to log32zx.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services
with the path to services.exe

W32/MyDoom-X checks for an internet connection and, if the host www.symantec.com is reachable, initiates a DDoS attack against it starting on 29 September 2004 at 2.00.25pm and lasting until 29 October 2004 at 2.00.25pm.
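The following Python checker is an added example, not Sophos tooling: it flags the Run-key values and dropped files named above in a snapshot of a host. The snapshot dictionary, the default system-folder path and the pairing of the oz2 / www.symantec.com values with oz2.exe / oz11111.exe are assumptions drawn from the text.

```python
import ntpath

# Value name -> launched file under HKLM\...\CurrentVersion\Run, from the
# write-up. Pairing oz2 with oz2.exe and www.symantec.com with oz11111.exe
# follows the order the text lists them in (the text only says "correspondingly").
RUN_VALUES = {"oz2": "oz2.exe", "www.symantec.com": "oz11111.exe",
              "downxz": "downxz.bat", "microsoft windows updaterd": "log32zx.exe",
              "services": "services.exe"}
# Files the worm writes; matched on basename, case-insensitively.
DROPPED_FILES = {"oz2.exe", "oz11111.exe", "about_mydoom.txt", "doompic.jpg",
                 "downxz.bat", "log32zx.exe", "services.exe"}

def _program_basename(command):
    """Lowercase basename of the program in a Run-key command line."""
    cmd = command.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return ntpath.basename(prog).lower()

def suspicious_run_values(run_values):
    """run_values: {value_name: command} read from the Run key.
    Returns sorted (value_name, reason) pairs matching the worm's persistence."""
    hits = []
    for name, command in run_values.items():
        exe = _program_basename(command)
        if RUN_VALUES.get(name.lower()) == exe:
            hits.append((name, "worm persistence value launching " + exe))
        elif exe in DROPPED_FILES:
            hits.append((name, "launches worm-named file " + exe))
    return sorted(hits)

def suspicious_files(paths, system_dir=r"C:\WINDOWS\system32"):
    """Paths whose basename matches a dropped file. The legitimate services.exe
    lives in the system folder, so that name is only flagged elsewhere (the
    worm writes its copy to %TEMP%)."""
    hits = []
    for p in paths:
        base = ntpath.basename(p).lower()
        in_system = ntpath.dirname(p).lower() == system_dir.lower()
        if base in DROPPED_FILES and not (base == "services.exe" and in_system):
            hits.append(p)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed snapshot of a fictitious host; on a real machine fill it from winreg and os.listdir.
    run = {"oz2": r"C:\WINDOWS\oz2.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
           "Services": r'"C:\DOCUME~1\owner\LOCALS~1\Temp\services.exe"'}
    files = [r"C:\WINDOWS\system32\About_Mydoom.txt", r"C:\WINDOWS\system32\services.exe"]
    for hit in suspicious_run_values(run) + suspicious_files(files):
        print(hit)
```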
