Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 9 April 2005 15:39:12 (GMT) |
| Detected by | All Sophos products |
Action
If you are running Sophos Anti-Virus for Windows, version 6.0, you should follow our instructions for removing worms.
If you use any of our other products for Windows NT/2000/XP/2003 and Windows 95/98/Me, please read the instructions for removing W32/MyDoom-AJ.
More Information
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/MyDoom-AJ (detected as W32/MyDoom-Gen) since version 3.92.
W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the LSASS (MS04-011) exploit.
When first run, the worm copies itself to the Windows system folder as mathchk.exe and creates the following registry entries so as to auto-start (under each key, the value name is shown followed by its data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    RealPlayer Ath Check = mathchk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    RealPlayer Ath Check = mathchk.exe

HKLM\Software\Microsoft\OLE
    RealPlayer Ath Check = mathchk.exe

HKLM\System\CurrentControlSet\Control\Lsa
    RealPlayer Ath Check = mathchk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    RealPlayer Ath Check = mathchk.exe

HKCU\Software\Microsoft\OLE
    RealPlayer Ath Check = mathchk.exe

HKCU\System\CurrentControlSet\Control\Lsa
    RealPlayer Ath Check = mathchk.exe
The worm will attempt to harvest email addresses from files on the local hard disk.
Emails sent by W32/MyDoom-AJ have the following characteristics:
Subject line chosen from one of the following, possibly in all upper case or all in lower case:

- Good day
- Hello
- Server Report
- Status
- <blank>

Message text chosen from:

- Mail transaction failed. Partial message is available.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- The original message was included as an attachment.
- <junk>

Attached filename chosen from the following, with an extension chosen from (bat cmd exe scr pif zip):

- body
- data
- doc
- document
- file
- message
- readme
- text
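The subject, body and attachment lists above can be turned into a mail-gateway check. The following is an added example, not Sophos code: it parses a raw RFC 822 message with Python's standard library and reports which of the worm's indicators it matches, requiring the attachment name and extension to come from the lists and treating subject and body as corroborating signals (the body may be junk). The sample message is constructed, not a real capture.

```python
import os
from email import message_from_bytes, policy

# Indicator lists from the description above; matching is case-insensitive.
SUBJECTS = {"good day", "hello", "server report", "status", ""}
BODY_TEXTS = {
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "text"}
ATTACH_EXTS = {".bat", ".cmd", ".exe", ".scr", ".pif", ".zip"}

def matches_mydoom_aj(subject, body, attachment_name):
    """Matched indicators in check order ([] = no match). The attachment is
    required; subject and body only corroborate (the worm may send junk)."""
    stem, ext = os.path.splitext(attachment_name or "")
    if stem.lower() not in ATTACH_NAMES or ext.lower() not in ATTACH_EXTS:
        return []
    indicators = ["attachment"]
    if (subject or "").strip().lower() in SUBJECTS:
        indicators.append("subject")
    if " ".join((body or "").split()).lower() in BODY_TEXTS:
        indicators.append("body")
    return indicators

def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and check every attachment it carries."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content() if text_part is not None else ""
    hits = [matches_mydoom_aj(msg["Subject"], text, part.get_filename())
            for part in msg.iter_attachments()]
    return max(hits, key=len, default=[])

# Constructed sample (not a real capture) shaped like the description above.
SAMPLE = b"""Subject: SERVER REPORT
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

The original message was included as an attachment.
--sep
Content-Disposition: attachment; filename="document.scr"

not-a-real-payload
--sep--
"""
```

Run `scan_message(SAMPLE)` to get `['attachment', 'subject', 'body']`; a message whose attachment name or extension is not on the lists returns an empty list regardless of its subject.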
