Sophos

W32/MyDoom-A

Aliases
  • Mimail.R
  • Novarg.A
  • Shimg
  • W32.Novarg.A@mm
  • W32/Mydoom@MM

Summary

 
Included in our products from March 2004 (3.79)
Protection available since 27 January 2004 00:31:29 (GMT)
Detected by All Sophos products

More Information

W32/MyDoom-A is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.

W32/MyDoom-A creates a file called Message in the temp folder and opens it in Notepad; the file contains only random characters.

W32/MyDoom-A spoofs the sender: the "From:" address, like the "To:" address and the subject line, is chosen at random, so the apparent sender is not the infected machine and any bounces go to an uninvolved third party. The emails distributing this worm have the following characteristics.

Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
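
The lure characteristics above are enough for a simple mail-gateway triage rule. The following Python is an added example, not Sophos code: the subject, message-text, attachment-name and extension lists are copied from this page, while the scoring weights, the threshold and the sample messages are constructed for illustration.

```python
"""Triage incoming mail against the W32/MyDoom-A lure characteristics.

Added example (not Sophos code). The four lists below are taken from the
page; the weights, the threshold and the sample messages are constructed.
"""

SUBJECTS = {
    "error", "hello", "hi", "mail delivery system", "mail transaction failed",
    "server report", "status", "test",
}
# Longer message texts are matched as substrings; the one-word text "test"
# is matched only as the whole body so that words like "latest" do not hit.
BODY_PHRASES = (
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "the message contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def _norm(text):
    """Lower-case and collapse whitespace so wrapped or re-cased text still matches."""
    return " ".join(text.lower().split())


def score_message(subject, body, attachments):
    """Return (score, reasons) for one message; attachments is a list of filenames.

    An attachment whose basename and extension both come from the worm's lists is
    the strongest signal; a listed extension alone is weak, because many legitimate
    mails carry .zip or .exe files. The subject list is ordinary words, so a
    subject match on its own never reaches the threshold.
    """
    score, reasons = 0, []
    if _norm(subject) in SUBJECTS:
        score += 1
        reasons.append(f"subject {subject!r} is one of the worm's subject lines")
    body_n = _norm(body)
    if body_n == "test" or any(p in body_n for p in BODY_PHRASES):
        score += 2
        reasons.append("body matches one of the worm's message texts")
    for name in attachments:
        stem, _, ext = name.lower().rpartition(".")
        if ext not in ATTACH_EXTS:
            continue
        if stem in ATTACH_NAMES:
            score += 3
            reasons.append(f"attachment {name!r}: listed name and listed extension")
        else:
            # The worm also uses random-character names, so a listed
            # extension alone still counts, just less.
            score += 1
            reasons.append(f"attachment {name!r}: listed extension")
    return score, reasons


def is_suspect(subject, body, attachments, threshold=3):
    """True when the combined score reaches the (constructed) threshold."""
    return score_message(subject, body, attachments)[0] >= threshold


# Constructed sample messages: an NDR-style lure, a normal business mail,
# a lure with a listed attachment name, a harmless one-word mail, and a
# random-named executable with a listed subject (weak signal only).
SAMPLE_MESSAGES = [
    ("Mail Transaction Failed",
     "Mail transaction failed. Partial message is available.",
     ["document.zip"]),
    ("Quarterly numbers", "Hi, the figures are attached.", ["q1-figures.xlsx"]),
    ("hi", "see attached", ["readme.pif"]),
    ("test", "hello", []),
    ("status", "", ["gxq7.scr"]),
]

if __name__ == "__main__":
    for subj, body, atts in SAMPLE_MESSAGES:
        score, reasons = score_message(subj, body, atts)
        verdict = "SUSPECT" if is_suspect(subj, body, atts) else "ok"
        print(f"{score:2d} {verdict:7s} {subj!r}: {reasons}")
```

The threshold is deliberately above what a subject or an extension alone can produce: "hi" with a .zip attachment is everyday mail, whereas a listed body text or a listed attachment name with a listed extension is not.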

W32/MyDoom-A will not send itself to a recipient address that meets any of the following conditions:

  • The domain part contains one of the following strings: acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e, unix, usenet, utgers.ed. As a consequence the worm does not forward itself to a number of email domains, including several anti-virus companies, Microsoft, and .gov and .mil addresses.
  • The username part contains one of the following strings: abuse, anyone, bugs, ca, contact, feste, gold-certs, help, info, me, no, noone, nobody, not, nothing, page, postmaster, privacy, rating, root, samples, secur, service, site, spm, soft, somebody, someone, submit, the.bat, webmaster, you, your, www. This also keeps copies away from abuse, postmaster and security mailboxes.
  • The whole address contains one of the following strings: admin, accoun, bsd, certific, google, icrosoft, linux, listserv, ntivi, spam, support, unix

The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-A creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me there is a legitimate file called taskmon.exe in the Windows folder; the worm's copy is in the System or Temp folder, so check the file's location before removing it.

W32/MyDoom-A also drops a file named shimgapi.dll into the temp or system folder. This is a backdoor component, loaded by the worm, that allows outsiders to connect to TCP port 3127 on the infected machine. The following registry entry causes the DLL to be loaded at startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"

The worm will also add the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
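
A scan of a registry export for the three persistence artefacts above, as an added example that is not Sophos code. It parses the text format written by regedit's export function (.reg); the SAMPLE_REG excerpt is constructed, the severity labels are my own, and the ComDlg32 keys are reported as informational only, because the page lists them as added by the worm without saying that their presence is unique to it.

```python
"""Scan a regedit export (.reg) for the W32/MyDoom-A persistence entries.

Added example, not Sophos code. SAMPLE_REG is a constructed excerpt; the
severity labels ("high", "review", "info") are my own.
"""
import re

MYDOOM_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
COMDLG_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\comdlg32",
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\comdlg32",
}
INPROC_KEY = (r"hkey_classes_root\clsid\%s\inprocserver32" % MYDOOM_CLSID).lower()

# A value line is either @=data (the default value) or "name"=data.
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _norm_key(key):
    """Lower-case and map the HKLM\\SOFTWARE\\Classes view onto HKCR."""
    k = key.lower()
    prefix = r"hkey_local_machine\software\classes" + "\\"
    if k.startswith(prefix):
        k = "hkey_classes_root\\" + k[len(prefix):]
    return k


def parse_reg(text):
    """Yield (key, name, data) per value; a bare key yields (key, None, None).

    Only quoted string (REG_SZ) data is unescaped; other types are returned raw.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = _VALUE.match(line) if key else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        yield key, name, data


def scan(text):
    """Return a list of (severity, key, detail) findings for the MyDoom-A artefacts."""
    findings = []
    for key, name, data in parse_reg(text):
        k = _norm_key(key)
        if name is None:
            if k in COMDLG_KEYS:
                findings.append(("info", key,
                                 "ComDlg32 key present; MyDoom-A adds it, but presence alone is not conclusive"))
            continue
        d = data.lower()
        if k in RUN_KEYS and (name.lower() == "taskmon" or d.endswith("taskmon.exe")):
            # The page's entry is Taskmon = taskmon.exe; any other Run value pointing at a
            # taskmon.exe gets "review" because 95/98/Me ship a legitimate one in the Windows folder.
            sev = "high" if name.lower() == "taskmon" else "review"
            findings.append((sev, key,
                             f'Run value "{name}"="{data}"; legitimate taskmon.exe lives in the Windows '
                             f"folder on 95/98/Me, the worm's copy in the System or Temp folder"))
        elif k == INPROC_KEY and name == "" and d.endswith("shimgapi.dll"):
            findings.append(("high", key,
                             f"InProcServer32 default is {data}: MyDoom-A backdoor DLL (listens on TCP 3127)"))
    return findings


# Constructed excerpt of an export from an infected machine, with two
# unrelated values mixed in to show they are not reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="taskmon.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Users\\me\\notes.exe"
"""

if __name__ == "__main__":
    for sev, key, detail in scan(SAMPLE_REG):
        print(f"[{sev}] {key}\n    {detail}")
```

The same scan works on a live system by exporting the Run keys and the CLSID branch with regedit and feeding the file in; the CLSID check accepts both the HKCR spelling used on this page and the HKLM\SOFTWARE\Classes path an export of the machine hive will show.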

Between the 1st and 12th February 2004 the worm attempts a denial-of-service attack against www.sco.com, sending numerous GET requests to the web server.

After the 12th February 2004 W32/MyDoom-A no longer spreads, due to an expiry date set in the code. It does, however, still run the backdoor component, so an infected machine that was never cleaned remains reachable on TCP port 3127 after that date.
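
Both network behaviours described above, the GET flood against www.sco.com and the backdoor on TCP port 3127, can be picked out of connection logs. The Python below is an added example, not Sophos code; the comma-separated flow-log format, the addresses (RFC 5737 documentation ranges, with 198.51.100.20 standing in for the www.sco.com server) and the thresholds are constructed assumptions.

```python
"""Pick the two W32/MyDoom-A network behaviours out of a connection log.

Added example, not Sophos code. The log format is a constructed CSV
(ts,src_ip,src_port,dst_ip,dst_port,proto,http_host,http_method); the
addresses are RFC 5737 documentation ranges and 198.51.100.20 stands in
for the www.sco.com server. The thresholds are constructed too.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

BACKDOOR_PORT = 3127
DOS_TARGET = "www.sco.com"


def parse_log(text):
    """Parse the constructed CSV flow log into dicts; '#' lines and blanks are skipped."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, host, method = line.split(",")
        recs.append({"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "proto": proto.lower(),
                     "host": host.lower(), "method": method.upper()})
    return recs


def backdoor_connections(recs, internal_nets):
    """Map each internal host that accepted TCP/3127 from outside to its external peers.

    Only outsider-to-internal connections are reported, which is the access the
    page describes; a legitimate service on 3127 would also match, so confirm
    with the taskmon.exe / shimgapi.dll artefacts before acting.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    peers = defaultdict(set)
    for r in recs:
        if (r["proto"] == "tcp" and r["dport"] == BACKDOOR_PORT
                and internal(r["dst"]) and not internal(r["src"])):
            peers[r["dst"]].add(r["src"])
    return {host: sorted(p) for host, p in peers.items()}


def sco_get_flood(recs, window_seconds=60, threshold=10):
    """Return {src_ip: most GETs to www.sco.com in any window} for sources at or over threshold.

    A sliding window over sorted timestamps separates a browsing user (a few
    requests minutes apart) from the worm's request stream.
    """
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for r in recs:
        if r["method"] == "GET" and r["host"] == DOS_TARGET:
            per_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


# Constructed sample: 192.0.2.0/24 is the internal network.
_BASE = [
    # two outside hosts connect to the backdoor port on 192.0.2.15 after the
    # 12 Feb expiry, when the worm no longer mails itself but the backdoor is still up
    "2004-02-14T09:12:01,203.0.113.7,51234,192.0.2.15,3127,tcp,,",
    "2004-02-14T09:12:30,203.0.113.7,51240,192.0.2.15,3127,tcp,,",
    "2004-02-14T11:40:12,198.51.100.77,40001,192.0.2.15,3127,tcp,,",
    # an internal client reaching 3127 on the same host is not an outsider, so not reported
    "2004-02-03T10:00:00,192.0.2.40,1060,192.0.2.15,3127,tcp,,",
    # ordinary browsing of the target site by another internal host
    "2004-02-03T10:00:00,192.0.2.40,1050,198.51.100.20,80,tcp,www.sco.com,GET",
    "2004-02-03T10:05:00,192.0.2.40,1051,198.51.100.20,80,tcp,www.sco.com,GET",
]
# twenty GETs in twenty seconds from the infected host during the DoS window
_FLOOD = [f"2004-02-03T10:00:{i:02d},192.0.2.15,{1100 + i},198.51.100.20,80,tcp,www.sco.com,GET"
          for i in range(20)]
SAMPLE_LOG = "\n".join(_BASE + _FLOOD)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("backdoor access:", backdoor_connections(recs, ["192.0.2.0/24"]))
    print("GET flood:", sco_get_flood(recs))
```

The flood check is not date-gated on purpose: the 1 to 12 February 2004 window matters for attribution, but the port 3127 check is the one that still finds a machine that was infected and never cleaned.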

Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack
