Mydoom.f

02/25/04 - Mydoom.f only infects systems running Microsoft Windows.

If you think that you may be infected with Mydoom and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

adb
asp
dbx
eml
hp
htm
mbx
mht
mmf
msg
nch
ods
oft
pl
rtf
sht
tbb
txt
uin
vbs
wab

The virus sends itself via SMTP, constructing messages using its own SMTP engine. It queries the DNS server for the MX record of the targeted domain, connects directly to that domain's MTA, and sends the message.
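One way to spot the direct-to-MX mailing behaviour described above from the network side, shown as an added example that is not part of the original alert: flag workstations that open SMTP connections to hosts other than the site's mail relay. The relay address, workstation subnet, threshold and log format are assumptions, and the flow records are constructed sample data.

```python
import ipaddress

# Assumed site values (not from the alert); replace with your own.
MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}      # sanctioned outbound relay
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")  # desktop subnet
THRESHOLD = 3  # distinct non-relay MTAs contacted before a host is flagged

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2004-02-25T09:00:01 10.20.4.17 192.0.2.25 25 tcp
2004-02-25T09:00:05 10.20.7.88 198.51.100.10 25 tcp
2004-02-25T09:00:06 10.20.7.88 203.0.113.5 25 tcp
2004-02-25T09:00:06 10.20.7.88 203.0.113.5 25 tcp
2004-02-25T09:00:09 10.20.7.88 203.0.113.77 25 tcp
2004-02-25T09:01:00 10.20.9.2 198.51.100.10 25 tcp
2004-02-25T09:01:02 10.20.9.2 198.51.100.44 80 tcp
2004-02-25T09:01:30 10.30.0.5 203.0.113.5 25 tcp
2004-02-25T09:02:00 10.20.7.88 not-an-ip 25 tcp
"""

def parse_flows(text):
    """Yield (src, dst, port) for each well-formed TCP flow line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        try:
            yield (ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]),
                   int(parts[3]))
        except ValueError:
            continue  # skip malformed addresses or ports

def direct_smtp_senders(text, threshold=THRESHOLD):
    """Map each workstation to its count of distinct non-relay SMTP
    destinations, keeping only hosts at or above the threshold."""
    dests = {}
    for src, dst, port in parse_flows(text):
        # Only workstation traffic to port 25 that bypasses the relay matters.
        if port != 25 or src not in WORKSTATION_NET or dst in MAIL_RELAYS:
            continue
        dests.setdefault(str(src), set()).add(dst)
    return {h: len(d) for h, d in dests.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, count in direct_smtp_senders(SAMPLE_FLOWS).items():
        print(f"{host} contacted {count} external MTAs directly")
```

Blocking outbound TCP port 25 from workstation subnets at the firewall, so that only the relay can send mail, turns the same observation into a control.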

The worm avoids certain addresses, namely those containing the following strings:

.gov
.mil
acketst
arin.
avp
berkeley
borlan
bsd
essagela
example
fido
foo.
fsf.
gnu
mit.e
google
gov.
hotmail
iana
ibm.com
icrosof
ietf
inpris
irix
isc.o
isi.e
kernel
linux
msn.
math
mozilla
mydoma
nai.co
nodoma
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sgi.com
slashdot
solaris
sopho
sourcef
sun.com
suppo
syma
tanford.e
unix
usenet
utgers.ed

Additionally, the worm contains strings which it prepends to the harvested domain names:

alex
billsmith
james
jerry
jim
john
sam

Removal instructions can be found on this page:

http://vil.nai.com/vil/content/v_101038.htm

Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger

More info on this worm:
http://vil.nai.com/vil/content/v_101038.htm
