W32/Mydoom.o@MM

08/10/04 - W32/Mydoom.o@MM spreads via e-mail. It follows the routine below:

This new variant of W32/Mydoom is packed with UPX. Like previous variants, it has the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • contains a peer to peer propagation routine

Mail Propagation

From: (spoofed From: header)
Do not assume that the sender address indicates that the sender is infected. You may also receive alert messages from a mail server claiming that you are infected; because the From: address is spoofed, this may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)

The following display names are used in this case:

  • "Automatic Email Delivery Software"
  • "Bounced mail"
  • "MAILER-DAEMON"
  • "Mail Administrator"
  • "Mail Delivery Subsystem"
  • "Post Office"
  • "Returned mail"
  • "The Post Office"

Subject:
The following subjects are used:

  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body:
The virus constructs messages from pools of strings it carries in its body. For example:

Attachment:
The attachment may be an EXE file with one of the following extensions:

  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD

It may also be a copy of the worm within a ZIP file (possibly doubly ZIPped). In this case the extension is:

  • ZIP

The attachment may use the target email address name as the filename, in addition to the following:

  • README
  • INSTRUCTION
  • TRANSCRIPT
  • MAIL
  • LETTER
  • FILE
  • TEXT
  • ATTACHMENT
  • DOCUMENT
  • MESSAGE

The attachment may use a double extension, and there may be multiple spaces inserted between the file extensions to deceive users.
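As an added example (not part of this alert and not McAfee's tooling), the following Python filter checks one message against the sender, subject and attachment indicators listed above, including the padded double extension. The sample message it parses is constructed here, and the indicator names it returns are my own choice.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Indicator lists transcribed from the alert above, lower-cased for matching.
BOUNCE_LOCALPARTS = {"mailer-daemon", "noreply"}
BOUNCE_DISPLAY_NAMES = {"automatic email delivery software", "bounced mail",
    "mailer-daemon", "mail administrator", "mail delivery subsystem",
    "post office", "returned mail", "the post office"}
SUBJECTS = {"hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail", "returned mail: see transcript for details",
    "returned mail: data format error"}
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "zip"}
ATTACH_NAMES = {"readme", "instruction", "transcript", "mail", "letter",
    "file", "text", "attachment", "document", "message"}

def attachment_indicators(filename):
    """Indicator names matched by one attachment filename."""
    hits, parts = [], filename.lower().split(".")
    if parts[-1].strip() in EXEC_EXTS:
        hits.append("exec-extension")
    if len(parts) > 2:                  # e.g. transcript.txt      .scr
        hits.append("double-extension")
    if re.search(r" {2,}", filename):   # padding pushes the real extension out of view
        hits.append("space-padding")
    if parts[0].strip() in ATTACH_NAMES:
        hits.append("known-basename")
    return hits

def mydoom_indicators(raw_message):
    """Indicator names found in the headers and attachments of one message."""
    msg, hits = message_from_string(raw_message), []
    display, addr = parseaddr(msg.get("From", ""))
    if addr.split("@")[0].lower() in BOUNCE_LOCALPARTS:
        hits.append("bounce-sender")
    if display.strip().lower() in BOUNCE_DISPLAY_NAMES:
        hits.append("bounce-display-name")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("known-subject")
    for name in filter(None, (p.get_filename() for p in msg.walk())):
        hits += attachment_indicators(name)   # container and text body parts have no filename
    return hits

SAMPLE = "\n".join([  # constructed sample, not a real capture
    'From: "Mail Delivery Subsystem" <mailer-daemon@example.edu>',
    "Subject: Returned mail: see transcript for details",
    'Content-Type: multipart/mixed; boundary="b1"', "", "--b1", "Content-Type: text/plain",
    "", "Delivery to user@example.edu failed.", "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="transcript.txt      .scr"', "",
    "(payload omitted)", "--b1--", ""])
```

A message that matches several indicators at once (bounce-styled sender plus an executable double extension) is a far stronger signal than any single one, since genuine bounces never carry an executable attachment.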

More info on this worm:
http://vil.nai.com/vil/content/v_127033.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_127033.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
