W32/Mydoom.s@MM

08/16/04 - W32/Mydoom.s@MM

This virus is received in an email message as follows:

Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe

When the attachment is run, the virus copies itself to the WINDOWS (%WinDir%) directory as rasor38a.dll, and to the SYSTEM (%SysDir%) directory as winpsd.exe.

The virus creates the following registry key values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus downloads a backdoor component from 2 different websites:

www.richcolour.com
zenandjuice.com

The backdoor component is detected as BackDoor-CHR with the specified DAT files.

Symptoms
Presence of the files rasor38a.dll and winpsd.exe.
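The lure message and the dropped-file/Run-key indicators above can be turned into a simple triage check. The following is an added example, not part of the original alert or of the vendor's tools; it assumes a host inventory (file paths and HKLM Run values) exported by whatever inventory or EDR tool is in use, and embeds a constructed sample so it runs offline.

```python
import ntpath

# Indicators transcribed from the advisory above.
DROPPED_FILES = {"%WinDir%": "rasor38a.dll", "%SysDir%": "winpsd.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winpsd"
LURE_SUBJECT = "photos"
LURE_ATTACHMENT = "photos_arc.exe"

def expand(path, env):
    """Replace %WinDir% / %SysDir% with the host's real directories."""
    for var, real in env.items():
        path = path.replace(var, real)
    return path

def check_host(files_present, run_values, env):
    """Return indicator matches for one host.

    files_present: absolute paths found on disk (from an inventory export)
    run_values:    {value name: data} read from the HKLM ...\\Run key
    env:           {"%WinDir%": r"C:\\WINDOWS", "%SysDir%": r"C:\\WINDOWS\\System32"}
    Comparison is case-insensitive because NTFS paths and registry names are.
    """
    present = {p.lower() for p in files_present}
    hits = []
    for var, name in DROPPED_FILES.items():
        full = ntpath.join(expand(var, env), name)
        if full.lower() in present:
            hits.append(f"dropped file: {full}")
    for name, data in run_values.items():
        # Match on the value name or on the launched binary, in case the
        # value name differs but the target file is the same.
        if name.lower() == RUN_VALUE or ntpath.basename(data).lower() == "winpsd.exe":
            hits.append(f'persistence: {RUN_KEY} "{name}" = {data}')
    return hits

def check_mail(subject, attachments):
    """Flag a message matching the lure described in the advisory."""
    subj_hit = subject.strip().lower() == LURE_SUBJECT
    att_hit = any(a.lower() == LURE_ATTACHMENT for a in attachments)
    return subj_hit and att_hit

# Constructed sample inventory (not from a real host) to exercise the checks.
SAMPLE_ENV = {"%WinDir%": r"C:\WINDOWS", "%SysDir%": r"C:\WINDOWS\System32"}
SAMPLE_FILES = [r"C:\WINDOWS\rasor38a.dll", r"C:\WINDOWS\System32\WINPSD.EXE",
                r"C:\WINDOWS\notepad.exe"]
SAMPLE_RUN = {"winpsd": r"C:\WINDOWS\System32\winpsd.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for hit in check_host(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_ENV):
        print(hit)
    print("lure match:", check_mail("photos", ["photos_arc.exe"]))
```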

Method Of Infection
This virus spreads via email. Victims must manually choose to execute the infected attachment. Once running, the virus harvests addresses from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
txt
wab
The virus then mails itself to the addresses it obtained.

More info on this worm:
http://vil.nai.com/vil/content/v_127616.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_127616.htm

Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
