Virus Characteristics: This variant W32/Mydoom is similar to previous variants, it bears the following characteristics: mass-mailing worm constructing messages using its own SMTP engine harvests email addresses from the victim machine spoofs the From: address contains a peer to peer propagation routine downloads the BackDoor-CEB.f trojan Trend Micro; WORM_MYDOOM.BB <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=3DWORM_MYDO= OM.BB> As of February 16, 2005, 05:31 PM (GMT - 08:00, Pacific Standard Time) Trendlabs received numerous reports of new samples of the mass mailer WORM_MYDOOM.M, rapidly spreading in Singapore and in the U.S. Earlier samples of this worm are known to be compressed using UPX. However, new samples recieved by Trend Micro have been found to be compressed using MEW. These new samples are now detected as WORM_MYDOOM.BB. WORM_MYDOOM.BB is similar to WORM_MYDOOM.M in almost all aspects, save for the compression used. Like earlier variants, this worm spreads via email through SMTP (Simple Mail Transfer Protocol), gathering target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives. Notably, it skips email addresses that contain certain strings. When it finds an email address, it gets the domain name of that email address and queries the following search engines to search for email addresses in the same domain: http://search.lycos.com http://www.altavista.com http://search.yahoo.com http://www.google.com It does this to gather more and more addresses to spam. Using social engineering techniques, this worm sends out an email with a spoofed sender's name and poses as a failure delivery notification. Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files. The email message it sends has varying subjects, message bodies, and attachment file names. Apart from simply spreading via email, this worm also carries backdoor functionalities that leaves the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens TCP port 1034 and waits for outside connections. This routine virtually hands over control of the affected machine to a remote attacker. Removal; MANUAL REMOVAL INSTRUCTIONS <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=3DWORM%5FMY= DOOM%2EBB&VSect=3DSn> ++ There is more on the web site. Reference; Agnitum; mydoom-o.html www.agnitum.com/news/mydoom-o.html Computer Associates: Win32.Mydoom.AU http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=3D41813 McAfee: W32/Mydoom.bb@MM http://vil.nai.com/vil/content/v_131856.htm Secunia: Mydoom.bb http://secunia.com/virus_information/15470/ Sophos; w32mydoomo http://www.sophos.com/virusinfo/analyses/w32mydoomo.html Symantec; w32.mydoom.ax@mm http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@xxxxxx= l Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see ~ http://www.mwn.ca <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=3Dsubscribe> See my Anti-Virus pages <http://www3.telus.net/mikebike/mikes_virus_page.htm> <virusinfo-request@xxxxxxxxxxxxx?Subject=3Dsubscribe> A Technical Support Alliance & OWTA Charter Member -- To unsub or change your email settings: //www.freelists.org/webpage/pctechtalk To access our Archives: http://groups.yahoo.com/group/PCTechTalk/messages/ //www.freelists.org/archives/pctechtalk/ For more info: //www.freelists.org/cgi-bin/list?list_id=pctechtalk