-=PCTechTalk=- MyDoom O Virus High risk

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: pctechtalk@xxxxxxxxxxxxx
  • Date: Wed, 16 Feb 2005 20:55:57 -0800

Virus Characteristics:
This variant of W32/Mydoom is similar to previous variants;
it bears the following characteristics:

mass-mailing worm constructing messages using its own SMTP engine 
harvests email addresses from the victim machine 
spoofs the From: address 
contains a peer to peer propagation routine 
downloads the BackDoor-CEB.f trojan 
 
Trend Micro:  WORM_MYDOOM.BB

<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB>

As of February 16, 2005, 05:31 PM 
(GMT - 08:00, Pacific Standard Time) 
Trendlabs received numerous reports of new samples of the 
mass mailer WORM_MYDOOM.M, rapidly spreading in Singapore 
and in the U.S. Earlier samples of this worm are known to be 
compressed using UPX. However, new samples received by 
Trend Micro have been found to be compressed using MEW. 
These new samples are now detected as WORM_MYDOOM.BB.

WORM_MYDOOM.BB is similar to WORM_MYDOOM.M 
in almost all aspects, save for the compression used. 
Like earlier variants, this worm spreads via email through 
SMTP (Simple Mail Transfer Protocol), gathering target 
recipients from the Windows Address Book, the Temporary 
Internet Files folder, and certain fixed drives. 
Notably, it skips email addresses that contain certain strings. 

When it finds an email address, it gets the domain name of 
that email address and queries the following search engines 
to search for email addresses in the same domain: 

http://search.lycos.com 
http://www.altavista.com 
http://search.yahoo.com 
http://www.google.com 
It does this to gather more and more addresses to spam.

Using social engineering techniques, this worm sends out an 
email with a spoofed sender's name and poses as a failure 
delivery notification. 

Social engineering, a propagation technique that is widely utilized 
by most worm programs, invests largely on computer users' instinctive 
tendency to open email messages, execute attachments that are 
enticing and apparently harmless, and download and unknowingly 
open attractively named files.

The email message it sends has varying subjects, message bodies, 
and attachment file names. 

Apart from simply spreading via email, this worm also carries backdoor 
functionalities that leave the infected machine vulnerable to remote 
access. It drops a backdoor component named SERVICES.EXE in the 
Windows folder, which opens TCP port 1034 and waits for outside 
connections. This routine virtually hands over control of the affected 
machine to a remote attacker.

Removal:
MANUAL REMOVAL INSTRUCTIONS 
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EBB&VSect=Sn>
 ++ There is more on the web site.

Reference:
Agnitum:  mydoom-o.html 
www.agnitum.com/news/mydoom-o.html 

Computer Associates:  Win32.Mydoom.AU
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41813

McAfee:  W32/Mydoom.bb@MM
http://vil.nai.com/vil/content/v_131856.htm

Secunia: Mydoom.bb
http://secunia.com/virus_information/15470/

Sophos:  w32mydoomo
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

Symantec:  w32.mydoom.ax@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@xxxxxxl


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages
<http://www3.telus.net/mikebike/mikes_virus_page.htm>
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance & OWTA Charter Member
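The advisory quoted above gives two host-level indicators a defender can check for without any vendor tooling: the backdoor component SERVICES.EXE dropped into the Windows folder (the legitimate services.exe lives in System32), and a TCP listener on port 1034. The script below is an added example written for this page; it is not from the post, from Trend Micro, or from any of the vendors listed. It parses Windows `netstat -an` style output and a list of file paths, both constructed here as sample input, and flags the two indicators. The sample lines and the `C:\Windows` location are assumptions for the demonstration.

```python
"""Host checks for the WORM_MYDOOM.BB indicators described in the advisory:
a services.exe outside System32 and a TCP listener on port 1034.
All sample data below is constructed for the example, not captured from a host."""
import re
from pathlib import PureWindowsPath

BACKDOOR_PORT = 1034          # listener port named in the advisory
DROPPED_NAME = "services.exe" # dropped file name from the advisory

# Matches lines of the form:  TCP    0.0.0.0:1034    0.0.0.0:0    LISTENING
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE
)

# Constructed netstat -an output; only the 1034 line is suspicious.
SAMPLE_NETSTAT = [
    "Active Connections",
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.10:1050      203.0.113.7:25         ESTABLISHED",
]

# Constructed file listing; the copy directly under C:\Windows is the indicator.
SAMPLE_FILES = [
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\SERVICES.EXE",
    r"C:\Windows\explorer.exe",
]


def find_listeners(netstat_lines, port=BACKDOOR_PORT):
    """Return (local_address, port) for every TCP socket listening on `port`."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group("port")) == port:
            hits.append((m.group("addr"), int(m.group("port"))))
    return hits


def suspicious_services_exe(paths, windir=r"C:\Windows"):
    """Return paths named services.exe that are not in <windir>\\System32.
    The advisory says the backdoor is dropped directly into the Windows folder,
    so a services.exe sitting beside System32 rather than inside it is the flag."""
    legit_dir = str(PureWindowsPath(windir, "System32")).lower()
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == DROPPED_NAME and str(wp.parent).lower() != legit_dir:
            flagged.append(p)
    return flagged


def scan(netstat_lines, paths):
    """Combine both checks into one report dict for triage."""
    return {
        "backdoor_listeners": find_listeners(netstat_lines),
        "misplaced_services_exe": suspicious_services_exe(paths),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_NETSTAT, SAMPLE_FILES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live machine you would feed `find_listeners` the output of `netstat -an` and `suspicious_services_exe` a directory listing of the Windows folder; a hit on either check is a reason to follow the vendor removal instructions linked above, since a listener on 1034 means the backdoor is already accepting connections.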

