[virusinfo] Re: Sophos Anti-Virus IDE alert: W32/MyDoom-BH

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Mon, 21 Mar 2005 09:59:06 -0800

From; Sophos Alert System:

Name: W32/MyDoom-BH
Type: Win32 worm
Date: 21 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/MyDoom-BH can be found at:
http://www.sophos.com/virusinfo/analyses/w32mydoombh.html

W32/MyDoom-BH is a mass-mailing and peer-to-peer worm. 
When first run the worm will display a dialog box with the title "AVToolKitPro" 
and message of "Operation completed". The worm will then copy itself to the 
Windows system folder as debugmonitor.exe and create the following registry 
entry so as to auto-start: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DebugMonitor
%SYSTEM%\debugmonitor.exe 
The worm will also attempt to copy itself to the KaZaa share folder if it 
exists using one of the following filenames and an extension chosen from PIF, 
SCR, EXE or BAT: 
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5 
W32/MyDoom-BH will harvest email address from files on the local drives with 
the following extensions: 
WAB PL ADB TBB DBX ASP PHP SHT HTM TXT 
Emails sent by the worm are in HTML and may take the following form: 
Subject: 
Virus Alert id: <random number> 
Message text: 
You received this message as a valuable
Symantec.com member since September 23, 2003.
**********************************
WARNING! Your computer was infected by VIRUS:
Worm.SomeFool.P
You can install this utility to remove virus
***********************************
http://securityresponse.symantec.com/avcenter/FxAgentB.exe 
W32/MyDoom-BH may also attempt do download and execute components from remote 
webistes

This IDE file also includes detection for:

Troj/Multidr-CP
http://www.sophos.com/virusinfo/analyses/trojmultidrcp.html
Troj/Daemoni-K
http://www.sophos.com/virusinfo/analyses/trojdaemonik.html
Troj/Bancos-BS
http://www.sophos.com/virusinfo/analyses/trojbancosbs.html
Troj/Banker-BR
http://www.sophos.com/virusinfo/analyses/trojbankerbr.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mydoombh.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Re: Sophos Anti-Virus IDE alert: W32/MyDoom-BH

1. Home
2. virusinfo
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---