From; Sophos Alert System: Name: W32/MyDoom-AJ Type: Win32 worm Date: 9 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/MyDoom-AJ can be found at: http://www.sophos.com/virusinfo/analyses/w32mydoomaj.html Sophos's anti-virus products include Genotype ? detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/MyDoom-AJ (detected as W32/MyDoom-Gen) since version 3.92 W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the LSASS (MS04-011) exploit. When first run the worm copies itself to the Windows system folder as mathchk.exe and creates the following registry entries so as to auto-start: HKLM\Software\Microsoft\Windows\CurrentVersion\Run RealPlayer Ath Check= mathchk.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices RealPlayer Ath Check= mathchk.exe HKLM\Software\Microsoft\OLE RealPlayer Ath Check= mathchk.exe HKLM\System\CurrentControlSet\Control\Lsa\ RealPlayer Ath Check= mathchk.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run RealPlayer Ath Check= mathchk.exe HKCU\Software\Microsoft\OLE RealPlayer Ath Check= mathchk.exe HKCU\System\CurrentControlSet\Control\Lsa RealPlayer Ath Check= mathchk.exe The worm will attempt to harvest email addresses from files on the local hard disk. Emails sent by W32/MyDoom-AJ have the following characteristics: Subject line chosen from one of the following, possibly in all uppper case or all in lower case: Good day Hello Server Report Status <blank> Message text chosen from: Mail transaction failed. Partial message is available. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. The original message was included as an attachment. <junk> Attached filename chosen from the following with an extension chosen from (bat cmd exe scr pif zip): body data doc document file message readme text This IDE file also includes detection for: Troj/Banworm-B http://www.sophos.com/virusinfo/analyses/trojbanwormb.html W32/Sdbot-WU http://www.sophos.com/virusinfo/analyses/w32sdbotwu.html W32/Agobot-RK http://www.sophos.com/virusinfo/analyses/w32agobotrk.html W32/Rbot-BAS http://www.sophos.com/virusinfo/analyses/w32rbotbas.html Troj/Delf-RX http://www.sophos.com/virusinfo/analyses/trojdelfrx.html Troj/SmDldr-A http://www.sophos.com/virusinfo/analyses/trojsmdldra.html Troj/Dlsw-A http://www.sophos.com/virusinfo/analyses/trojdlswa.html Download the IDE file from: http://www.sophos.com/downloads/ide/mydoomaj.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member