[virusinfo] W32/MyDoom-AJ

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 09 Apr 2005 09:20:07 -0700

From: Sophos Alert System:

Name: W32/MyDoom-AJ
Type: Win32 worm
Date: 9 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/MyDoom-AJ can be found at:
http://www.sophos.com/virusinfo/analyses/w32mydoomaj.html

Sophos's anti-virus products include Genotype® detection technology, which can
proactively protect against new threats without requiring an update. Sophos
customers have been protected against W32/MyDoom-AJ (detected as
W32/MyDoom-Gen) since version 3.92.

W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality which can
also infect computers vulnerable to the LSASS (MS04-011) exploit.

When first run the worm copies itself to the Windows system folder as
mathchk.exe and creates the following registry entries so as to auto-start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    RealPlayer Ath Check = mathchk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    RealPlayer Ath Check = mathchk.exe
HKLM\Software\Microsoft\OLE
    RealPlayer Ath Check = mathchk.exe
HKLM\System\CurrentControlSet\Control\Lsa
    RealPlayer Ath Check = mathchk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    RealPlayer Ath Check = mathchk.exe
HKCU\Software\Microsoft\OLE
    RealPlayer Ath Check = mathchk.exe
HKCU\System\CurrentControlSet\Control\Lsa
    RealPlayer Ath Check = mathchk.exe

The worm will attempt to harvest email addresses from files on the local hard
disk.

Emails sent by W32/MyDoom-AJ have the following characteristics:

Subject line chosen from one of the following, possibly in all upper case or
all in lower case:

Good day
Hello
Server Report
Status
<blank>

Message text chosen from:

Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as
a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
The original message was included as an attachment.
<junk>

Attached filename chosen from the following with an extension chosen from (bat
cmd exe scr pif zip):

body
data
doc
document
file
message
readme
text

This IDE file also includes detection for:

Troj/Banworm-B
http://www.sophos.com/virusinfo/analyses/trojbanwormb.html
W32/Sdbot-WU
http://www.sophos.com/virusinfo/analyses/w32sdbotwu.html
W32/Agobot-RK
http://www.sophos.com/virusinfo/analyses/w32agobotrk.html
W32/Rbot-BAS
http://www.sophos.com/virusinfo/analyses/w32rbotbas.html
Troj/Delf-RX
http://www.sophos.com/virusinfo/analyses/trojdelfrx.html
Troj/SmDldr-A
http://www.sophos.com/virusinfo/analyses/trojsmdldra.html
Troj/Dlsw-A
http://www.sophos.com/virusinfo/analyses/trojdlswa.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mydoomaj.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
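The autostart entries and dropped file listed in the Sophos alert above can be checked on a host with a short script. The following is an added example, not Sophos's or Mike's code: the key list, value name and file name are taken verbatim from the alert; the function names, the offline dict-backed reader and the SAMPLE_REGISTRY contents are constructed for illustration. The live reader uses only the standard-library winreg calls (OpenKey, QueryValueEx) and so only works when run on Windows.

```python
"""Check a Windows host for the W32/MyDoom-AJ autostart entries and dropped file
named in the Sophos alert. Added example, not Sophos code."""
import ntpath
import os
from typing import Callable, Dict, List, Optional, Tuple

VALUE_NAME = "RealPlayer Ath Check"   # value name from the alert
VALUE_DATA = "mathchk.exe"            # value data from the alert
DROPPED_FILE = "mathchk.exe"          # copied into the Windows system folder

# (hive, subkey) pairs exactly as listed in the alert.
AUTOSTART_KEYS: List[Tuple[str, str]] = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKLM", r"Software\Microsoft\OLE"),
    ("HKLM", r"System\CurrentControlSet\Control\Lsa"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\OLE"),
    ("HKCU", r"System\CurrentControlSet\Control\Lsa"),
]

# A reader returns the string data of hive\subkey\name, or None if absent.
Reader = Callable[[str, str, str], Optional[str]]


def winreg_reader(hive: str, subkey: str, name: str) -> Optional[str]:
    """Live reader for Windows hosts using the standard-library winreg module."""
    import winreg  # only importable on Windows
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, name)
            return str(data)
    except OSError:          # key or value missing
        return None


def dict_reader(fake_registry: Dict[str, str]) -> Reader:
    """Offline reader over a dict keyed 'HIVE\\subkey\\name' (tests, or triage of
    an exported registry). Hypothetical helper for this example."""
    def read(hive: str, subkey: str, name: str) -> Optional[str]:
        return fake_registry.get(f"{hive}\\{subkey}\\{name}")
    return read


def find_autostart_entries(read: Reader) -> List[str]:
    """Return 'HIVE\\subkey' for every alert-listed key whose 'RealPlayer Ath Check'
    value points at mathchk.exe. Matching is case-insensitive and tolerates a
    full path or quotes around the data, since the alert gives only the bare
    file name."""
    hits = []
    for hive, subkey in AUTOSTART_KEYS:
        data = read(hive, subkey, VALUE_NAME)
        if data is None:
            continue
        # ntpath handles Windows separators even when this runs on a non-Windows box.
        basename = ntpath.basename(data.strip().strip('"')).lower()
        if basename == VALUE_DATA:
            hits.append(f"{hive}\\{subkey}")
    return hits


def dropped_file_present(system_dir: Optional[str] = None) -> bool:
    """True if mathchk.exe sits in the Windows system folder (defaults to
    %SystemRoot%\\system32 when run on Windows)."""
    if system_dir is None:
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    return os.path.isfile(os.path.join(system_dir, DROPPED_FILE))


# Constructed sample: two of the seven autostart values present, one of them
# written with a full path, plus an unrelated Run value that must not match.
SAMPLE_REGISTRY: Dict[str, str] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RealPlayer Ath Check":
        r"C:\WINDOWS\system32\mathchk.exe",
    r"HKCU\Software\Microsoft\OLE\RealPlayer Ath Check": "mathchk.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe": "ctfmon.exe",
}

if __name__ == "__main__":
    for hit in find_autostart_entries(dict_reader(SAMPLE_REGISTRY)):
        print("autostart entry:", hit)
    print("dropped file present:", dropped_file_present())
```

On a live Windows host, call `find_autostart_entries(winreg_reader)` instead of the dict reader. Note that HKCU only covers the user running the script; an infection under another profile needs each loaded user hive checked, and absence of the value names does not prove the backdoor component is gone, so a positive hit should be followed by a full scan with the IDE file rather than a manual delete alone.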

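The mail characteristics in the alert (subject list, body strings, attachment name and extension lists) are what a gateway filter would key on. The following is an added example, not Sophos's or Mike's code, showing that logic over two constructed messages: the string sets are copied from the alert; the function names, the two SAMPLE_* messages and the rule that a match requires one of the listed attachment names plus at least one other characteristic are assumptions made for this example, chosen because "Hello" or a blank subject alone is too common to act on.

```python
"""Flag messages that match the W32/MyDoom-AJ mail characteristics from the
Sophos alert. Added example, not Sophos code."""
import email
import re
from email.message import Message
from typing import List

# Subjects from the alert, compared lower-cased (the alert says the case varies).
SUBJECTS = {"good day", "hello", "server report", "status", ""}
# Message texts from the alert; "<junk>" is not matched, it is arbitrary.
BODIES = {
    "Mail transaction failed. Partial message is available.",
    "The message cannot be represented in 7-bit ASCII encoding and has been "
    "sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary "
    "attachment.",
    "The original message was included as an attachment.",
}
# Attachment base names and extensions from the alert.
ATTACHMENT_RE = re.compile(
    r"^(body|data|doc|document|file|message|readme|text)\.(bat|cmd|exe|scr|pif|zip)$",
    re.IGNORECASE,
)


def _normalise(text: str) -> str:
    """Collapse line wrapping and stray whitespace before comparing body text."""
    return " ".join(text.split())


def mydoom_aj_indicators(msg: Message) -> List[str]:
    """Return the list of alert characteristics the message matches (empty
    list means none). The attachment name is the strongest single indicator."""
    found = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        found.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename.strip()):
            found.append(f"attachment:{filename}")
        elif part.get_content_type() == "text/plain" and not filename:
            payload = part.get_payload(decode=True)
            text = _normalise((payload or b"").decode("latin-1", "replace"))
            if text in BODIES:
                found.append("body")
    return found


def indicators_for(raw: bytes) -> List[str]:
    """Parse a raw RFC 822 message and return its indicator list."""
    return mydoom_aj_indicators(email.message_from_bytes(raw))


def is_mydoom_aj_like(raw: bytes) -> bool:
    """True when the message carries one of the alert's attachment names AND at
    least one of its subject/body strings (threshold assumed for this example)."""
    ind = indicators_for(raw)
    return any(i.startswith("attachment:") for i in ind) and len(ind) >= 2


# Constructed sample resembling a worm message: all-uppercase subject from the
# list, one of the body strings, and a listed attachment name.
SAMPLE_WORM = b"""\
From: bob@example.com
To: alice@example.com
Subject: SERVER REPORT
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The message contains Unicode characters and has been sent as a binary
attachment.
--b1
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign sample: a listed subject, but ordinary text and no attachment.
SAMPLE_BENIGN = b"""\
From: bob@example.com
To: alice@example.com
Subject: hello

Are we still on for lunch?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, indicators_for(raw), is_mydoom_aj_like(raw))
```

The body comparison works on the decoded text/plain part rather than the raw bytes, so base64 or quoted-printable encoded copies of the same strings still match; attachments are matched on the declared filename, which a gateway should treat as a hint only, since the worm can also arrive inside a zip whose inner name differs.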


