From: Sophos Alert System

Name: W32/MyDoom-BN
Aliases: Email-Worm.Win32.Mydoom.as, W32/Mydoom.bn@MM virus
Type: Win32 worm
Date: 28 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/MyDoom-BN can be found at:
http://www.sophos.com/virusinfo/analyses/w32mydoombn.html

Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/MyDoom-BN (detected as W32/MyDoom-Gen) since version 3.85.

W32/MyDoom-BN is a member of the W32/MyDoom family of email worms.

Like the other members of the MyDoom family, W32/MyDoom-BN opens Notepad to display the file message that contains random strings.

Like the other MyDoom worms, W32/MyDoom-BN scans the filesystem and mounted shares for email addresses.

The worm may listen on ports, exposing a backdoor that potential attackers can use.

In order to run automatically, W32/MyDoom-BN copies itself to the file taskmon.exe in the Windows system folder and creates the following registry entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    TaskMon
    "<Windows system folder>\taskmon.exe"

W32/MyDoom-BN will create email messages with one of the following subjects:

    Duvido voce me reconher =)
    estou longe!!
    Eu nao ti vejo a muito tempo.
    Eu te amo
    lembra de mim??
    Oi
    Oi a quanto tempo... =)
    Saudades de voce!!!
    Voce me reconhece??

The following will be the body of the email:

    Ola, a quanto tempo!
    Eu me mudei dai para os Estados Unidos, e faz um tempo que perdemos o contato e consegui seu email atraves de uma amiga sua. Vamos fazer assim, eu vou lhe mandar meu album de fotos se voce me reconhecer, me retorna o email. Quero ver se voce ainda lembra de mim. :)

W32/MyDoom-BN will copy itself to the KaZaa share folder, if available, as one of the following:

    activation_crack.<ext>
    icq2004-final.<ext>
    office_crack.<ext>
    rootkitXP.<ext>
    strip-girl-2.0bdcom_patches.<ext>
    winamp5.<ext>

In the above, <ext> will be one of the following at random:

    bat
    cmd
    exe
    pif
    scr
    zip

W32/MyDoom-BN will attach itself to the email under one of the following filenames, with one of the extensions listed above:

    album
    album_de_foto
    eu
    foto
    fotografia
    fotos
    minhas_fotos

W32/MyDoom-BN will avoid email addresses containing the following:

    acketst
    arin.
    avp
    berkeley
    borlan
    bsd
    example
    fido
    fsf.
    gnu
    google
    iana
    ibm.com
    icrosof
    ietf
    inpris
    isc.o
    isi.e
    kernel
    linux
    math
    mit.e
    mozilla
    mydomai
    nodomai
    pgp
    rfc-ed
    ripe.
    ruslis
    secur
    sendmail
    syma
    tanford.e
    unix
    usenet
    utgers.ed

Along with using email addresses found on the infected system, W32/MyDoom-BN may send email that looks as though it comes from one of the following domains:

    aol.com.br
    bol.com.br
    gmail.com
    hotmail.com.br
    msn.com.br
    uol.com.br
    yahoo.com.br

This IDE file also includes detection for:

    Troj/Ablank-V
    http://www.sophos.com/virusinfo/analyses/trojablankv.html

    W32/Mytob-BB
    http://www.sophos.com/virusinfo/analyses/w32mytobbb.html

    Troj/Lowzone-Y
    http://www.sophos.com/virusinfo/analyses/trojlowzoney.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mydoombn.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
The file is available in two formats:

    Zip file: http://www.sophos.com/downloads/ide/ides.zip
    Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
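
The subject lines and attachment names listed in the alert can be turned into a mail-filter check. The following is an added example, not part of the Sophos alert or of Mike's message: the function names and the sample messages are constructed for illustration, and only the indicator strings come from the alert.

```python
import email
from email.message import EmailMessage
from pathlib import PurePath

# Indicator strings copied from the alert, lower-cased for comparison.
SUBJECTS = {
    "duvido voce me reconher =)", "estou longe!!",
    "eu nao ti vejo a muito tempo.", "eu te amo", "lembra de mim??",
    "oi", "oi a quanto tempo... =)", "saudades de voce!!!",
    "voce me reconhece??",
}
ATTACH_NAMES = {"album", "album_de_foto", "eu", "foto", "fotografia",
                "fotos", "minhas_fotos"}
EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def matches_advisory(raw: bytes) -> list[str]:
    """Return the reasons a raw message matches the alert's description."""
    msg = email.message_from_bytes(raw)
    reasons = []
    # Collapse folded whitespace so a wrapped Subject header still matches.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        reasons.append(f"subject:{subject}")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        # Windows ignores case, so FOTOS.PIF is treated like fotos.pif.
        path = PurePath(filename.replace("\\", "/").lower())
        if path.stem in ATTACH_NAMES and path.suffix.lstrip(".") in EXTENSIONS:
            reasons.append(f"attachment:{path.name}")
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message carrying a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("placeholder body")
    msg.add_attachment(b"not malware", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A subject match on its own (for example "Oi") is weak evidence; the attachment name and extension together are the stronger signal.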