[virusinfo] W32/MyDoom-BN

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 28 Apr 2005 15:28:04 -0700

From: Sophos Alert System:

Name: W32/MyDoom-BN
Aliases: Email-Worm.Win32.Mydoom.as, W32/Mydoom.bn@MM virus
Type: Win32 worm
Date: 28 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/MyDoom-BN can be found at:
http://www.sophos.com/virusinfo/analyses/w32mydoombn.html

Sophos's anti-virus products include Genotype® detection technology, which can
proactively protect against new threats without requiring an update. Sophos
customers have been protected against W32/MyDoom-BN (detected as
W32/MyDoom-Gen) since version 3.85.

W32/MyDoom-BN is a member of the W32/MyDoom family of email worms.

Like the other members of the MyDoom family, W32/MyDoom-BN opens Notepad to
display the file "message", which contains random strings.

Like the other MyDoom worms, W32/MyDoom-BN scans the filesystem and mounted
shares for email addresses.

The worm may listen on ports, exposing a backdoor which can be made use of by
potential attackers.

In order to run automatically, W32/MyDoom-BN copies itself to the file
taskmon.exe in the Windows system folder and creates the following registry
entry:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  TaskMon
  "<Windows system folder>\taskmon.exe"
W32/MyDoom-BN will create email messages with one of the following subjects:

  Duvido voce me reconher =)
  estou longe!!
  Eu nao ti vejo a muito tempo.
  Eu te amo
  lembra de mim??
  Oi
  Oi a quanto tempo... =)
  Saudades de voce!!!
  Voce me reconhece??

The following will be the body of the email:

  Ola, a quanto tempo! Eu me mudei dai para os Estados Unidos, e faz um tempo
  que perdemos o contato e consegui seu email atraves de uma amiga sua. Vamos
  fazer assim, eu vou lhe mandar meu album de fotos se voce me reconhecer, me
  retorna o email. Quero ver se voce ainda lembra de mim. :)
W32/MyDoom-BN will copy itself to the KaZaa share folder, if available, as one
of the following:

  activation_crack.<ext>
  icq2004-final.<ext>
  office_crack.<ext>
  rootkitXP.<ext>
  strip-girl-2.0bdcom_patches.<ext>
  winamp5.<ext>

In the above, <ext> will be one of the following, chosen at random:

  bat
  cmd
  exe
  pif
  scr
  zip

W32/MyDoom-BN will attach itself to the email with one of the following
filenames, with one of the extensions listed above:

  album
  album_de_foto
  eu
  foto
  fotografia
  fotos
  minhas_fotos
W32/MyDoom-BN will avoid email addresses containing the following:

  acketst
  arin.
  avp
  berkeley
  borlan
  bsd
  example
  fido
  fsf.
  gnu
  google
  iana
  ibm.com
  icrosof
  ietf
  inpris
  isc.o
  isi.e
  kernel
  linux
  math
  mit.e
  mozilla
  mydomai
  nodomai
  pgp
  rfc-ed
  ripe.
  ruslis
  secur
  sendmail
  syma
  tanford.e
  unix
  usenet
  utgers.ed

Along with using email addresses found on the infected system, W32/MyDoom-BN
may send email that looks as though it comes from one of the following domains:

  aol.com.br
  bol.com.br
  gmail.com
  hotmail.com.br
  msn.com.br
  uol.com.br
  yahoo.com.br

This IDE file also includes detection for:

Troj/Ablank-V
http://www.sophos.com/virusinfo/analyses/trojablankv.html
W32/Mytob-BB
http://www.sophos.com/virusinfo/analyses/w32mytobbb.html
Troj/Lowzone-Y
http://www.sophos.com/virusinfo/analyses/trojlowzoney.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mydoombn.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
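The advisory above gives everything a mail gateway needs to recognise this worm's messages without a signature update: the lure subjects, the fixed body text, the attachment name/extension pairs and the spoofed sender domains. The following Python script is an added example (it is not part of the Sophos alert or of this list post) that turns those lists into a triage rule over raw RFC 822 messages, plus a helper for the KaZaa drop names. The three sample messages at the bottom are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicator lists transcribed from the advisory (normalised to lower case).
SUBJECTS = {
    "duvido voce me reconher =)", "estou longe!!",
    "eu nao ti vejo a muito tempo.", "eu te amo", "lembra de mim??", "oi",
    "oi a quanto tempo... =)", "saudades de voce!!!", "voce me reconhece??",
}
BODY_MARKER = "eu me mudei dai para os estados unidos"   # fixed lure sentence
ATTACHMENT_STEMS = ("album", "album_de_foto", "eu", "foto", "fotografia",
                    "fotos", "minhas_fotos")
KAZAA_STEMS = ("activation_crack", "icq2004-final", "office_crack",
               "rootkitXP", "strip-girl-2.0bdcom_patches", "winamp5")
EXTENSIONS = ("bat", "cmd", "exe", "pif", "scr", "zip")
SPOOFED_DOMAINS = {"aol.com.br", "bol.com.br", "gmail.com", "hotmail.com.br",
                   "msn.com.br", "uol.com.br", "yahoo.com.br"}


def _stem_ext_re(stems):
    """Anchored, case-insensitive <stem>.<ext> matcher; dots/hyphens escaped."""
    alts = "|".join(re.escape(s) for s in stems)
    exts = "|".join(EXTENSIONS)
    return re.compile(rf"^(?:{alts})\.(?:{exts})$", re.IGNORECASE)


ATTACHMENT_RE = _stem_ext_re(ATTACHMENT_STEMS)
KAZAA_RE = _stem_ext_re(KAZAA_STEMS)


def is_kazaa_dropper_name(filename):
    """True for a file name the worm uses when copying itself to a KaZaa share."""
    return KAZAA_RE.match(filename) is not None


def triage(raw_message):
    """Return (verdict, hits) for one message.

    'quarantine' when the worm's attachment name pattern is present,
    'suspicious' when only the lure subject or body text matches, 'clean'
    otherwise. A spoofed sender domain is recorded but never decides the
    verdict alone, because those are ordinary webmail domains.
    """
    # policy.default decodes RFC 2047 headers so subjects compare as plain text.
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []

    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")

    sender = parseaddr(str(msg.get("From", "")))[1]
    if sender.rpartition("@")[2].lower() in SPOOFED_DOMAINS:
        hits.append("sender-domain")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            hits.append("attachment")
            continue
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if BODY_MARKER in " ".join(body.split()).lower():
                hits.append("body")

    if "attachment" in hits:
        return "quarantine", hits
    if "subject" in hits or "body" in hits:
        return "suspicious", hits
    return "clean", hits


# Constructed sample messages (not real captures).
SAMPLE_LURE = """\
From: Amiga <amiga@hotmail.com.br>
To: victim@example.org
Subject: Voce me reconhece??
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Ola, a quanto tempo! Eu me mudei dai para os Estados Unidos, e faz um tempo
que perdemos o contato.
--sep
Content-Type: application/octet-stream; name="fotos.scr"
Content-Disposition: attachment; filename="fotos.scr"
Content-Transfer-Encoding: base64

QUJD
--sep--
"""

SAMPLE_SUBJECT_ONLY = """\
From: Bob <bob@example.com>
To: victim@example.org
Subject: Oi
Content-Type: text/plain

Tudo bem? Almoco amanha?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_SUBJECT_ONLY):
        print(triage(raw))
    print(is_kazaa_dropper_name("rootkitXP.zip"))
```

The attachment name pattern is the actionable indicator: the worm only ships itself under those seven stems with those six extensions, so that combination alone justifies quarantining. A subject match by itself is deliberately weaker, since "Oi" is an everyday Portuguese greeting. On the host side, the matching check is the Run key entry the advisory names (TaskMon pointing at taskmon.exe in the Windows system folder).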