Released: January 26, 2004

Description of the W32.Mydoom@mm worm

W32.Mydoom@mm is a mass-mailing worm that spreads through email and the Kazaa peer-to-peer network. It arrives as a randomly named attachment with one of the extensions .zip, .bat, .scr, .exe, .cmd or .pif. For a detailed description of the email format, refer to the table below.

From:        Spoofed email addresses, or even your own address
Subject:     Random; may contain one of the following: Test / Hi / hello / Mail Delivery System / Mail Transaction Failed / Server Report / Error / Status
Body:        May contain one of the following messages:
             The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
             The message contains Unicode characters and has been sent as a binary attachment.
             Mail transaction failed. Partial message is available.
             Test
Attachment:  File with one of the following extensions: .zip, .bat, .scr, .exe, .cmd, .pif
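
As an added example that is not part of the original advisory, the following Python script matches a mail message against the subject, body and attachment indicators in the table above and flags it only when two or more of them agree; the sample messages it builds are constructed, and the example.com addresses are placeholders.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory: subjects, body texts and attachment extensions.
MYDOOM_SUBJECTS = {"test", "hi", "hello", "mail delivery system",
                   "mail transaction failed", "server report", "error", "status"}
MYDOOM_BODY_PHRASES = (
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
MYDOOM_EXTENSIONS = {".zip", ".bat", ".scr", ".exe", ".cmd", ".pif"}


def score_message(raw: bytes) -> dict:
    """Match one raw RFC 822 message against the advisory's indicators.

    Flag only when at least two independent indicators match, so a lone
    "Hi" subject or a single .zip attachment does not trip the rule.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() in MYDOOM_SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().strip() if body_part is not None else ""
    # "Test" only counts as the whole body; the longer phrases may be embedded.
    if text == "Test" or any(p in text for p in MYDOOM_BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in MYDOOM_EXTENSIONS:
            hits.append("attachment:" + name)
    return {"hits": hits, "suspicious": len(hits) >= 2}


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message; the example.com addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```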

Once the recipient extracts and runs the attachment, the worm copies itself to the Windows system folder as "taskmon.exe" and creates a startup entry in the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe

This program is run every time Windows starts. It opens Windows Notepad and fills it with nonsense characters, and it also opens a TCP port to enable remote access. The worm also performs a DDoS attack against SCO.com, timed to run between the 1st and 12th of February 2004. After that it stops performing most of its routines, except for its backdoor functionality.

Known aliases

Please note that the W32.Mydoom@mm worm is also known by other names, including W32.Novarg.A@MM, WORM_Mimail.R@MM, W32.Mydoom.A, W32/Shimg, I-Worm.Novarg, Win32.Mydoom.A, Mydoom, W32/Mydoom@MM, W32/MyDoom-A etc.

Payload of the email worm

The worm sends itself to e-mail addresses harvested from local files with the following extensions: wab, adb, dbx, php, tbb, asp, sht, htm and txt. It performs a DDoS attack specifically against SCO.com and propagates through the Kazaa peer-to-peer file-sharing application. It also opens ports from 3127 to 3198 sequentially and listens for incoming backdoor connections.

Look for cure

New virus definitions are available from the following anti-virus vendors to detect and remove this worm. Please click on the name of an anti-virus company to go to its Web site.

Computer Associates | F-secure | McAfee | Symantec

Note: Please follow your anti-virus vendor's instructions to remove the worm and repair your system.

More information

Computer Associates | F-Secure | McAfee | Network Box | Norman | Sophos | Symantec | Trend Micro
