Date: 27 July 2004
References: ESB-2004.0513
AusCERT Update AU-2004.010 - High levels of activity due to MyDoom.M/O variants
27 July 2004
AusCERT has been informed of high levels of activity due to the MyDoom
variants known as: Mydoom.M (Symantec[1], Panda[2], TrendMicro[3], F-Secure[4])
or MyDoom.O (McAfee[5], CA[6], Sophos[7]).
MyDoom.M/O is a mass-mailing virus which masquerades as a variety of mail
delivery and virus infection error messages designed to entice a user to run a
malicious attachment. It also spreads through peer-to-peer (P2P) file sharing
programs. Details of this email message include:
SUBJECT:
click me baby, one more time
hello
hi error
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The original message was included as attachment
ATTACHMENT NAME:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message
ATTACHMENT EXTENSION:
cmd
bat
com
exe
pif
scr
zip
MESSAGE BODY:
There are several different possible message bodies, all of which may contain
additional minor variations. An example is (where <domain> is replaced with
the recipient's domain):
Dear user of <domain>,
Your account was used to send a large amount of spam messages during the last
week. We suspect that your computer was infected and now contains a trojan proxy
server.
Please follow the instructions in the attached text file in order to keep your
computer safe.
Sincerely yours,
The <domain> support team.
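As an added example (not part of the AusCERT advisory), the following Python check triages a parsed email message against the subject lines, attachment names and extensions listed above; the sample message, the verdict names and the scoring rule are constructed for illustration.

```python
import email

# Lure indicators copied from the advisory above: subjects, attachment names, extensions.
SUBJECTS = {s.lower() for s in (
    "click me baby, one more time", "hello", "hi error", "error", "status",
    "test", "report", "delivery failed", "Message could not be delivered",
    "Mail System Error - Returned Mail", "Delivery reports about your e-mail",
    "Returned mail: see transcript for details", "Returned mail: Data format error",
    "The original message was included as attachment")}
ATTACH_NAMES = {"readme", "instruction", "transcript", "mail", "letter",
                "file", "text", "attachment", "document", "message"}
ATTACH_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr", "zip"}

def split_name(filename):
    """Split 'readme.pif' into ('readme', 'pif'); a name without a dot gets ext ''."""
    base, dot, ext = filename.lower().rpartition(".")
    return (base, ext) if dot else (ext, "")

def triage(raw_message):
    """Verdict: 'quarantine' (lure subject plus name+ext hit), 'suspicious' (any hit), 'clean'."""
    msg = email.message_from_string(raw_message)
    subject = (msg["subject"] or "").strip()
    subject_hit = subject.lower() in SUBJECTS
    hits = []  # (attachment filename, True when both name and extension match)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        base, ext = split_name(name)
        if base in ATTACH_NAMES or ext in ATTACH_EXTS:
            hits.append((name, base in ATTACH_NAMES and ext in ATTACH_EXTS))
    if subject_hit and any(full for _, full in hits):
        verdict = "quarantine"
    elif subject_hit or hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject_hit": subject_hit, "attachments": hits, "verdict": verdict}

# Constructed sample message modelled on the lure described in the advisory.
SAMPLE = """Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="transcript.pif"
Content-Disposition: attachment; filename="transcript.pif"

ZZ
--b1--
"""
```

A mail gateway would apply this only as one signal alongside up-to-date anti-virus signatures, since the subject and attachment names vary between samples.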
Upon execution, the worm copies itself to the system's hard drive, as a file
named java.exe or services.exe in the Windows installation folder. It also
adds a registry key to enable automatic start up at boot time. Additionally,
TCP port 1034 or 1042 is opened as a backdoor on the infected computer.
The original AusCERT Alert regarding MyDoom[8] was issued on 27 January
2004:
AL-2004.02 -- AUSCERT ALERT -- Email worm W32/Mydoom@MM (W32.Novarg.A@mm)
http://www.auscert.org.au/3785
AusCERT recommends upgrading all anti-virus software to use the latest
definition files as soon as they become available. See the anti-virus vendor
links for removal instructions and tools.
Users should remain aware of the danger of opening unsolicited email
attachments.
REFERENCES:
[1] http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html
[2] http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=49861
[3] http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
[4] http://www.f-secure.com/v-descs/mydoom_m.shtml
[5] http://vil.nai.com/vil/content/v_127033.htm
[6] http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711
[7] http://www.sophos.com/virusinfo/analyses/w32mydoomo.html
[8] http://www.auscert.org.au/3785
Regards,
The AusCERT Team
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================