This seems to have vanished as quickly as it appeared, but here (somewhat belatedly I might add) are the details.Sophos has been detecting W32/MyDoom-O since 15:41 GMT on 26 July 2004 and has issued this updated IDE to improve detection.
Description
W32/MyDoom-O is a mass-mailing worm which spreads by emailing itself via its own SMTP engine. The worm also allows unauthorised remote access to the computer via a network. When first run the worm copies itself to either the Windows or Temp folders as java.exe and adds one of the following registry entries to ensure that the copy is run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Services
W32/MyDoom-O also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is the backdoor component of W32/MyDoom-O
W32/MyDoom-O searches the hard disk email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-O and the percentage chance that each is used are:
www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)
When choosing addresses to send itself to W32/MyDoom-O will avoid addresses which contain any of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
The email sent by the worm has a spoofed sender.
The subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within <number> days:
Mail server <hostname> is not responding
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.
The attached file may be named similarly to the recipient's username or domain or using one of the following names:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message
with an optional extension of DOC, TXT, HTM, HTML and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described above.
Topic: W32/MyDoom-O (Read 955 times)