| Field | Value |
| --- | --- |
| Name | Win32.MyDoom.e |
| Threat Level |  |
| Alias | Win32.MyDoom.e, W32/Mydoom.e@MM |
| Date | 16 February, 2004 |
| Type | Win32, Worm, Trojan |
| Damage | Create files, Send Email, Remote control |
| Platform | Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP |

Analysis
Win32.MyDoom.e is a mass-mailing variant of Win32.MyDoom.a with similar capabilities. Like the original, the worm spreads via mail and the peer-to-peer network, listens on the same TCP ports and performs a denial of service attack.
The arriving email will have the following characteristics:
Sender: The sender of the mail will be spoofed (forged) by the worm.
Subject: The subject of this mail may be, but is not limited to, any of the following:
- Error
- hello
- hi
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
Message body: The message body may be, but is not limited to, any of the following:
- Mail transaction failed. Partial message is available.
- test
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
Attached File: The filename of the attachment may vary, but the extension will be one of the following:
- .bat
- .cmd
- .exe
- .pif
- .scr
Notes: The icon representing the attachment may be that associated with a simple text file.
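The mail characteristics listed above translate directly into a gateway or mailbox triage rule. The following Python script is an added example (not eSafe's code or the advisory's own detection logic) that parses an RFC 822 message with the standard `email` module, checks the subject, body and attachment extension against the indicators transcribed from this advisory, and returns a verdict. The sample messages are constructed inline and are not real worm captures; the sender addresses use the reserved `.invalid` domain.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the advisory text (lower-cased for comparison).
SUBJECTS = {
    "error", "hello", "hi", "mail delivery system",
    "mail transaction failed", "server report", "status",
}
BODY_PHRASES = (
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding "
    "and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent "
    "as a binary attachment.",
)
EXACT_BODIES = {"test"}            # too short to substring-match safely
ATTACHMENT_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}


def triage(raw: bytes) -> dict:
    """Return the matched indicators and a verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)

    # get_content() transparently undoes quoted-printable/base64 encoding,
    # so the comparison runs on the decoded text, not the wire form.
    body_part = msg.get_body(preferencelist=("plain",))
    body = " ".join(body_part.get_content().split()).lower() if body_part else ""
    if body in EXACT_BODIES or any(p in body for p in BODY_PHRASES):
        hits.append("body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in ATTACHMENT_EXTS:
            hits.append("attachment:" + name)

    # A MyDoom subject such as "hi" or "Status" is far too common to act on
    # alone; require the executable attachment plus a lure match.
    exe_hit = any(h.startswith("attachment:") for h in hits)
    lure_hit = any(h.startswith(("subject:", "body")) for h in hits)
    if exe_hit and lure_hit:
        verdict = "mydoom-like"
    elif exe_hit:
        verdict = "executable-attachment"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def build_sample() -> bytes:
    """Constructed message shaped like the advisory's description (not a capture)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"   # the worm forges this header
    m["To"] = "user@example.invalid"
    m["Subject"] = "Mail Delivery System"
    m.set_content("The message contains Unicode characters and has been "
                  "sent as a binary attachment.")
    # Placeholder bytes with an 'MZ' prefix stand in for the executable payload.
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="message.scr")
    return bytes(m)


def build_clean_sample() -> bytes:
    """Constructed benign message that shares one subject line with the worm."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "Status"
    m.set_content("Weekly status report attached.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="status.pdf")
    return bytes(m)


if __name__ == "__main__":
    for raw in (build_sample(), build_clean_sample()):
        print(triage(raw))
```

The rule deliberately keys on the attachment extension plus a lure match rather than on subject alone, because "Error", "hi" and "Status" occur in legitimate traffic; a gateway that already strips `.scr`/`.pif`/`.bat` attachments blocks this worm regardless of the lure text.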
Malicious activity
When the worm is executed by the user it does the following:
1. Copies itself to the default System folder as taskmon.exe.
2. To ensure it is executed on every startup, the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = "%sysdir%\taskmon.exe"
Note: %sysdir% refers to the default location of the System folder.
3. The worm then copies itself to the default KaZaA shared folder under the following filenames:
- activation_crack
- icq2004-final
- nuke2004
- office_crack
- rootkitXP
- strip-girl-2.0bdcom_patches
- winamp
4. At this stage the worm opens listening TCP ports 3127 through 3198.
5. It may also launch a DoS (Denial of Service) attack against www.sco.com.
6. Finally, the worm will send itself to all contacts harvested from the system.
Note: Activities 4, 5 and 6 may not always work, due to bugs in the worm's code and the various conditions under which they are triggered.
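Steps 1 through 4 above give an incident responder four host-side indicators: the Run-key value, the dropped file in the System folder, the KaZaA share names and the listening port range. The Python script below is an added example (not eSafe's code or part of the advisory) that matches a snapshot of those artifacts against the indicators, including a parser for `netstat -ano` style output to recover listening ports and their PIDs. The snapshot data is constructed inline for illustration; the `collect_run_values_windows` helper reads the real Run key with the standard `winreg` module when run on Windows and is a no-op elsewhere.

```python
import os
import re
import sys

# Host indicators transcribed from the advisory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "TaskMon"
DROPPED_FILE = "taskmon.exe"
KAZAA_NAMES = {"activation_crack", "icq2004-final", "nuke2004", "office_crack",
               "rootkitXP", "strip-girl-2.0bdcom_patches", "winamp"}
PORT_RANGE = range(3127, 3199)       # 3127 through 3198 inclusive

# Matches lines such as "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING    1234"
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def listening_ports_from_netstat(text: str) -> dict:
    """Parse 'netstat -ano' output into {port: pid} for listening TCP sockets."""
    ports = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports


def match_host_indicators(run_values: dict, system_files: set,
                          share_files: set, listening: dict) -> list:
    """Return one finding string per indicator family that matches."""
    findings = []

    val = run_values.get(RUN_VALUE, "")
    if val.lower().endswith("\\" + DROPPED_FILE):
        findings.append(f"run-key: {RUN_KEY}\\{RUN_VALUE} = {val}")

    if DROPPED_FILE in {f.lower() for f in system_files}:
        findings.append(f"dropped-file: %sysdir%\\{DROPPED_FILE}")

    # The advisory lists the share names without an extension, and one of them
    # contains a dot, so compare the whole name or the name up to a trailing ".ext".
    shared = sorted(f for f in share_files
                    if any(f.lower() == k.lower() or f.lower().startswith(k.lower() + ".")
                           for k in KAZAA_NAMES))
    if shared:
        findings.append("share-files: " + ", ".join(shared))

    ports = sorted(p for p in listening if p in PORT_RANGE)
    if ports:
        pids = sorted({listening[p] for p in ports})
        findings.append(f"ports: {ports[0]}-{ports[-1]} listening (pid {pids})")
    return findings


def collect_run_values_windows() -> dict:
    """Read the HKLM Run key on a live Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            out[name] = str(data)
    return out


# Constructed netstat output for the example; not taken from an infected host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:49152         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1100
"""


def build_snapshot() -> tuple:
    """Constructed host snapshot showing all four indicator families."""
    run_values = {"TaskMon": r"C:\WINDOWS\System32\taskmon.exe",
                  "SomeUpdater": r"C:\Program Files\Vendor\upd.exe"}
    system_files = {"kernel32.dll", "taskmon.exe", "notepad.exe"}
    share_files = {"holiday.mp3", "winamp.exe", "strip-girl-2.0bdcom_patches"}
    return run_values, system_files, share_files, listening_ports_from_netstat(NETSTAT_SAMPLE)


if __name__ == "__main__":
    for line in match_host_indicators(*build_snapshot()):
        print(line)
```

On a real host the snapshot would come from `collect_run_values_windows()`, `os.listdir()` on `%SystemRoot%\System32` and the KaZaA share directory, and the captured text of `netstat -ano`; the PID attached to the listening ports is what ties the finding back to the running copy of `taskmon.exe`.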
eSafe Users
A new vandal/virus update is available.
Update date: February 16, 2004
Update version: EV115-SV295
eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product eConsole.
New Users
More information about eSafe Content Security Products as well as trial versions is available from here.