The technical support department of Sophos, a world leader in protecting businesses against viruses and spam, has warned users of the W32/MyDoom-A worm, which is spreading widely across the internet.
The My Doom worm (also known as Novarg or Mimail-R) spreads via email, using a variety of technical-sounding subject lines and attachment names. If the attached file is launched, and the worm activated, the infected computer's hard disk is harvested by the worm for more email addresses to send itself to. The worm opens a backdoor onto infected computers, which allows hackers to gain access.
"My Doom is unlike many other mass-mailing worms we have seen in the past, because it does not try to seduce users into opening the attachment by offering pictures of celebrities or private messages," said Graham Cluley, senior technology consultant for Sophos. "My Doom can pose as a technical-sounding message, claiming that the email body has been put in an attached file. Of course, if you launch that file you are potentially putting your data and computer straight into the hands of hackers."
"When the My Doom worm forwards itself via email, it can create its attachment in either Windows executable or Zip file format. It is possible the worm's author did this in an attempt to bypass company filters which try and block EXE files from reaching their users from the outside world," continued Cluley.
Network Associates announced that McAfee AVERT™ (Anti-Virus Emergency Response Team), the world-class anti-virus research division of Network Associates, assigned a high risk outbreak to the recently discovered W32/Mydoom@mm, also known as Mydoom. Mydoom is a destructive worm that spreads via email as a binary attachment, making itself appear as if the attachment is a text file. The discovery of the virus was announced today by McAfee AVERT and has been found in as many as 25 companies and seen throughout Asia Pacific, Canada, Europe, Japan, Latin America and the United States.
Mydoom is an Internet worm that, once activated, opens Windows Notepad and fills it with nonsense characters. The worm then tries to spread via email and by copying itself to the shared directory for Kazaa clients, if they are present. Users should immediately delete any email containing the following:
From: (Spoofed)
Subject: (Random)
Body of email: (Varies)
Attachment: Varies, but often arrives as an .EXE, .PIF, .CMD or .SCR in a ZIP archive that is 22,528 bytes
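A gateway rule that blocks only EXE attachments misses the ZIP form described above. The following is an added example, not code from Sophos, McAfee or the original page: it checks attachment names both directly and inside ZIP archives against the extensions listed above. The function names and the sample message builder are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the page lists for Mydoom attachments.
BLOCKED_EXT = (".exe", ".pif", ".cmd", ".scr")


def risky_names(filename, payload):
    """Return blocked names for one attachment, looking inside ZIP archives."""
    hits = []
    if filename.lower().rstrip(". ").endswith(BLOCKED_EXT):
        hits.append(filename)
    # Detect ZIPs by content, not by the (sender-controlled) file name.
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                if member.lower().rstrip(". ").endswith(BLOCKED_EXT):
                    hits.append(f"{filename}!{member}")
    return hits


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list every blocked attachment name."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        hits.extend(risky_names(name, data))
    return hits


def build_sample(attachment_name, inner_name=None):
    """Constructed test message; the 'payload' is harmless placeholder text."""
    body = b"placeholder, not executable code"
    if inner_name:  # wrap the placeholder in a ZIP under the given member name
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, body)
        body = buf.getvalue()
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("The message body is in the attached file.")
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()
```

Nested archives are not unpacked here; a production filter would need to recurse with a depth limit.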
After being executed, Mydoom emails itself out as an attachment with the filenames c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr, c:\WINDOWS\Desktop\Document.scr and c:\WINDOWS\SYSTEM\taskmon.exe. The icon used by the file tries to make it appear as if the attachment is a text file. Mydoom also uses a DLL that it creates in the Windows System directory c:\WINDOWS\SYSTEM\shimgapi.dll. It then creates a registry entry to hook Windows startup at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe. Mydoom opens a connection on TCP port 3127, suggesting remote access capabilities.