Mydoom.M - HIGH RISK Virus Alert

Aliases:

W32/Mydoom.o@MM, MyDoom.M, W32,Mydoom.M@MM, W32/Mydoom-O

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M

 

Yes, my firewall records at least 3 or 4 port scans each day, i suspect it could be this or some other computer virus which is scanning my ports. Luckily all my ports are stealthed by my firewall.

 

Hmmm, this mydoom M or O worm is coming in via e-mail I understood. And if inside your computer it tries to break out, which can be stopped by your firewall.
Do you have a sample logfile?

 

No gerard, i don't have a sample logfile here. What i was trying to say in the previous post is that some zombie computers, those are zombie machines which are infected with some sort of virus, i don't know what virus cos' there are so many. And, when i backtrace the port scans, i traced them to computers from other foreign countries. There is no virus on my computer here. I have many layers of defence.

But, my sygate firewall had an portscan detection alert: Somebody is scanning your computer.
Your computer's TCP ports:
1025, 6129, 3410, 1433 and 5000 have been scanned from 202.156.178.208.

And, who the heck is at 202.156.178.208? Hey, it's actually another customer using the same ISP as me! His computer must have some sort of port scanning tool on it.

 

Trend Newsletter: WORM_MYDOOM.M

WORM_MYDOOM.M is another variant of the MYDOOM worm that, like its earlier variants, spreads via email through Simple Mail Transfer Protocol (SMTP). This worm infects Windows 95, 98, ME, NT, 2000 and XP, and is currently spreading in-the-wild.

Upon execution, this worm drops a copy of itself as JAVA.EXE in the Windows folder. It then creates an auto-run registry entry that allows it to execute at every system startup.

To propagate via email, the worm harvests target email addresses from the Windows Address Book (WAB), from the Temporary Internet Files folder, and from files with the following extensions found in fixed drives:

• hlp
• tx*
• asp
• ht*
• sht*
• adb
• dbx
• wab

When it finds an email address, it obtains the domain name of that email address and queries the following search engines to search for email addresses in the same domain, thereby allowing it gather more addresses to spam:

http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com

The email message it sends has varying subject lines, message bodies and attachment file names, and it spoofs the sender's name (FROM field) of the email it sends, both in the email header and the envelope. It skips email addresses with domain names that contain certain strings.

This worm also has backdoor functionalities that leave the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens a port and waits for outside connections. This allows a remote attacker to control the infected machine.

If you would like to scan your computer for WORM_MYDOOM.M or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_MYDOOM.M is detected and cleaned by Trend Micro pattern file 1.947.00 and above.