MyDoom mutant attacks Microsoft and RIAA

By Robert Jaques [25-02-2004]
Medium-risk mass-mailing worm attempts Denial of Service hit on industry giants

Security experts have discovered another version of the MyDoom virus.
The recently discovered W32/MyDoom.f@mm, also known as MyDoom.F, was classified as a medium risk by McAfee's Anti-Virus and Vulnerability Emergency Response Team (Avert) division yesterday.

MyDoom.F is similar to previous MyDoom variants in that it contains its own SMTP engine for building and sending messages.

It attempts to perform a Denial of Service (DoS) attack against the Microsoft and RIAA websites, and contains a malicious payload that deletes files on infected PCs.

According to Avert, the virus has been found in as many as 60 companies throughout Asia Pacific, Canada, Europe, Japan, Latin America and the US.

The virus is a mass-mailing worm that tries to spread via email and by copying itself to the Windows System directory using random filenames.

"After being executed, MyDoom.F emails itself out as an attachment with a random filename. The worm makes copies of itself as .zip archives or .exe in different directories on the local hard disk and mapped drives," warned Avert.

"MyDoom.F opens a connection on TCP port 1080 and opens a list of other ports, ranging from 3000-5000, suggesting remote access capabilities. The worm also appears to carry out a DoS attack on the websites www.microsoft.com and www.riaa.com."

Further details about MyDoom.F and instructions for its removal can be found here.http://vil.nai.com/vil/content/v_101038.htm

http://www.vnunet.com/News/1153026