WORM_MIMAIL.R

Virus type: Worm

Destructive: No

Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm

Description:

A new variant of the MIMAIL worm has been found in the wild. As of January 26, 2004 1:47 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_MIMAIL.R.

This mass-mailing worm has the ability of generating random email subjects, message bodies and attachment file names. This worm also has backdoor capabilities.

It runs on Windows 98, ME, NT, 2000 and XP.


Please note that TrendLabs is working to provide a more in depth analysis of this malware. Please refer to the Technical Details section for more information about this malware.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

 

TrendMicro Newsletter: WORM_MYDOOM.A

WORM_MYDOOM.A is a mass-mailing worm that is currently circulating in-the-wild, and affects computers running Windows 95, 98, ME, NT, 2000, and XP.

This worm selects from a pre-determined list of email subjects, message bodies, and attachment file names that it uses for the email messages it sends. It spoofs the sender name of its messages, so that the messages appear to have been sent by different users instead of the actual users of infected machines. WORM_MYDOOM.A also propagates through the Kazaa peer-to-peer file-sharing network.

WORM_MYDOOM.A performs a denial of service (DoS) attack against the Web site www.sco.com. It attacks the site if the infected computer system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004. It also runs a backdoor component, which it drops as the file SHIMGAPI.DLL. This backdoor component allows remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.

Upon execution, this worm drops two files:

SHIMGAPI.DLL - a backdoor DLL component of this worm
TASKMON.EXE - a copy of this worm (Note: A legitimate Windows utility with the same file name can be found in the Windows folder on some systems)

It also adds a registry entry that allows it to automatically execute at every Windows startup. If the registry entry already exists, the worm overwrites the entry. It also adds a registry entry that allows its backdoor DLL file component to automatically execute at startup. This registry entry injects SHIMGAPI.DLL into EXPLORER.EXE during startup.

This worm uses Simple Mail Transfer Protocol (SMTP) to send email and to propagate. It gathers recipient email addresses using the following three methods:

1. the Windows Address Book
2. by searching for email addresses and domain names from files with specific file extensions, located in the Temporary Internet Files folder (please read the Technical Details section of the virus description for more detailed information on the specific file extensions)
3. by constructing additional email addresses by prepending specific strings from obtained domain names (please read the Technical Details section of the virus description for more detailed information on the specific strings)

It sends email with the following details:

From: (any of the following)

Spoofed email address taken from list of harvested and generated addresses
Random characters
Blank

Subject: (any of the following)

<blank>
<random characters>
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
test

Message Body: (any of the following)

<blank>
<garbage data>
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
test

Attachment: (The attachment may arrive as a .ZIP file. If it does not, then the attachment name is taken from any of several specific combinations of filenames and extension names. Please read the Technical Details section of the virus description for more detailed information on the specific filenames and extensions: )

This worm also has the capability to spread via Kazaa, a peer-to-peer file sharing application, by dropping a copy of itself in the Kazaa shared folder.

In addition, the worm performs a Denial of Service (DoS) attack on the Web site www.sco.com. The DoS attack is triggered if the system date is greater than, or equal to, February 1, 2004. During the DoS attack, the worm creates 63 threads that continuously request the main page of www.sco.com. The DoS attack continues until February 12, 2004. On this date, the worm stops most of its routines, except for its backdoor functionalities. This backdoor component, which is dropped as the file SHIMGAPI.DLL, allows remote users to manipulate infected machines into downloading and executing arbitrary files.

If you would like to scan your computer for WORM_MYDOOM.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_MYDOOM.A is detected and cleaned by Trend Micro pattern file #745 and above.