Mydoom.M - HIGH RISK Virus Alert

Discussion in 'malware problems & news' started by ronjor, Jul 26, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    This member of the MYDOOM family of mailing worm programs is currently spreading in the wild, with several infection reports gathered from Singapore, Germany and the United States. As of 8:31 AM, July 26, 2004 (GMT -7:00), TrendLabs has raised a Yellow alert to contain its propagation.


    http://secunia.com/virus_information/10755/mydoom.m/
     
  2. FanJ

    FanJ Guest

    Aliases:

    W32/Mydoom.o@MM, MyDoom.M, W32,Mydoom.M@MM, W32/Mydoom-O

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yes, my firewall records at least 3 or 4 port scans each day. I suspect it could be this or some other computer virus which is scanning my ports. Luckily all my ports are stealthed by my firewall.
     
  4. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Hmmm, this Mydoom M or O worm is coming in via e-mail, I understood. And once inside your computer it tries to break out, which can be stopped by your firewall.
    Do you have a sample logfile?
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    No Gerard, I don't have a sample logfile here. What I was trying to say in the previous post is that these are zombie computers, machines which are infected with some sort of virus; I don't know what virus 'cos there are so many. And when I backtrace the port scans, I trace them to computers in other foreign countries. There is no virus on my computer here. I have many layers of defence.

    But, my Sygate firewall had a port scan detection alert: Somebody is scanning your computer.
    Your computer's TCP ports:
    1025, 6129, 3410, 1433 and 5000 have been scanned from 202.156.178.208.

    And, who the heck is at 202.156.178.208? Hey, it's actually another customer using the same ISP as me! His computer must have some sort of port scanning tool on it.
     
    Last edited: Jul 30, 2004
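The alert quoted in the post above can be parsed and triaged mechanically: pull out the scanned ports and the source address, then check whether the source sits in a netblock you care about, such as your own ISP's customer range. The Python below is an added example, not part of the original post and not Sygate tooling. The alert text is a constructed copy of the wording above, the netblock 202.156.0.0/16 is an assumption standing in for "the same ISP as me" rather than the real allocation of that address, and the port annotations are the editor's, not the firewall's.

```python
"""Triage a Sygate-style port-scan alert.

Pull the scanned ports and the source address out of the alert text, check
whether the source sits in a netblock you care about (for example your own
ISP's customer range, as in the post above), and annotate the ports with the
services scanners of that period were usually probing for.
"""
import ipaddress
import re

# Constructed alert, worded like the Sygate alert quoted in the post above.
SAMPLE_ALERT = """Somebody is scanning your computer.
Your computer's TCP ports:
1025, 6129, 3410, 1433 and 5000 have been scanned from 202.156.178.208."""

# Hypothetical netblock standing in for "the same ISP as me"; the real
# allocation for 202.156.178.208 is not given on the page.
MY_ISP_NETBLOCK = "202.156.0.0/16"

# Editor's annotations of what these ports usually meant to a scanner in
# 2004; they are not part of the alert or of the worm description.
PORT_NOTES = {
    1025: "Windows RPC / first dynamic port",
    1433: "Microsoft SQL Server",
    3410: "OptixPro backdoor",
    5000: "Windows UPnP/SSDP",
    6129: "DameWare Mini Remote Control",
}

SRC_RE = re.compile(r"scanned from\s+(\d{1,3}(?:\.\d{1,3}){3})")
PORT_RE = re.compile(r"\b(\d{1,5})\b")


def parse_alert(text):
    """Return (sorted unique TCP ports, source IPv4Address) from alert text."""
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            src = ipaddress.ip_address(m.group(1))
            # Only the text before "scanned from" carries port numbers, so the
            # octets of the source address are never mistaken for ports.
            ports = {int(p) for p in PORT_RE.findall(line[: m.start()])}
            return sorted(p for p in ports if 0 < p < 65536), src
    raise ValueError("no 'scanned from' line in alert")


def triage(text, netblock=MY_ISP_NETBLOCK):
    """Classify one alert: who scanned, which ports, and whether the source is
    a neighbour on the given netblock (a likely infected fellow customer)."""
    ports, src = parse_alert(text)
    net = ipaddress.ip_network(netblock)
    return {
        "source": str(src),
        "ports": ports,
        "same_netblock": src in net,
        "private_source": src.is_private,
        "notes": {p: PORT_NOTES.get(p, "unlisted") for p in ports},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

A `same_netblock` hit is the cue to report the address to the ISP's abuse desk rather than to treat it as a targeted attack; a `private_source` hit means the scanner is on your own LAN.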
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Newsletter: WORM_MYDOOM.M

    WORM_MYDOOM.M is another variant of the MYDOOM worm that, like its earlier variants, spreads via email through Simple Mail Transfer Protocol (SMTP). This worm infects Windows 95, 98, ME, NT, 2000 and XP, and is currently spreading in-the-wild.

    Upon execution, this worm drops a copy of itself as JAVA.EXE in the Windows folder. It then creates an auto-run registry entry that allows it to execute at every system startup.

    To propagate via email, the worm harvests target email addresses from the Windows Address Book (WAB), from the Temporary Internet Files folder, and from files with the following extensions found in fixed drives:
    • hlp
    • tx*
    • asp
    • ht*
    • sht*
    • adb
    • dbx
    • wab
    When it finds an email address, it obtains the domain name of that email address and queries the following search engines to search for email addresses in the same domain, thereby allowing it to gather more addresses to spam:

    http://search.lycos.com
    http://www.altavista.com
    http://search.yahoo.com
    http://www.google.com

    The email message it sends has varying subject lines, message bodies and attachment file names, and it spoofs the sender's name (FROM field) of the email it sends, both in the email header and the envelope. It skips email addresses with domain names that contain certain strings.

    This worm also has backdoor functionalities that leave the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens a port and waits for outside connections. This allows a remote attacker to control the infected machine.

    If you would like to scan your computer for WORM_MYDOOM.M or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_MYDOOM.M is detected and cleaned by Trend Micro pattern file 1.947.00 and above.
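The harvesting step in the Trend description (walk fixed drives, pick files by extension, pull addresses out, group them by domain) is easy to reproduce, and doing so on a host tells you which of its addresses and domains would end up in the spam wave. The Python below is an added example by the editor, not Trend Micro's code and not the worm's. The sample files it creates are constructed, and the skip rule for "domain names that contain certain strings" is left as a caller-supplied parameter because the page does not list those strings.

```python
"""Estimate what WORM_MYDOOM.M would harvest from a directory tree.

Walks a folder the way the worm walks fixed drives, keeps only files whose
extension matches its list (hlp, tx*, asp, ht*, sht*, adb, dbx, wab), pulls
e-mail addresses out of them and groups them by domain, which is the unit the
worm then feeds to the search engines.
"""
import fnmatch
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Extension patterns from the Trend description; '*' is a wildcard, so
# 'tx*' covers .txt, 'ht*' covers .htm and .html, 'sht*' covers .shtml.
TARGET_EXT_PATTERNS = ("hlp", "tx*", "asp", "ht*", "sht*", "adb", "dbx", "wab")

# Deliberately loose address regex: the worm wants candidates, not validity.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_target_file(path):
    """True if the file's extension matches one of the worm's patterns."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return bool(ext) and any(fnmatch.fnmatchcase(ext, pat) for pat in TARGET_EXT_PATTERNS)


def harvest(root, skip_substrings=()):
    """Return {domain: sorted addresses} the worm would collect under root.

    skip_substrings mirrors the worm's "domain names that contain certain
    strings" rule; the page does not list those strings, so the default skips
    nothing and callers supply their own (assumed parameter, not from Trend).
    """
    by_domain = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_target_file(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read().decode("latin-1")  # never fails on binary
            except OSError:
                continue
            for addr in EMAIL_RE.findall(data):
                domain = addr.rsplit("@", 1)[1].lower()
                if any(s in domain for s in skip_substrings):
                    continue
                by_domain[domain].add(addr.lower())
    return {d: sorted(a) for d, a in by_domain.items()}


def build_sample_tree():
    """Create a constructed tree of sample files; returns the temp root."""
    root = tempfile.mkdtemp(prefix="mydoom_harvest_")
    os.makedirs(os.path.join(root, "mail"))
    samples = {
        "notes.txt": "contact alice@example.com and bob@example.com\n",
        "page.html": "<a href='mailto:carol@example.org'>Carol</a>\n",
        "script.shtml": "<!--#echo var='x'--> frank@lists.example.org\n",
        "readme.doc": "ignored@example.com is in a .doc and is not parsed\n",
        # Binary-looking mailbox fragment: the worm parses DBX files too.
        "mail/inbox.dbx": "From: dave@example.net\x00To: eve@example.com",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for domain, addrs in sorted(harvest(root).items()):
            print(domain, addrs)
    finally:
        cleanup(root)
```

Note that the skip rule is a substring match on the domain, so a skip string such as "example.org" would drop lists.example.org as well; that matches the "contain certain strings" wording rather than an exact-domain comparison.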
     