W32/Mydoom.s@MM

Discussion in 'malware problems & news' started by gerardwil, Aug 16, 2004.

Thread Status:
Not open for further replies.
  1. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Risk assessment: medium

    This virus is received in an email message as follows:

    Subject : photos
    Body : LOL!;))))
    Attachment : photos_arc.exe


    info: http://vil.nai.com/vil/content/v_127616.htm
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    lol, I also get spoofed emails from almost everyone I know and don't know. Most of them contain a strain of Netsky or the old Yaha. Amazing that so many users are still infected with so many worms and still don't know what happened.
     
  3. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    McAfee, Trend, and other AV vendors have declared this as MEDIUM RISK due to prevalence in-the-wild.

    MyDoom.S - MEDIUM RISK
    http://secunia.com/virus_information/11145/mydoom.s/
    http://vil.nai.com/vil/content/v_127616.htm
    http://www.sarc.com/avcenter/venc/data/w32.mydoom.q@mm.html
    http://www.f-secure.com/v-descs/mydoom_s.shtml
    http://www.trendmicro.com/vinfo/virusencyc...me=WORM_RATOS.A


    This virus is received in an email message as follows:

    From: <spoofed>
    Subject : photos
    Body : LOL!;))))
    Attachment : photos_arc.exe


    SOME BAD NEWS ON THIS ONE: If MyDoom.S infects your PC, it will attempt to download BackDoor-CHR. Once this stealthing driver is running on the victim machine, this threat is not detected by conventional AV scanning methods.


    BackDoor-CHR - hidden backdoor installed by MyDoom.S
    http://vil.nai.com/vil/content/v_127617.htm

    This remote access trojan is downloaded by W32/Mydoom.s@MM. It bears the following characteristics:

    * stealths its activity on the victim machine
    * serves as an HTTP and SMTP proxy
    * attempts to connect to numerous remote IRC servers
    * appends the local hosts file (in an attempt to disable updating of many AV products)
    * The trojan attempts to connect to a remote IRC server to await command. It carries a list of IP addresses and relevant ports for these servers ...


    The mul
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Newsletter: WORM_RATOS.A

    WORM_RATOS.A is a memory-resident, mass-mailing worm that arrives with an attachment that is a copy of the worm. It collects email addresses from the Windows Address Book, by searching temporary Internet files, and by querying certain entries in the Windows registry. It also constructs email addresses by prepending certain names to popular domain names. In addition, this worm downloads and executes a backdoor component file from several URLs, enabling remote access to the infected machine and therefore compromising user and system security. WORM_RATOS.A is a variant of the MYDOOM family of worms, and will be renamed as WORM_MYDOOM.S shortly. This worm is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this memory-resident worm drops a copy of itself as the following:
    %Windows%\RASOR38A.DLL
    %System%\WINPSD.EXE

    It also adds registry entries that allow it to run at every Windows startup.

    This worm sends a copy of itself via email by harvesting email addresses from files found in the temporary Internet files folder, with any of the following extension names: ADB ASP DBX HTM PHP SHT TBB TXT WAB

    It also checks for recipient email addresses in the Windows Address Book. In addition, it constructs email addresses by prepending the following names to the domain names aol.com, hotmail.com, msn.com, and yahoo.com: adam alex alice andrew anna bill bob brenda brent brian claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom

    It sends email with the following details:
    Subject: photos
    Message body: LOL!;))))
    Attachment: photos_arc.exe

    This worm skips email addresses connected to domain names with the following substrings: abuse abuse accoun acketst admin anyone arin. be_loyal: berkeley borlan certific contact example feste gold-certs google google hotmail ibm.com icrosof icrosoft inpris isc.o isi.e kernel linux linux listserv mit.e mozilla mydomai nobody nodomai noone nothing ntivi panda postmaster privacy rating rfc-ed ripe. ruslis samples secur sendmail service somebody someone sopho submit support tanford.e the.bat upport usenet utgers.ed webmaster

    In addition, this worm downloads and executes a backdoor component file from several URLs. The downloaded component is saved as WINVPN32.EXE, in the Windows folder, and then executed.

    If you would like to scan your computer for WORM_RATOS.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_RATOS.A is detected and cleaned by Trend Micro pattern file 1.957.00 and above.
     
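A mail-gateway style check for the lure described in the newsletter above (Subject "photos", body "LOL!;))))", attachment photos_arc.exe), written as an added example for this thread and not taken from Trend or any vendor tool; the sample messages are constructed and the attachment bytes are a placeholder, not real malware.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Lure details quoted in the thread (Subject / body / attachment name).
LURE_SUBJECT = "photos"
LURE_BODY_PREFIX = "LOL!;))))"
LURE_ATTACHMENT = "photos_arc.exe"
# Extensions a gateway would treat as executable content (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def classify_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and report which indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    # Require the text lure AND the named attachment; a subject of "photos" alone is common.
    lure_text = subject.lower() == LURE_SUBJECT and body.startswith(LURE_BODY_PREFIX)
    lure_file = any(n.lower() == LURE_ATTACHMENT for n in names)
    return {
        "mydoom_s_match": lure_text and lure_file,
        "executable_attachment": any(n.lower().endswith(EXECUTABLE_EXTENSIONS) for n in names),
        "attachments": names,
    }


def build_sample(subject: str, body: str, filename: Optional[str]) -> bytes:
    """Build a constructed test message (not a real capture); payload bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"  # the worm spoofs the sender, as the thread notes
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(b"MZ placeholder, not real malware",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


MYDOOM_SAMPLE = build_sample(LURE_SUBJECT, LURE_BODY_PREFIX, LURE_ATTACHMENT)
BENIGN_SAMPLE = build_sample("photos", "Here are the holiday photos, see attached PDF.", "photos.pdf")

if __name__ == "__main__":
    for label, raw in (("mydoom", MYDOOM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify_message(raw))
```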