W32.Mydoom.M@mm

Alias

Mydoom.M, W32/Mydoom.o@MM, W32/MYDOOM.L@MM, WORM_MYDOOM.M, Win32.Mydoom.M, I-Worm.Mydoom.m

Description

W32.Mydoom.M@mm is a new variant of the W32.Mydoom@mm worm. It is a mass-mailing worm that spreads through email using its own SMTP engine and can also copy itself to mapped drives. It sends itself out using a spoofed sender email address. The message carries a randomly named attachment with one of the file extensions .zip, .bat, .scr, .exe, .cmd or .pif. For a detailed description of the email message format, please refer to the Appendix.

Once the attachment is extracted and run by the recipient, the worm copies itself to the Windows System folder using a random filename and creates a startup key in the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM="%Windows%\java.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE

Also, the worm creates a key at the following locations in the system registry:

HKEY_CURRENT_USER\Software\Microsoft\Daemon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

Once the worm has collected email addresses from the infected computer, it queries the following search engines for further addresses in the same domains as the collected ones:

  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com

The worm contains a backdoor component with remote access capabilities, which listens on TCP port 1034 on the infected computer.

Payload

1. Send itself to e-mail addresses collected from local files with the following extensions:
  • hlp
  • tx*
  • asp
  • ht*
  • sht*
  • adb
  • dbx
  • wab

The worm skips email addresses whose domain name contains any of the following strings:

  • arin.
  • avp
  • bar.
  • domain
  • example
  • foo.com
  • gmail
  • gnu.
  • google
  • hotmail
  • microsoft
  • msdn.
  • msn.
  • panda
  • rarsoft
  • ripe.
  • sarc.
  • seclist
  • secur
  • sf.net
  • sophos
  • sourceforge
  • spersk
  • syma
  • trend
  • update
  • uslis
  • winrar
  • winzip
  • yahoo

It skips email addresses whose account name is one of the following:

  • anyone
  • ca
  • feste
  • foo
  • gold-certs
  • help
  • info
  • me
  • no
  • nobody
  • noone
  • not
  • nothing
  • page
  • rating
  • root
  • site
  • soft
  • someone
  • the.bat
  • you
  • your

It also skips email addresses whose account name contains any of the following strings:

  • admin
  • support
  • ntivi
  • submit
  • listserv
  • bugs
  • secur
  • privacycertific
  • accoun
  • sample
  • master
  • abuse
  • spam
  • mailer-d

2. Listens on TCP port 1034 and activates the remote access capability.

3. Tries to copy itself to folders whose names contain the strings "userprofile" or "yahoo.com" (peer-to-peer propagation).

4. Submits the email address queries to several popular search engines (AltaVista, Google, Lycos and Yahoo!), which causes a denial of service (DoS) attack on those engines.

5. If an anti-virus gateway is configured to send notification messages to the sender address, the spoofed sender address is spammed.

Solution

1. Detecting and Cleaning the worm

New virus definitions are available from anti-virus vendors to detect and remove this virus.

If you do not have an anti-virus program installed, you can download one of the following removal tools to clean it.

McAfee
http://vil.nai.com/vil/stinger

Symantec
http://securityresponse.symantec.com/avcenter/FxMydoom.exe

Note: Please follow the instructions of your anti-virus vendor to remove the virus and repair your system.

2. Avoid the notification email storm caused by anti-virus gateway

To avoid the email storm caused by an anti-virus gateway generating a huge number of notification messages, you might temporarily disable notification messages to the sender. These can be re-enabled once the peak of the worm outbreak has passed.

Related Link(s)

For more information, please refer to the following websites.

  • Information from Computer Associates
  • Information from F-Secure
  • Information from Kaspersky
  • Information from McAfee
  • Information from Norman
  • Information from Sophos
  • Information from Symantec
  • Information from Trend Micro

Appendix

It arrives in an email like the following:

From

Spoofed email address; the sender name may be one of the following:

  • Automatic Email Delivery Software
  • Bounced mail
  • MAILER-DAEMON
  • Mail Administrator
  • Mail Delivery Subsystem
  • Post Office
  • Returned mail
  • The Post Office

Subject

Random (may contain one of the following):

  • The original message was included as attachment
  • The/Your m/Message could not be delivered
  • hello
  • hi error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body (Sample message)

Dear user XXX@ [target domain],
Your e-mail account was used to send a huge amount of unsolicited e-mail messages during the recent week.
Most likely your computer had been infected by a recent virus and now runs a hidden proxy server.
Please follow our instruction in the attached file in order to keep your computer safe.


Virtually yours,
The [target domain] support team.

Attachment

Randomly named file (may contain one of the following):

  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
  • postmaster

with one of the following extensions:

  • zip
  • bat
  • scr
  • exe
  • cmd
  • pif
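As an added example (not part of the original advisory), the sender-name, subject and attachment indicators from this Appendix turned into a mail-gateway check in Python; the sample message below is constructed for the test, and the addresses in it are placeholders.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Lure strings taken from the advisory's Appendix (lower-cased for matching).
SENDER_NAMES = {"automatic email delivery software", "bounced mail", "mailer-daemon",
                "mail administrator", "mail delivery subsystem", "post office",
                "returned mail", "the post office"}
SUBJECTS = {"the original message was included as attachment", "hello", "hi error",
            "status", "test", "report", "delivery failed",
            "message could not be delivered", "mail system error - returned mail",
            "delivery reports about your e-mail", "returned mail: see transcript for details",
            "returned mail: data format error"}
ATTACH_STEMS = {"readme", "instruction", "transcript", "mail", "letter", "file",
                "text", "attachment", "document", "message", "postmaster"}
ATTACH_EXTS = {".zip", ".bat", ".scr", ".exe", ".cmd", ".pif"}

def mydoom_m_indicators(raw_message):
    """Return the Mydoom.M lure indicators found in one RFC 822 message ([] = no match)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    display_name, _ = parseaddr(msg.get("From", ""))
    if display_name.strip().lower() in SENDER_NAMES:
        hits.append("sender-name")
    subject = (msg.get("Subject") or "").strip().lower()
    # "could not be delivered" covers the The/Your m/Message variants the advisory abbreviates.
    if subject in SUBJECTS or "could not be delivered" in subject:
        hits.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            stem, ext = os.path.splitext(filename.lower())
            if stem in ATTACH_STEMS and ext in ATTACH_EXTS:
                hits.append("attachment:" + filename)
    return hits

# Constructed sample (not a real capture): the bounce lure described in the Appendix.
SAMPLE_LURE = """From: "Mail Delivery Subsystem" <postmaster@example.com>
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="transcript.zip"
Content-Disposition: attachment; filename="transcript.zip"

(attachment bytes omitted)
--b1--
"""
```

A message that matches on all three indicators is a strong candidate for quarantine rather than a sender notification, which is exactly the bounce-storm path the Solution section warns about.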

Written on: 27 July, 2004
