
Updated: 3 February 2004

Recommended reactions for all W32/Mydoom@mm variants

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.


SCO sets up alternative web site during Mydoom.A attack

2 February 2004

Mydoom.A was programmed to perform a Distributed Denial of Service (DDoS) attack on SCO's web site (www.sco.com) starting Sunday, 1 February 2004. The attack consisted of infected computers accessing www.sco.com and retrieving the front page of SCO's web site.

The attack appears to have been successful: SCO's web site at www.sco.com has been unreachable since early on Sunday. Soon after the attack began SCO issued a statement confirming that a "large scale, Denial of Service attack has [...] made the company's web site completely unavailable".

SCO has now, however, set up alternative web sites at www.thescogroup.com and sco.com. These new web sites will be in use through 12 February 2004 when the worm is programmed to stop spreading and attacking. After this date, SCO plans to revert to its original web site.


A new W32/Mydoom@mm variant: W32/Mydoom.B@mm

28 January 2004

W32/Mydoom.B@mm
Aliases: (none)

A new W32/Mydoom@mm variant, W32/Mydoom.B@mm was discovered on 28 January 2004. It appears to behave in a similar fashion to its predecessor.

Threat Description

This new variant spreads in a similar way to the original A variant. Like the A variant, it is programmed to perform a Distributed Denial of Service (DDoS) attack on SCO's web site (www.sco.com) on 1 February 2004; in addition, Mydoom.B@mm will launch an attack on Microsoft's web site (www.microsoft.com) on 3 February 2004. The B variant is designed to stop spreading on 1 March 2004.

The worm reconfigures infected computers so that the web sites of many antivirus companies are no longer accessible. The modifications are probably intended to prevent users of antivirus software from downloading the updates needed to remove the worm.
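Mydoom.B achieves this by adding entries to the Windows hosts file that pin antivirus vendor names to an unroutable address; the bulletin above does not name the mechanism, so that detail is supplied here from the worm's known behaviour. The following script is an added example written for this page, not F-Prot code: it parses a hosts file and reports vendor domains that have been redirected. The vendor list, the sample file contents and the file path are assumptions for illustration, not the worm's actual list.

```python
from pathlib import Path

# Constructed sample of a hosts file after Mydoom.B-style tampering (not taken
# from the page or from a real infection): normal entries plus antivirus vendor
# names pinned to an unroutable address so that update downloads fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # legitimate internal entry
0.0.0.0 www.f-prot.com
0.0.0.0 f-prot.com
0.0.0.0 www.symantec.com
"""

# Vendor domains worth checking. This list is an assumption for the example;
# the page does not reproduce the worm's actual list.
WATCHED_DOMAINS = {
    "f-prot.com", "symantec.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "microsoft.com",
}

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}

# Default location on Windows NT/2000/XP (assumed install drive and directory);
# Windows 95/98/ME keep the file directly under the Windows directory instead.
DEFAULT_HOSTS_PATH = Path(r"C:\Windows\system32\drivers\etc\hosts")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def registrable_domain(hostname):
    """Crude 'last two labels' reduction: www.f-prot.com -> f-prot.com."""
    return ".".join(hostname.split(".")[-2:])


def find_blocked_vendors(text):
    """Return sorted (ip, hostname) entries that pin a watched vendor domain
    to a sinkhole address. The 'localhost' entry is expected and exempt."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip in SINKHOLE_ADDRESSES and registrable_domain(name) in WATCHED_DOMAINS:
            hits.append((ip, name))
    return sorted(hits)


def check_hosts_file(path=DEFAULT_HOSTS_PATH):
    """Read a hosts file from disk and report suspicious entries."""
    return find_blocked_vendors(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    for ip, name in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

A hit is a lead rather than proof of infection: ad-blocking hosts lists also pin names to 0.0.0.0, so confirm with a full on-demand scan using current signature files. If vendor sites really are unreachable, remove the offending lines before attempting to download updates.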

Mydoom.B affects computers running Windows 95, 98, ME, NT, 2000 and XP.

For more information on this worm and its disinfection please visit our virus information section.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Mydoom.B@mm using virus signature files dated 28 January 2004 or later.


W32/Mydoom.A@mm, a new mass-mailing worm, starts spreading quickly

26 January 2004

W32/Mydoom.A@mm
Aliases: Novarg.A, Mimail.R, Shimg

A new mass-mailing worm has been spreading rapidly via e-mail and the Kazaa file-sharing network since it was first discovered yesterday. Because the worm gained wide distribution in a very short time, FRISK Software's virus experts have classified it as high risk.

Threat Description

W32/Mydoom.A@mm spreads via e-mail messages with technical-sounding subject lines. The attachment containing the worm's executable also bears a technical, harmless-sounding name. If the attachment is executed, the worm infects the computer, harvests e-mail addresses from the infected computer's hard drive and spreads further by sending itself to those addresses. Mydoom.A also falsifies the From address by substituting another harvested address chosen at random, so the apparent sender of an infected message is generally not the infected machine. The worm also opens ports on the infected computer, creating a backdoor that could allow an attacker to gain remote control of it. Mydoom.A additionally spreads via the Kazaa file-sharing network.

Mydoom.A is programmed to perform a Distributed Denial of Service (DDoS) attack on SCO's web site (www.sco.com) on 1 February 2004. The worm is also designed to stop spreading eleven days later, on 12 February 2004. It is considered possible that the planned attack on SCO stems from resentment toward the company in parts of the Linux community over the company's claims that key elements of the Linux open-source operating system are covered by its UNIX copyrights.

The attack may also be a smoke screen to divert attention from the worm's backdoor component, which will still be functional after 12 February 2004. This component could have been included to build a world-wide network of unsuspecting individuals' home and office computers for the purpose of delivering large amounts of spam e-mail.

Mydoom.A affects computers running Windows 95, 98, ME, NT, 2000 and XP.

E-mails carrying Mydoom.A will usually have one of the following subject lines:

     test
     hi
     hello
     Mail Delivery System
     Mail Transaction Failed
     Server Report
     Status
     Error

The body of these e-mails is usually one of the following:

     test
     The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
     The message contains Unicode characters and has been sent as a binary attachment.
     Mail transaction failed. Partial message is available

Attachments containing Mydoom.A bear one of the following names:

     document
     readme
     doc
     text
     file
     data
     test
     message
     body

with one of the following extensions:

     .pif
     .scr
     .exe
     .cmd
     .bat

For more information on this worm and its disinfection please visit our virus information section.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Mydoom.A@mm using virus signature files dated 26 January 2004 or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.

1993-2013 © CYREN