Original Issue Date: 27th July 2004
MyCERT received information from various Anti-Virus sites this morning regarding the propagation of a new variant of the W32.MyDoom worm, W32.MyDoom.M, discovered on 26th July 2004 (US Pacific Time). This mass-mailing worm is reported to be spreading in the wild, with several infection reports received from Germany and the United States.
This worm runs on and affects Windows 95, 98, ME, NT, 2000 and XP.
As of 8:31 AM, July 26, 2004 (GMT -7:00), most Anti-virus vendors had raised a YELLOW ALERT for this worm. MyCERT has not received any reports of infections from local users but will continue to monitor the worm's activity closely.
Like the previous variants, this worm spreads via email over SMTP (Simple Mail Transfer Protocol), harvesting target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives.
Notably, it skips email addresses that contain certain strings, listed at the URL below:
When it finds an email address, it extracts the domain name from that address and queries the following search engines for further email addresses in that domain:
Using social engineering techniques, this worm sends out an email with a spoofed sender address, posing as a failed delivery notification.
The infected email has the following characteristics:
The From address is spoofed.
Subject: (Any of the following)
say helo to my litl friend
click me baby, one more time
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
Attachment: The worm may generate the attachment file name from the domain name of an email address gathered on the system. The attachment name may also be one of the following:
The attachment may have a second extension, which will be one of the following:
Screenshots of examples of infected emails are as below:
This worm also carries a backdoor component, detected as Backdoor.Zincite.A, that listens on port 1034/tcp and leaves the infected machine open to remote access. It drops the backdoor as SERVICES.EXE in the Windows folder; this file opens TCP port 1034 and waits for incoming connections.
This effectively hands control of the affected machine to a remote attacker.
Any up-to-date Anti-virus product is able to detect the presence of this worm on an infected machine.
A list of Anti-virus vendors is available at:
Network/System Administrators may be able to detect infected machines within their network by monitoring activity on port TCP/1034.
Machines that have been infected with this worm can be cleaned using an Automatic Removal Tool, the easiest way to clean up worms from infected machines. The cleaning steps are as follows:
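One way to turn the TCP/1034 indicator above into a check over a connection log, as an added example that is not part of the original advisory. The log line format (timestamp, action, protocol, source, destination) and the sample entries are constructed for this example and do not represent any particular firewall's real output; the internal address range is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of a perimeter/firewall connection log. The format
# "date time ACTION PROTO src:port dst:port" is an assumption for this
# example, not a real vendor format.
SAMPLE_LOG = """\
2004-07-27 09:12:03 ALLOW TCP 192.168.10.5:3412 192.168.10.9:1034
2004-07-27 09:12:07 ALLOW TCP 192.168.10.22:1044 203.0.113.7:80
2004-07-27 09:13:15 ALLOW TCP 198.51.100.4:51022 192.168.10.9:1034
2004-07-27 09:14:40 DENY  TCP 198.51.100.4:51023 192.168.10.14:1034
2004-07-27 09:15:02 ALLOW TCP 192.168.10.9:1101 192.168.10.31:1034
2004-07-27 09:15:30 ALLOW UDP 192.168.10.5:1034 192.168.10.1:53
"""

BACKDOOR_PORT = 1034  # port opened by the SERVICES.EXE backdoor component

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_activity(log_text, internal_prefix="192.168.10."):
    """Return {internal_host: [(source, action), ...]} for every internal host
    that received a TCP connection attempt on the backdoor port.

    UDP and other ports are ignored. DENY entries are kept: a blocked attempt
    still tells us which machine someone believes is listening on 1034/tcp."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if int(rec["dport"]) == BACKDOOR_PORT and rec["dst"].startswith(internal_prefix):
            hits[rec["dst"]].append((rec["src"], rec["action"]))
    return dict(hits)


def internal_sources_to_backdoor(log_text, internal_prefix="192.168.10."):
    """Internal hosts that themselves connect to 1034/tcp elsewhere; an
    infected host talking to another host's backdoor is worth scanning too."""
    sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if int(rec["dport"]) == BACKDOOR_PORT and rec["src"].startswith(internal_prefix):
            sources.add(rec["src"])
    return sources


def suspected_hosts(log_text):
    """Sorted list of internal hosts to isolate and scan with updated AV."""
    hosts = set(find_backdoor_activity(log_text)) | internal_sources_to_backdoor(log_text)
    return sorted(hosts)


if __name__ == "__main__":
    for host, attempts in find_backdoor_activity(SAMPLE_LOG).items():
        print(host, attempts)
    print("scan:", suspected_hosts(SAMPLE_LOG))
```

Any host that appears as a destination on 1034/tcp is a candidate for the cleaning procedure in this advisory; a hit on its own is not proof of infection, so confirm with an updated Anti-virus scan before acting.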
Disconnect the infected machine from the network.
Disable System Restore on Windows XP/ME.
Download an Automatic Removal Tool to clean up the machine.
NOTE: The automatic removal tool can be downloaded on a clean machine onto removable media and then run on the infected machine to clean it up.
Enable System Restore.
Re-scan the affected machine with an updated version of Anti-Virus to make sure the machine has been cleaned.
Re-connect the machine to the network.
Apply Anti-virus filters at the organization's email gateway to block worm-infected attachments.
System Administrators may consider blocking attachments with the following extensions: .ZIP, .COM, .EXE, .PIF, .SCR and .BAT, as well as attachments with double extensions.
System Administrators may consider blocking incoming traffic to port TCP/1034 in order to prevent attackers from reaching infected machines within the network via that port.
End users should always follow safe email practices. Guides on safe email practices are available at:
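The attachment-blocking recommendation above expressed as a gateway check, as an added example that is not from the original advisory. It uses only the Python standard library; the sample message, its subject line (taken from the list in this advisory) and the placeholder attachment contents are constructed, and the definition of "double extension" used here (two or more trailing alphabetic extension tokens) is an assumption chosen to keep false positives such as report.2004.pdf down.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Extensions the advisory recommends blocking at the email gateway.
BLOCKED_EXTENSIONS = {".zip", ".com", ".exe", ".pif", ".scr", ".bat"}

# Assumed definition of a double extension: two or more trailing tokens of
# 1-4 letters, e.g. readme.txt.pif or invoice.doc.vbs. Numeric middle tokens
# (report.2004.pdf) are deliberately not counted as extensions.
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z]{1,4}\.[A-Za-z]{1,4}$")


def attachment_verdict(filename):
    """Return None if the attachment name is acceptable, otherwise the rule it broke."""
    name = filename.strip().lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    if DOUBLE_EXT_RE.search(name):
        return "double extension"
    return None


def scan_message(raw):
    """Walk a raw RFC 822 message and return [(filename, reason)] for every
    attachment that the gateway should strip or quarantine."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        reason = attachment_verdict(fname)
        if reason:
            findings.append((fname, reason))
    return findings


def build_sample(filenames):
    """Constructed message mimicking the worm's bounce-notification lure.
    Attachment bodies are inert placeholder bytes, not worm code."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # constructed, spoofed-style sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was included as attachment.")
    for fname in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_string()


if __name__ == "__main__":
    raw = build_sample(["readme.txt.pif", "report.2004.pdf", "message.zip",
                        "invoice.doc.vbs", "notes.txt"])
    for fname, reason in scan_message(raw):
        print("block", fname, "-", reason)
```

Blocking by extension is a coarse control: it will also stop legitimate .ZIP files, so pair it with the Anti-virus gateway filter rather than relying on it alone, and expect to whitelist some senders.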
MyCERT can be reached for assistance at: