Original Issue Date: 17th August 2004
MyCERT received a report from a local organization on the late evening of 16th August 2004 (MYT +0800) regarding a machine that had been infected with the W32.Mydoom.S@MM worm. Similar infections were also reported in Japan, Korea, China and the US.
A single organization's anti-virus filter at its email gateway detected and blocked about 50 emails infected with the W32.Mydoom.S worm within an hour this morning, and the number is increasing.
As of August 16, 2004 most anti-virus vendors had raised a YELLOW ALERT for the propagation.
W32.Mydoom.S@MM worm is a new variant of the Mydoom family, which was first discovered on August 16th 2004, 12.10 AM (GMT-07:00).
The worm is also known as:
Win32.Mydoom.S [Computer Associates],
WORM_RATOS.A [Trend Micro],
This mass mailing worm arrives as a normal email message with the following characteristics:
From: random-email-address (spoofed)
It may use an email address of a user on the infected computer, or start with one of the following names:
The domain will be one of the following:
The domain of the email address read from:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
Message body: LOL!;))))
A screenshot of the email is as below:
The worm runs on Windows 95, 98, ME, NT, 2000 and XP and propagates via emails with an attachment that contains a copy of the worm. Once the attachment is executed, the worm infects the machine and sends unwanted mass mailings to addresses collected from the Windows Address Book, by sorting through files found in the Temporary Internet Files folder and by querying certain entries in the Windows registry.
The worm also downloads and executes a backdoor component file from several URLs, which it stores in the Windows folder. F-Secure Anti-Virus reported that the worm tries to download backdoor components from the following domains:
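The following is an added illustration, not part of the MyCERT advisory, of the kind of gateway-side triage that produced the "about 50 emails within an hour" observation above. It flags messages that match the characteristics listed in this advisory (the message body "LOL!;))))" together with an executable attachment) and raises an alert when the hourly count of matches crosses a threshold. The sample messages are constructed; the attachment suffix list and the alert threshold are assumptions, not values from the advisory.

```python
"""Gateway triage for W32.Mydoom.S-style mail (added example, not MyCERT code).

Matches on the body text the advisory quotes and on the presence of an
executable-looking attachment, then counts matches per hour so a burst
such as the one reported above becomes an alert rather than 50 log lines.
"""
import email
import email.utils
from collections import Counter
from email import policy
from email.message import EmailMessage

MYDOOM_S_BODY = "LOL!;))))"  # body text quoted in the advisory
# Assumption: suffixes a worm carrier typically uses; the advisory names none.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")
HOURLY_THRESHOLD = 50  # assumption: alert level taken from the observation above


def build_message(sender, recipient, body, attach_name=None,
                  when="Mon, 16 Aug 2004 09:12:00 +0800"):
    """Construct a sample RFC 822 message (constructed test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Date"] = when
    msg.set_content(body)
    if attach_name:
        # Constructed payload: a few bytes resembling a PE header, nothing more.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


def looks_like_mydoom_s(raw):
    """True when the body is exactly the quoted text and an executable attachment is present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    has_exec = any((part.get_filename() or "").lower().endswith(EXEC_SUFFIXES)
                   for part in msg.iter_attachments())
    return body == MYDOOM_S_BODY and has_exec


def hourly_alerts(raw_messages, threshold=HOURLY_THRESHOLD):
    """Count matching messages per hour bucket; return (counts, buckets at/over threshold)."""
    counts = Counter()
    for raw in raw_messages:
        if not looks_like_mydoom_s(raw):
            continue
        msg = email.message_from_bytes(raw, policy=policy.default)
        sent = email.utils.parsedate_to_datetime(str(msg["Date"]))
        counts[sent.strftime("%Y-%m-%d %H:00 %z")] += 1
    alerts = {bucket for bucket, n in counts.items() if n >= threshold}
    return counts, alerts


# Constructed traffic: a burst of 50 worm-like messages plus two benign ones.
SAMPLES = (
    [build_message("alice@example.test", "bob@example.test", MYDOOM_S_BODY, "photo.zip")
     for _ in range(50)]
    + [build_message("carol@example.test", "bob@example.test", "Meeting at 3pm?")]
    # Body matches but no attachment: a reply quoting the text should not be flagged.
    + [build_message("dave@example.test", "bob@example.test", MYDOOM_S_BODY)]
)

if __name__ == "__main__":
    counts, alerts = hourly_alerts(SAMPLES)
    for bucket, n in sorted(counts.items()):
        flag = "ALERT" if bucket in alerts else "ok"
        print(f"{bucket}: {n} matching messages [{flag}]")
```

Matching on the body text alone would also catch legitimate replies that quote it, which is why the check requires the attachment as well; in production the suffix list would be replaced by the gateway's own attachment-type policy and the threshold tuned to the organization's normal mail volume.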
Scan the infected computer with updated anti-virus software to detect the presence of the worm.
NOTE: Users MUST update their anti-virus software in order to detect and delete the worm.
The worm can be removed by using an automatic removal tool to clean up the infected machine. The automatic removal tool can be downloaded at:
Practise safe email practices.
MyCERT can be reached for assistance at: