Original Issue Date: 17th August 2004

Introduction
MyCERT received a report from a local organization late in the evening of 16th August 2004 (MYT +0800) regarding a machine infected with the W32.Mydoom.S@MM worm. Similar infections were also reported in Japan, Korea, China and the US.
A single organization's anti-virus filter at its email gateway detected and blocked about 50 emails carrying W32.Mydoom.S within an hour this morning, and the number is still increasing.
As of 16th August 2004, most anti-virus vendors had raised a YELLOW ALERT for this worm's propagation.
Brief Description
W32.Mydoom.S@MM is a new variant of the Mydoom family, first discovered on 16th August 2004 at 12:10 AM (GMT-07:00).
The worm is also known as:
W32/Mydoom.s@MM [McAfee]
W32/MyDoom-S [Sophos]
Win32.Mydoom.S [Computer Associates]
WORM_RATOS.A [Trend Micro]
W32.Mydoom.Q@mm [Symantec]
This mass-mailing worm arrives as an ordinary email message with the following characteristics:
From: random email address (spoofed)
The worm may use an email address of a user on the infected computer, or build an address whose local part (the part before the @) is one of the following names:
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra
The domain will be one of the following:
t-online.de
mail.com
yahoo.com
hotmail.com
or the domain of the email account configured on the infected machine, which the worm reads from the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
To: random-email-address
Subject: photos
Message body: LOL!;))))
Attachment: photos_arc.exe
A screenshot of the email is as below:
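The characteristics above are enough to flag the worm at a mail gateway before signatures arrive. The following is an added example for this advisory, not MyCERT's or any vendor's code: it parses a raw message with Python's standard email library and reports which indicators match. The sender check only corroborates, because the From address is spoofed and may also be a real user of the infected machine; the attachment name alone is decisive, and a renamed .exe is still caught when the subject and body match. The sample messages are constructed here.

```python
# Added example for this advisory (not MyCERT's code): match inbound mail
# against the W32.Mydoom.S@MM characteristics listed above.
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the advisory text.
SPOOFED_LOCAL_PARTS = set("""
john alex michael james mike kevin david george sam andrew jose leo maria jim
brian serg mary ray tom peter robert bob jane joe dan dave matt steve smith stan
bill jack fred ted adam brent alice anna brenda claudia debby helen jerry jimmy
julie linda sandra
""".split())
SPOOFED_DOMAINS = {"t-online.de", "mail.com", "yahoo.com", "hotmail.com"}
WORM_SUBJECT = "photos"
WORM_BODY = "LOL!;))))"
WORM_ATTACHMENT = "photos_arc.exe"


def classify(raw: bytes) -> dict:
    """Return which Mydoom.S indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    # Spoofed sender: a match corroborates, a non-match proves nothing, since
    # the worm may also use a real address found on the infected machine.
    sender_hit = local.lower() in SPOOFED_LOCAL_PARTS and domain.lower() in SPOOFED_DOMAINS

    subject_hit = str(msg.get("Subject", "")).strip().lower() == WORM_SUBJECT

    body = msg.get_body(preferencelist=("plain",))
    body_hit = body is not None and WORM_BODY in body.get_content()

    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    attachment_hit = WORM_ATTACHMENT in names
    exe_hit = any(name.endswith(".exe") for name in names)

    # The attachment name alone is decisive; otherwise require the subject/body
    # pair plus some .exe payload so a renamed copy is still caught.
    verdict = attachment_hit or (subject_hit and body_hit and exe_hit)
    return {
        "mydoom_s": verdict,
        "sender": sender_hit,
        "subject": subject_hit,
        "body": body_hit,
        "attachment": attachment_hit,
    }


def build_message(sender, subject, body, attachment_name=None) -> bytes:
    """Construct a test message (sample data, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Dummy bytes standing in for the worm binary; only the name matters here.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm email, one legitimate.
WORM_SAMPLE = build_message("john@yahoo.com", "photos", "LOL!;))))", "photos_arc.exe")
BENIGN_SAMPLE = build_message("colleague@example.org", "photos",
                              "Here are the photos from the trip.", "trip.zip")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(raw))
```

At a gateway, a message that returns mydoom_s=True should be quarantined rather than bounced: the From address is spoofed, so a bounce goes to an innocent third party.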

Propagation
The worm runs on Windows 95, 98, ME, NT, 2000 and XP and propagates via email with an attachment that contains a copy of the worm. Once the attachment is executed, the worm infects the machine and mass-mails itself to addresses collected from the Windows Address Book, from files found in the Temporary Internet Files folder, and from certain entries in the Windows registry.
The worm also downloads and executes a backdoor component from several URLs, storing the file in the Windows folder. F-Secure Anti-Virus reported that the worm tries to download the backdoor component from the following domains:
www.richcolour.com
www.zenandjuice.com
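Because the infected machine fetches its backdoor from these domains, outbound proxy or DNS logs identify infected hosts even where anti-virus signatures are not yet deployed. The following is an added example for this advisory, not MyCERT's or F-Secure's code: it scans Squid-style access log lines and maps each internal client to its requests for the two domains. The match is on the domain and its subdomains only, so a look-alike such as richcolour.com.example.net is not flagged. The log lines are constructed for this example.

```python
# Added example for this advisory (not MyCERT's code): find internal hosts that
# contacted the backdoor-download domains above, from Squid-style proxy logs.
import re
from urllib.parse import urlsplit

BACKDOOR_DOMAINS = ("richcolour.com", "zenandjuice.com")

# Squid native access.log: time elapsed client code/status bytes method URL ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def domain_matches(host: str, domains=BACKDOOR_DOMAINS) -> bool:
    """True for the domain itself or any subdomain of it. A plain substring
    or suffix test would also flag look-alikes such as richcolour.com.example.net."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def host_from_url(url: str) -> str:
    # CONNECT requests are logged as host:port without a scheme.
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def find_infected_clients(lines) -> dict:
    """Map client IP -> list of (timestamp, host) for requests to the domains."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; skip rather than abort the sweep
        host = host_from_url(m.group("url"))
        if domain_matches(host):
            hits.setdefault(m.group("client"), []).append((m.group("ts"), host))
    return hits


# Constructed sample log lines (not a real capture); 203.0.113.0/24 is a
# documentation range standing in for the upstream addresses.
SAMPLE_LOG = [
    "1092672001.123    312 192.168.10.25 TCP_MISS/200 14582 GET http://www.richcolour.com/ - DIRECT/203.0.113.5 application/octet-stream",
    "1092672005.877     48 192.168.10.7 TCP_HIT/200 2214 GET http://www.mycert.org.my/ - NONE/- text/html",
    "1092672011.402    501 192.168.10.40 TCP_MISS/200 9801 CONNECT www.zenandjuice.com:80 - DIRECT/203.0.113.9 -",
    "1092672020.010     77 192.168.10.7 TCP_MISS/200 512 GET http://richcolour.com.example.net/ - DIRECT/203.0.113.20 text/html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, events in sorted(find_infected_clients(SAMPLE_LOG).items()):
        print(client, events)
```

Every client IP the function returns is a machine to isolate and scan; the same domain test can be run over DNS query logs if the proxy does not see all egress.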
Detection
Scan the infected computer with updated anti-virus software to detect the presence of the worm.
NOTE: Users MUST update their anti-virus software in order to detect and delete the worm; signatures released before 16th August 2004 will not recognise this variant.
Removal
The worm can be removed by using an automatic removal tool to clean up the infected machine. The automatic removal tool can be downloaded at:
Symantec
http://securityresponse.symantec.com/avcenter/FxMydoom.exe
Prevention
Practise safe email habits; see MyCERT's guide to safe email practices:
http://www.mycert.org.my/en/resources/email/email_practices/main/detail/512/index.html
References:
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.q@mm.html
Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A
McAfee
http://vil.nai.com/vil/content/v_127616.htm
MyCERT can be reached for assistance at:
Email:
Tel: 03-89961901
Fax: 03-89960827
SMS: 019-2813801