- Regardless of its recent outbreak, thousands of users are affected by a worm using the social engineering techniques and has a high spreading level.
- In despite of the latest tendencies on viruses, this new worm do not use any Microsoft vulnerability to infect the computers
- The new worm installs a file in the affected computers that opens the TCP port 3127 allowing the computer external control
- It also uses KaZaa to spread, copying itself in the user shared folder.
- Panda Software have available to all the users the detection and disinfection for this worm and recommends be alert and set the antivirus and the firewall active.
- PQRemove free disinfection tool available at Panda software web site.
MADRID, January, 26, 2004 - New worm W32/Mydoom.A.worm has already reached red alert status according to the virus labs of Panda Software. There have already been many incidences with thousands of users in numerous countries. The ability of W32/MyDoom.A to spread rapidly, as well as the damage it is leaving behind, makes W32/Mydoom.A.worm as serious as last summers Bugbear and Blaster.
W32/Mydoom.A worm forwards itself to all the addresses found in the affected computers. As other countries begin the usual workday increasing computer activity it is expected that this virus will grow and create more issues.
W32/Mydoom.A worm comes via an e-mail message with an attached file. Like the other recent virus epidemics, social engineering techniques cheat the user making the think they are supposed to open the file. The virus not only infects the computer that received the e-mail but then mails itself to all the contacts found in addresses book.
In addition, it opens the TCP port 3127 in the infected computer, allowing remote control of the computer. It means any malicious hacker may get access and steal, modify or destroy any kind of Information stored in the computer.
As additional Information, this virus is ready to launch a Denial of Service attack against the web site www.sco.com next February, 1st this year.
W32/Mydoom.A worm search e-mail addresses in the computer files with the extensions: .htm, .sht, .php, .asp, .dbx, .tbb, .adb, .pl, .wab, .txt. It uses its own SMTP engine to send itself by e-mail.
The message content changes, and may be composed by the following sentences:
Subject:
- test
- hi
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- Error
Body:
- Mail Transaction Failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
Attached file name:
- document
- readme
- doc
- text
- file
- data
- test
- message
- body
File extension:
- .pif
- .scr
- .exe
- .cmd
- .bat
- .zip
Once the virus has infected the computer, it then searches for the peer-to-peer file sharing Network KaZaa. If KaZaa is detected a file is copied to the shared folder allowing its distribution via this peer to peer system. The filename may be one of the following ones:
- winamp5
- icq2004-final
- activation_crack
- strip-girl-2.0bdcom_patches
- rootkitXP
- office_crack
- nuke2004
- and PIF, .SCR o .BAT extension.
Panda Software offers updates to all its customers to detect and eliminate W32/Mydoom.A worm. Users who have not enabled automatic updates can upgrade the antivirus in http://www.pandasoftware.com/.
Due to the possibility of being infected by W32/Mydoom.A.worm, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions as soon as possible and installing a good firewall.
Similarly, users can also detect and disinfect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company’s website at http://www.pandasoftware.com. Also, PQRemove free disinfection tool is available for all users.
Detailed technical information on W32/Mydoom.A.worm is available from Panda Software’s Virus Encyclopedia.
About PandaLabs:
On receiving a possibly infected file, Panda Software's technical staff gets straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information:
Yolanda Ruiz
yruiz@pandasoftware.es
Tel. +34 91 806 37 00