July 27, 2004 - Trend Micro issued a "medium risk" alert for WORM_MYDOOM.M to raise awareness of this SMTP-based mass-mailing worm, which pretends to be a warning that a message could not be delivered, or a "returned mail" notification. Sightings of the worm have been reported in Europe and the U.S.
WORM_MYDOOM.M propagates via email using SMTP, checking first for an Internet connection, and then connecting through a mail exchanger. It harvests target email addresses from the Windows Address Book file of the affected system, and checks the addresses through search engines like Google and Yahoo. The worm then spoofs the sender's name of the email it sends out.
Subject headers resemble a common delivery-failure notification, reading "status", "delivery reports about your e-mail", or "returned mail: see transcript for details", which entices the recipient to open the attachment.
"People naturally are concerned when they think their message has not gone through - the virus creator is taking advantage of users' behaviors," commented Joe Hartmann, senior virus researcher and analyst for Trend Micro. WORM_MYDOOM.A, which first gained attention in late January 2004, also pretended to be an official notification from a system administrator.
The message body contains warnings that the user's machine may have been compromised and may be used to send junk mail. Experts suggest that the malware is capitalizing on people's heightened concern about their machines being used to send spam through hidden proxy servers.
Similar to its original WORM_MYDOOM.A, WORM_MYDOOM.M arrives in an attachment bearing a .ZIP, .BAT, .PIF, .EXE, or .SCR extension; however, the file name is taken from the address where the worm is intended to be sent, making it seem relevant to the intended victim. Once inside the infected machine, this worm drops a copy of itself as JAVA.EXE in the Windows folder and creates an autorun registry entry to execute at every system startup.
WORM_MYDOOM.M arrives as a 28KB attachment. It affects Windows 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following aliases: W32/Mydoom.O@MM or Mydoom.M.
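As an added example (not part of the Trend Micro advisory), the following Python mail-gateway heuristic scores a message against the indicators the release describes: a bounce-style subject line, an attachment with one of the listed .ZIP/.BAT/.PIF/.EXE/.SCR extensions, and an attachment whose base name matches the recipient's local part. The sample messages are constructed inline; the scoring thresholds are the example's own choice, not Trend Micro's.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines named in the advisory (compared case-insensitively).
SUSPECT_SUBJECTS = {"status", "delivery reports about your e-mail",
                    "returned mail: see transcript for details"}
# Attachment extensions the advisory lists for WORM_MYDOOM.M.
SUSPECT_EXTENSIONS = {".zip", ".bat", ".pif", ".exe", ".scr"}


def score_message(raw: bytes) -> dict:
    """Return the indicators found in one RFC 822 message and a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    recipient = parseaddr(str(msg["To"] or ""))[1].lower()
    local_part = recipient.split("@", 1)[0]
    hits = {"bounce_subject": subject in SUSPECT_SUBJECTS,
            "risky_attachment": False,
            "filename_matches_recipient": False}
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext in SUSPECT_EXTENSIONS:
            hits["risky_attachment"] = True
        # The worm names its attachment after the target address's local part.
        if stem and stem == local_part:
            hits["filename_matches_recipient"] = True
    # A genuine bounce does not carry an executable payload (heuristic, our rule).
    hits["quarantine"] = hits["bounce_subject"] and hits["risky_attachment"]
    return hits


def build_sample(subject: str, to: str, filename: str) -> bytes:
    """Construct a sample message for testing (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.org"
    m["To"] = to
    m["Subject"] = subject
    m.set_content("The original message was not delivered.")
    m.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("Returned mail: see transcript for details",
                                     "jdoe@example.com", "jdoe.zip")))
```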
Trend Micro customers are protected through the latest pattern file, number 945. Customers of Outbreak Prevention Services should download OPP 123 (or later) to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 384 should be downloaded to help with automated restoration of affected systems. Trend Micro Vulnerability Assessment and Network VirusWall pattern files will also support detection of WORM_MYDOOM.M. Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: http://www.trendmicro-europe.com
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
# # #
For more information please contact:
Trend Micro
Anna Wright
EMEA PR Manager
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl