Silicon Valley - Public Access Link

MyDoom Email Worm

MyDoom is a mass-mailing worm whose messages look like mail system errors or automated spam warnings and masquerade as email from your ISP. The email will appear to come from administrator@svpal.org, management@svpal.org, or some other "official"-looking address, and it tells you to open the enclosed attachment to fix some problem. Don't open the attachment.

SVPAL filters attachment types that often contain viruses and worms, effectively disabling these attachments. This stops almost all email viruses and worms but is not a guarantee against infection, so you should still maintain virus protection software to keep your system safe. Note that the attachments are not removed from the email, so your virus protection software may still report them as live viruses.

If this worm is successfully launched on your computer, it installs a back door that future worms may use to infect your system, or that may be used to send spam or launch other types of attacks against other Internet-connected computers.

Vulnerable Systems

This worm only affects users running Windows XP, 2000, Me, 98, NT, 95.

Impact

This worm mass-mails itself to users listed in your address book and to email addresses found in web pages you browse; recent versions also try to obtain email addresses from search engines.

What to Look For 

The virus arrives in an email purportedly from your mail account's ISP. An example of one seen on SVPAL:

Dear user janedoer@svpal.org,

Your account was used to send a large amount of junk email during
the last week. Most likely your computer had been infected by a recent
virus and now contains a hidden proxy server.

Please follow instructions in order to keep your computer safe.

Best wishes,

Svpal.org user support team.

Note that the exact message varies but follows this form. The following shows some of the variations that you might see. Example 'From' addresses include:

management@<domain>
administration@<domain>
staff@<domain>
noreply@<domain>
support@<domain>

where <domain> is your email domain (e.g. svpal.org).

Possible subjects include:

 Returned mail: Data format error
 Returned mail: see transcript for details
 Delivery reports about your e-mail
 Mail System Error - Returned Mail
 Message could not be delivered
 delivery failed
 report
 test
 status
 error
 hi
 hello
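The lure traits listed above (a forged sender at your own domain using one of the "official" local-parts, one of the known subjects, and an attachment) can be checked mechanically. The following is an added example, not code from SVPAL; it assumes a mail filter that can hand it the raw message text, and the sample messages and attachment name are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Lure characteristics listed in the advisory above: forged sender local-parts and subjects.
LURE_LOCAL_PARTS = {"management", "administration", "staff", "noreply", "support"}
LURE_SUBJECTS = {
    "returned mail: data format error", "returned mail: see transcript for details",
    "delivery reports about your e-mail", "mail system error - returned mail",
    "message could not be delivered", "delivery failed",
    "report", "test", "status", "error", "hi", "hello",
}

def mydoom_lure_indicators(raw: str) -> list[str]:
    """Return which MyDoom lure traits a raw RFC 822 message shows (empty list = none)."""
    msg = message_from_string(raw)
    local, _, sender_dom = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    hits = []
    if local in LURE_LOCAL_PARTS:
        hits.append("from-localpart")
    # The worm forges a sender at the recipient's own domain, so it looks like "your ISP".
    if sender_dom and sender_dom == to_dom:
        hits.append("from-spoofs-own-domain")
    if msg.get("Subject", "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    # The lure always carries the worm as an attachment.
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        hits.append("attachment")
    return hits

# Constructed sample messages (not real mail); the attachment name is a placeholder.
SAMPLE_LURE = """\
From: support@svpal.org
To: janedoer@svpal.org
Subject: Mail System Error - Returned Mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please follow instructions in order to keep your computer safe.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="PLACEHOLDER.dat"

AAAA
--b1--
"""
SAMPLE_BENIGN = "From: alice@example.org\nTo: janedoer@svpal.org\nSubject: lunch?\n\nStill on?\n"
```

A message that shows all four indicators is a strong match; a single indicator (a real bounce with the subject "delivery failed", say) is not, so quarantine on the combination rather than on any one trait.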

Solutions 

See Microsoft's Windows Update web site for easy updating of your Microsoft software. Install a virus scanner to provide additional protection. You may need to start your computer in safe mode to successfully run your virus scanner. Check your virus software documentation for details on how to scan and remove virus infections. 

For more information

Check the CERT Coordination Center for more information on this worm, or see SVPAL's virus page for more general virus protection information.

US-CERT Advisory

MyDoom Spreading Rapidly. AKA MYDOOM.O, MYDOOM.M

SEVERITY: 4 High

US-CERT and other first responder teams will need to take action to recover from incidents, or will need to take action to prevent compromise. US-CERT will initiate its alert system.

SYSTEMS AFFECTED

Windows 2000, Windows 98, Windows 95, Windows XP, Windows ME, Windows NT, Windows Server

SYSTEMS NOT AFFECTED

DOS, Linux, Macintosh, Novell Netware, OS/2, Unix

OVERVIEW

The latest version of Mydoom is a mass-mailing worm that incorporates a search capability that is overwhelming several popular search engines.

DESCRIPTION

The MyDoom variant spreads in the form of an e-mail attachment. The attached message pretends to be from the user's net provider or company support team saying that their PC has been used by hackers to send spam. Once on a victim's machine MyDoom will ensure that it will load when Windows starts. Additionally, it will locate e-mail addresses on a victim machine, and use search engines to derive e-mail addresses from collected domain names. Infected computers are used to bombard target web sites with data packages that potentially paralyze the web site. Previous versions of MyDoom have launched distributed denial of service attacks (DDoS) on web sites like Microsoft and software firm SCO.

IMPACT

Outbound traffic on port 25 from infected machines may overwhelm internal routers or firewalls. Also, reports indicate that some search engines may suffer intermittent failure due to the search engine capabilities of this worm.

 

Last updated: October 16, 2006