[PBARC] New worm W32/MyDoom.A worm causes numerous infections in corporate environments - 01/27/04

WOLF, EARNEST G [email protected]
Tue, 27 Jan 2004 08:02:02 -0600


Subject: Oxygen3 24h-365d [New worm W32/MyDoom.A worm causes numerous infections in corporate environments - 01/27/04]


  - New worm W32/MyDoom.A worm causes numerous infections in corporate
environments -
      Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)


MADRID, January 27, 2004 - New worm W32/Mydoom.A.worm has already reached
red alert status according to the virus labs of Panda Software.  There have
already been many incidents, with thousands of users affected in numerous
countries. The ability of W32/MyDoom.A to spread rapidly, as well as the
damage it is leaving behind, makes W32/Mydoom.A.worm as serious as last
summer's Bugbear and Blaster.

W32/Mydoom.A worm forwards itself to all the addresses found in the affected
computers. As other countries begin the usual workday and computer activity
increases, the virus is expected to spread further and create more issues.

W32/Mydoom.A worm arrives in an e-mail message with an attached file. As in
other recent virus epidemics, social engineering techniques trick users
into thinking they are supposed to open the file. The virus not only
infects the computer that received the e-mail but then mails itself to all
the contacts found in the address book.

In addition, it opens TCP port 3127 on the infected computer, allowing
remote control of the computer. This means any malicious hacker may gain
access and steal, modify or destroy any kind of information stored on the
computer.

In addition, this virus is set to launch a Denial of Service attack against
the web site www.sco.com on February 1st this year.

W32/Mydoom.A worm searches for e-mail addresses in files on the computer
with the extensions: .htm, .sht, .php, .asp, .dbx, .tbb, .adb, .pl, .wab,
.txt. It uses its own SMTP engine to send itself by e-mail.

The message content varies, and may be composed of the following elements:

Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Body:
Mail Transaction Failed.  Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment. The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment

Attached file name:
document
readme
doc
text
file
data
test
message
body

File extension:
.pif
.scr
.exe
.cmd
.bat
.zip

Once the virus has infected the computer, it then searches for the
peer-to-peer file-sharing network KaZaa.  If KaZaa is detected, a file is
copied to the shared folder, allowing its distribution via this peer-to-peer
system. The filename may be one of the following:

winamp5 
icq2004-final 
activation_crack 
strip-girl-2.0bdcom_patches 
rootkitXP 
office_crack 
nuke2004

with a .PIF, .SCR or .BAT extension.
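
As an added illustration (not part of the Panda Software bulletin), the subject, attachment-name and extension lists above can be turned into a simple mail-gateway triage check. The function names, the quarantine/review/pass verdicts and the sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Indicator lists copied from the bulletin above (lower-cased for matching).
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
ATTACH_NAMES = {"document", "readme", "doc", "text", "file",
                "data", "test", "message", "body"}
ATTACH_EXTS = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}


def suspicious_attachments(msg):
    """Return attachment names whose stem AND extension both match the bulletin."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower().replace("\\", "/")
        path = PurePosixPath(name)
        if path.stem in ATTACH_NAMES and path.suffix in ATTACH_EXTS:
            hits.append(path.name)
    return hits


def classify(raw_bytes):
    """Verdict for one raw RFC 5322 message: (verdict, matching attachment names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    attachments = suspicious_attachments(msg)
    if attachments and subject in SUBJECTS:
        return "quarantine", attachments   # subject and attachment both match
    if attachments:
        return "review", attachments       # attachment pattern alone
    return "pass", []                      # subjects like "hi" are too generic alone


def build_sample(subject, filename):
    """Constructed sample message with harmless placeholder attachment bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Mail Transaction Failed.  Partial message is available.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Mail Delivery System", "readme.pif"),
                        ("Quarterly numbers", "DOCUMENT.ZIP"),
                        ("hello", "report.pdf")]:
        print(subj, fname, classify(build_sample(subj, fname)))
```

Matching on the attachment name and extension together keeps ordinary mail with a subject such as "hi" or "test" from being flagged on the subject line alone.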