
Virus Alert: Mydoom.M turns PCs into spam zombies

by
25th Dec 2005

Warning

Members are warned to be on the lookout for a new variant of the Mydoom virus that takes over users' PCs and turns them into spam servers.

One contributor contacted this site when his PC started running very slowly and was obviously not under his total control. A scan with Norton Anti-Virus tools detected the presence of Backdoor.Zincite.A, a server program providing remote access via TCP port 1034.

When activated, the Mydoom.M worm plants the Zincite trojan horse, which sets up its own SMTP engine to send the virus on to all the email addresses it finds on the infected system.

As well as the tell-tale presence of Backdoor.Zincite.A, infected machines will have two extra values added to the Registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: "Services" = "%Windir%\services.exe" and "JavaVM" = "%Windir%\java.exe".

Mydoom.M emails carry attachments that can travel under a variety of names such as:
readme
instruction
transcript
mail
letter
file
text
attachment
document
The file name will have two three-letter file suffixes: .bat, .cmd, .com, .exe, .pif, .scr, or .zip, followed by the more common .doc, .txt, .htm, or .html extensions.

The From field of the email is "spoofed" from addresses on the infected computer. There are several variations of the body text, along the lines of:

This message was not delivered due to the following reasons:
Your message was not delivered because the destination
computer was unreachable within the allowed queue period.
The amount of time a message is queued before it is
returned depends on local configuration parameters.
Most likely there is a network problem that prevented
delivery, but it is also possible that the computer is
turned off, or does not have a mail system running right
now.
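The indicators above (the listed attachment base names and double extensions, the two Run-key values, and the backdoor's TCP port 1034) lend themselves to a simple triage check. The following script is an added example written for this page, not code from the original article or from any anti-virus vendor. It accepts the two suffixes in either order, which goes slightly beyond the article's wording, and it works on a snapshot of Run-key values passed in as a dictionary so that it can be run anywhere; reading the live key with winreg on a Windows host is left as an assumption. The sample inputs at the bottom are constructed.

```python
"""Triage checks built from the Mydoom.M / Backdoor.Zincite.A description.

Added example, not the article's own code. Indicator values come from the
article; sample inputs are constructed for illustration.
"""
import ntpath
import re

# Attachment base names listed in the article.
BASE_NAMES = {"readme", "instruction", "transcript", "mail", "letter",
              "file", "text", "attachment", "document"}
# Executable / archive suffixes the article names.
EXEC_SUFFIXES = {"bat", "cmd", "com", "exe", "pif", "scr", "zip"}
# Document-style suffixes used to make the file look harmless.
DOC_SUFFIXES = {"doc", "txt", "htm", "html"}

# Run-key value names the article says the worm adds, mapped to the
# file name each one points at (the %Windir% prefix may be expanded).
RUN_INDICATORS = {"Services": "services.exe", "JavaVM": "java.exe"}

# TCP port the article gives for the Zincite backdoor.
ZINCITE_PORT = 1034

_NAME_RE = re.compile(r"^([a-z0-9_-]+)\.([a-z]+)\.([a-z]+)$")


def is_mydoom_m_attachment_name(filename: str) -> bool:
    """True if the name matches the article's pattern: a listed base
    name plus one executable/archive suffix and one document suffix.
    Either ordering of the two suffixes is accepted (an assumption that
    widens the article's description)."""
    m = _NAME_RE.match(filename.strip().lower())
    if not m:
        return False
    base, first, second = m.groups()
    if base not in BASE_NAMES:
        return False
    return ((first in EXEC_SUFFIXES and second in DOC_SUFFIXES) or
            (first in DOC_SUFFIXES and second in EXEC_SUFFIXES))


def suspicious_run_values(run_values: dict) -> list:
    """Return (name, data) pairs from a Run-key snapshot whose value name
    and target file name both match the article's indicators.
    `run_values` maps value name -> data string; on a real host this
    would be read from HKLM\\...\\CurrentVersion\\Run (assumed, via winreg)."""
    hits = []
    for name, data in run_values.items():
        expected = RUN_INDICATORS.get(name)
        if expected is None:
            continue
        target = ntpath.basename(data.strip().strip('"')).lower()
        if target == expected:
            hits.append((name, data))
    return hits


def backdoor_port_open(listening_ports) -> bool:
    """True if the Zincite backdoor port appears in a list of listening
    TCP ports (e.g. parsed from netstat output on the host)."""
    return ZINCITE_PORT in set(listening_ports)


def triage(run_values: dict, listening_ports, attachment_names) -> dict:
    """Combine the three checks into one findings dictionary. A hit here
    is a reason to run an up-to-date scanner, not proof of infection."""
    return {
        "run_key_hits": suspicious_run_values(run_values),
        "backdoor_port_open": backdoor_port_open(listening_ports),
        "suspicious_attachments": [n for n in attachment_names
                                   if is_mydoom_m_attachment_name(n)],
    }


if __name__ == "__main__":
    # Constructed sample host state and mail attachments.
    sample_run = {
        "Services": r"%Windir%\services.exe",
        "JavaVM": r"C:\WINDOWS\java.exe",
        "OneDrive": r"C:\Users\alice\OneDrive.exe",
    }
    sample_ports = [135, 445, 1034]
    sample_attachments = ["readme.exe.doc", "Transcript.txt.scr",
                          "report.txt", "invoice.exe.doc"]
    for key, value in triage(sample_run, sample_ports,
                             sample_attachments).items():
        print(f"{key}: {value}")
```

The Run-key check matches on both the value name and the file name rather than on the name alone, since a legitimate "Services" or "JavaVM" entry pointing elsewhere would otherwise be flagged.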

Firewall programs can help to prevent such infections by blocking inbound connections to TCP ports such as port 1034, which the Zincite backdoor uses for remote access. Further advice on preventing and removing the Mydoom.M infection is available from websites such as Sophos and Symantec Security Response.

Replies (3)

By davidcee
28th Jul 2004 23:24

MYDOOM?
I received an email purporting to be a mail delivery failure, containing a suspicious attachment. I had read a bulletin warning of MYDOOM, similar to the one posted on here and the email was of a type described in the bulletin, so of course I didn't open it.

However, my Norton anti-virus didn't pick it up. I went to the Symantec site and manually downloaded the latest definitions, still didn't pick it up. McAfee Stinger ditto.

Whether it was really MYDOOM or a trickster hoaxing mails to look like MYDOOM I don't know, but vigilance is key.

I have "Live Update" installed on Norton Antivirus, but discovered from reading the Norton site that virus definitions are only distributed by this means every Wednesday!!!! A week is a long time in publishing viruses!

David

Thanks (0)
By paulwakefield1
29th Jul 2004 15:52

Norton updates
In reality, Norton updates more often than weekly especially if a new threat comes along. Touch wood, I've only once had a virus beat a Norton update (Can't recall which one it was now but I recall all the anti virus checkers were caught because of the speed of propagation before they could develop a solution). I have known it to update 4 times in a week.

Thanks (0)
By User deleted
29th Jul 2004 08:14

Anti Virus Software
Might I suggest that David and others in the same boat look at Panda anti-virus software. This is updated on line daily and, in the almost 2 years I have been using it, has proved 100% effective.

Thanks (0)