Newsletter
August 2004 - page 3
MyDoom.m: prevention and cure
July 26, 2004 Category: Home | Audience: Home
By Robert Vamosi, CNET News.com
The latest version of the MyDoom virus uses social trickery to get
users to infect themselves. MyDoom.m (w32.mydoom.m@mm; also known
as MyDoom.l [Norman], MyDoom.n [Computer Associates], and MyDoom.o
[Sophos]) is packed with UPX, is approximately 28KB in size, and
is a mass-mailing worm that uses its own SMTP engine to send copies
of itself to addresses harvested from the infected PC. It also
uses various search engines to find additional e-mail addresses
associated with an infected PC's e-mail domain and may slow or
disable those search engines. MyDoom.m does not affect Linux,
Mac, or Unix systems. Because MyDoom.m spreads via e-mail, opens
a remote-access back door on infected PCs, and could damage system
files, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
MyDoom.m constructs random e-mail messages from a string of hard-coded
text within the virus code itself. The infected e-mail appears
to have been sent by someone you may know. The body text may suggest
that your e-mail account has been compromised by a virus or has
been used recently to send spam. The body text appears to come
from the technical support team of the domain you are using for
your own e-mail address: for example, someone@mydomain.com would
receive a note signed by the mydomain.com team. The body text
further encourages you to open the attached file (usually a ZIP,
but it could also be EXE, COM, SCR, PIF, BAT, or CMD) for more
information. Do not follow this instruction; it will launch the
virus on your PC.
Once executed, MyDoom.m installs itself in the Windows folder
as:
C:\WINDOWS\JAVA.EXE
C:\WINDOWS\SERVICES.EXE
MyDoom.m also changes the system registry by adding the following
values and keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
JavaVM="[Windows folder]\java.exe"
Services="[Windows folder]\services.exe"
HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
MyDoom.m will open port 2110 to listen for remote access.
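As an added triage example (not part of the original article), the following Python script checks a registry export and netstat output for the Run values, Daemon marker keys and port 2110 listener described above; the registry text and netstat lines are constructed sample data, not captures from a real infection.

```python
import re

# Persistence indicators as listed in the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"JavaVM": "java.exe", "Services": "services.exe"}
DAEMON_KEYS = {r"hkey_current_user\software\microsoft\daemon",
               r"hkey_local_machine\software\microsoft\daemon"}
BACKDOOR_PORT = 2110

# Constructed sample data (not a real capture): a .reg-style export and
# two netstat -an lines, one of them the back-door listener.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\services.exe"
"SomeUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Daemon]
'''
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135     0.0.0.0:0   LISTENING",
    "  TCP    0.0.0.0:2110    0.0.0.0:0   LISTENING",
]

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; .reg files
    escape backslashes in string data, so they are unescaped here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_mydoom_indicators(reg_text, netstat_lines):
    """Return human-readable findings; an empty list means no indicator seen."""
    findings, keys = [], parse_reg_export(reg_text)
    run = {k.lower(): v for k, v in keys.items()}.get(RUN_KEY.lower(), {})
    for name, exe in RUN_VALUES.items():          # autostart entries
        data = run.get(name, "")
        if data.lower().endswith("\\" + exe):
            findings.append(f"Run value {name} -> {data}")
    for key in keys:                              # infection marker keys
        if key.lower() in DAEMON_KEYS:
            findings.append(f"marker key {key}")
    for line in netstat_lines:                    # remote-access listener
        m = re.search(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            findings.append(f"listener on TCP {BACKDOOR_PORT}")
    return findings
```

On a live system the inputs would come from `reg export` of the two hives and from `netstat -an`; a clean machine yields an empty list.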
Prevention
If you receive MyDoom.m, do not open the attached file. The best
way to prevent infection is to make sure that your antivirus signature
files are current. Also, a personal firewall will prevent the
virus author from gaining remote access to your PC.
Removal
Most antivirus software companies have updated their signature
files to include this worm. This will stop the infection upon
contact and in some cases will remove an active infection from
your system.
If in doubt, check with your virus prevention software supplier.