Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Virus Advisory: Network Associates(R) McAfee Avert Raises Risk Outbreak Assessment to Medium on New W32/Mydoom.F@Mm Worm

  • 24 February, 2004 11:56

<p>Mydoom.f@MM Attempts to Perform a Denial of Service Attack Against Microsoft and the RIAA Web sites</p>
<p>SYDNEY, Feb. 24, 2004 - Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus research division of Network Associates(R), assigned a medium risk outbreak assessment to the recently discovered W32/Mydoom.f@mm, also known as Mydoom.f. Mydoom.f is a destructive worm that bears similarities to the previous Mydoom viruses. Mydoom.f contains its own SMTP engine for constructing messages, attempts to perform a Denial of Service (DoS) attack against www.microsoft.com and www.RIAA.com, and carries a malicious payload for deleting files. The virus has been found in as many as 60 companies and seen throughout Asia Pacific, Canada, Europe, Japan, Latin America and the United States.</p>
<p>Symptoms</p>
<p>Mydoom.f is a mass-mailing and share-hopping Internet worm that, once activated, displays a fake error message. The worm then tries to spread via email and by copying itself to the Windows System directory using random filenames. Users should immediately delete any email containing the following:</p>
<p>From: (Spoofed email sender)
Subject: (Varies, such as)</p>
<p>* Re: Approved</p>
<p>* Attention</p>
<p>* Your request is being processed</p>
<p>* (Blank)</p>
<p>* Please read</p>
<p>* Re: Thank You</p>
<p>* Recent news</p>
<p>* IMPORTANT</p>
<p>* Please reply</p>
<p>* Read this</p>
<p>* Your credit card</p>
<p>* Unknown</p>
<p>* EXPIRED ACCOUNT</p>
<p>* Your request was registered</p>
<p>* automatic responder</p>
<p>* Recent news</p>
<p>* Readme</p>
<p>* Bug</p>
<p>* You have 1 day left</p>
<p>* ApprovedNews</p>
<p>* Read it immediately</p>
<p>* Announcement</p>
<p>* =P Announcement</p>
<p>* hi, it's me</p>
<p>* You use illegal File Sharing... Your IP was logged</p>
<p>* Your account is about to be expired</p>
<p>* Love is Love is...</p>
<p>* Undeliverable message</p>
<p>* Re:</p>
<p>* Your order was registered</p>
<p>* Your order is being processed</p>
<p>* Current Status</p>
<p>* read now!</p>
<p>* Something for you</p>
<p>* For your information</p>
<p>* Information Warning</p>
<p>* hello</p>
<p>* hi</p>
<p>Body: (Varies, such as)</p>
<p>* Kill the writer of this document!</p>
<p>* Details are in the attached document. You need Microsoft Office to open it.</p>
<p>* I'm waiting</p>
<p>* We have received this document from your e-mail.</p>
<p>* Here it is</p>
<p>* I wait for your reply.</p>
<p>* See you</p>
<p>* I have your password :)</p>
<p>* You are bad</p>
<p>* Take it</p>
<p>* Reply</p>
<p>* Please, reply</p>
<p>* Information about you</p>
<p>* Greetings</p>
<p>* See you Here it is</p>
<p>* Something about you</p>
<p>* You are a bad writer</p>
<p>* Is that yours?</p>
<p>* Is that from you?</p>
<p>* I wait for your reply.</p>
<p>* Here is the document.</p>
<p>* Read the details.</p>
<p>* I'm waiting Okay</p>
<p>* OK Everything ok?</p>
<p>* Check the attached document.</p>
<p>* The document was sent in compressed format.</p>
<p>* Please see the attached file for details</p>
<p>* See the attached file for details</p>
<p>Attachment: (Varies [.cmd, .bat, .pif, .com, .scr, .exe] - often arrives in a zip archive) (34,686 bytes)</p>
<p>* paypal.zip</p>
<p>* creditcard.bat</p>
<p>* creditcard.zip</p>
<p>* website.zip</p>
<p>* textfile.zip</p>
<p>* photo.zip</p>
<p>* part1.zip</p>
<p>* notes.zip</p>
<p>* mail.zip</p>
<p>* vpf.zip</p>
<p>* details.zip</p>
<p>* %random characters%.zip</p>
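<p>A mail-gateway check for the attachment pattern listed above, as an added example that is not part of the original release or of any McAfee product: it flags attachments with the listed executable extensions, including those packed inside a zip archive. The function names and the sample messages are constructed for illustration.</p>

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Executable attachment types named in the advisory.
RISKY_EXT = {".cmd", ".bat", ".pif", ".com", ".scr", ".exe"}

def _ext(name):
    """Lower-cased final extension of a file or archive member name."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()

def scan_message(raw):
    """Return (attachment, reason) findings for one raw RFC 5322 message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in RISKY_EXT:
            findings.append((name, "executable attachment"))
        elif _ext(name) == ".zip":
            data = part.get_payload(decode=True) or b""
            try:
                # Look inside the archive without extracting anything.
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in RISKY_EXT:
                            findings.append((name, "archive contains " + member))
            except zipfile.BadZipFile:
                # An archive the gateway cannot inspect is itself worth flagging.
                findings.append((name, "unreadable archive"))
    return findings

def build_sample(subject, zip_name, member_name):
    """Constructed test message: a zip attachment holding one harmless text payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "harmless placeholder")
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached file for details")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename=zip_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("Re: Approved", "details.zip", "details.scr")))
    print(scan_message(build_sample("Status report", "notes.zip", "notes.txt")))
```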
<p>Pathology</p>
<p>After being executed, Mydoom.f emails itself out as an attachment with a random filename. The worm makes copies of itself as .zip archives or .exe files in different directories on the local hard disk and mapped drives. The copies have random alphabetical filenames and are 34 Kbytes in size. Mydoom.f then searches the local hard drive and deletes files with the extensions .bmp, .avi, .jpg, .sav, .xls, .doc and .mdb. Mydoom.f opens a connection on TCP port 1080 and opens a list of other ports in the range 3000-5000, suggesting remote access capabilities. The worm also appears to carry out a DoS attack on the Web sites www.microsoft.com and www.riaa.com.</p>
<p>Cure</p>
<p>Immediate information and cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101038.htm . Users of McAfee Security anti-virus products should update their systems from that page.</p>
<p>Network Associates McAfee(R) Protection-in-Depth(TM) Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, with researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at http://www.networkassociates.com/ .</p>
<p>NOTE: Network Associates, McAfee, AVERT and Sniffer are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners.</p>
<p>##ENDS##</p>
<p>For further information or comment, please contact Allan Bell directly on the details below:</p>
<p>Allan Bell - Marketing Director</p>
<p>Network Associates</p>
<p>0412 411 929 or
02 9761 4229</p>
