Dubbed Mydoom, Mimail.R, Novarg, or Shimg depending on the antivirus vendor, a worm discovered on January 26th, 2004 has created a headache for users. The worm spoofs the From address, causing lots of innocent folks to be blamed for sending the worm. The fact is, the one person who is most likely not to be infected is the person whose name appears in the From field of the email. Worse, antivirus alerts are once again contributing to the mess. As was the case with Sobig.F, the vendor alerts have become part of the Mydoom problem.
The alerting problem begins when one of the infected emails is detected by the ISP or domain antivirus solution. The antivirus software, depending on the administrator's configuration, may then send an alert to the recipient and to the alleged sender. Of course, when the sender name is falsified, this means innocent folks are accused of sending a virus when in fact they are not the infected party. The confusion and chaos only get worse. Many of these antivirus products will send the actual infected message to this alleged sender, meaning they have now received the virus. If they open the email and the attachment to see what it is they supposedly sent, they then risk becoming infected. The volume of erroneous antivirus alerts is so high that it is quickly outpacing the number of actual Mydoom emails. In fact, some contend that the antivirus alerts are themselves a form of DoS (Denial of Service) attack.
Using antivirus software to DoS email users is not the only trick up Mydoom's sleeve. The worm also launches a Distributed Denial of Service (DDoS) attack against the well-known UNIX vendor, SCO.com. Every second, from every infected computer worldwide, Mydoom (a.k.a. Mimail.R) sends a GET request to the website in an apparent attempt to overload the webserver.
Much controversy has surrounded SCO since it claimed last December that the Linux operating system was violating its intellectual property rights in UNIX. "There are a lot of kids out there who feel like SCO's attacking them", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Apparently some of them decided that it's ok to attack back."
The Mydoom worm spreads via email and the P2P network KaZaA. The email message composed by the worm has a spoofed Sender name and the Subject will be one of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
The text of the email will be either:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- or -
The message contains Unicode characters and has been sent as a binary attachment.
- or -
Mail transaction failed. Partial message is available.
The attachment will have either an EXE, CMD, PIF, or SCR extension, or it may be a ZIP archive, and will have one of the following filenames:
document
readme
doc
text
file
data
test
message
body
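The subject lines, body phrases, attachment names and extensions listed above are enough to write a simple mail-gateway check. The following Python is an added example, not code from the original article or from any antivirus vendor; the message it scans is constructed for illustration, and the rule that a hit requires both a matching body phrase and a matching attachment (rather than the subject alone, since "hi" and "test" are ordinary subjects) is this example's own choice. Because the From address is spoofed, a match should be quarantined, not bounced to the apparent sender.

```python
import email
import os
from email import policy

# Indicators as described in the article (lower-cased for comparison).
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODY_PHRASES = ("has been sent as a binary attachment",
                "mail transaction failed. partial message is available")
BASENAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXTENSIONS = {".exe", ".cmd", ".pif", ".scr", ".zip"}


def attachment_names(msg):
    """Yield the lower-cased filename of every attachment part in a parsed message."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name.lower()


def matches_mydoom(raw):
    """Return (verdict, reasons) for a raw RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        reasons.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(phrase in body for phrase in BODY_PHRASES):
        reasons.append("body")
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name)
        if stem in BASENAMES and ext in EXTENSIONS:
            reasons.append("attachment:" + name)
    # Verdict rule chosen for this example: body phrase plus a matching attachment.
    hit = "body" in reasons and any(r.startswith("attachment:") for r in reasons)
    return hit, reasons


# Constructed sample message mimicking the article's description; not a real capture.
SAMPLE = """\
From: someone@example.net
To: victim@example.org
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.

--b1
Content-Type: application/octet-stream; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

if __name__ == "__main__":
    print(matches_mydoom(SAMPLE))
```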
The attachment's icon may appear to be an icon normally associated with a TXT file, despite the fact that the attachment itself is an executable. To mask its intentions, when executed the worm first launches Notepad, filling the page with random text. Behind the scenes, the worm drops a copy of itself to the Windows System folder (usually C:\Windows\System) as taskmon.exe. This has caused some confusion among Windows 95/98/ME users, as there is a legitimate file named taskmon.exe, but that file resides in the C:\Windows folder, not C:\Windows\System.
Mydoom also searches the System Registry to determine if KaZaA is installed and, if so, what directory is being shared by the user. It then drops a copy of itself to the shared KaZaA folder using one of the following names and a BAT, PIF, SCR, or EXE extension:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
This allows the worm to infect KaZaA users who download and execute one of the infected files, causing further spread on the P2P network. To spread via email, the Mimail.R (a.k.a. Mydoom) worm harvests addresses from WAB, ADB, TBB, DBX, ASP, PHP, SHT, HTM, and TXT files found on the infected system. The worm code also contains text strings which it can use to randomly create addresses if no other addresses are found.
The worm also creates the file shimgapi.dll in the Windows\System directory, registering this file as a child process of EXPLORER.EXE. Shimgapi.dll opens and listens on ports 3127 through 3198. This backdoor could be used to download further malicious code to the system.