Infection Level: Very High
Payload Threat Level: Medium
--------------------------------------------------
OVERVIEW
Mydoom is a recently discovered mass-mailing worm. It spreads
rapidly through E-Mail and through Kazaa (a P2P file-sharing
application). The attachment has one of the following
extensions: .bat, .pif, .cmd, .exe, .scr or .zip. It may also
carry a double extension. All E-Mail properties vary; details
are listed below.
Target e-mail addresses are harvested from the infected computer
and from local files with the following extensions: .htm, .wab,
.txt, .asp, .dbx, .php, .sht, .pl, .tbb and .adb.
The Mydoom worm contains a backdoor that listens on a TCP port in
the range 3127 through 3198 and can be used to download and
execute arbitrary programs on infected machines.
Infected machines will perform a DDoS (Distributed Denial of
Service) attack against www.sco.com on February 1, 2004.
TECHNICAL OVERVIEW
Aliases: Novarg, W32.Novarg.A@mm, Win32.Mydoom.A, Win32/Shimg,
WORM_MIMAIL.R
From: Spoofed e-mail sender
Subject: Varies, one of the following:
hi
Mail Transaction Failed
Mail Delivery System
Error
Status
Server Report
hello
Body: Varies, one of the following:
The message cannot be represented in 7-bit ASCII
encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been
sent as a binary attachment.
Attachment: Varies (.bat, .exe, .pif, .cmd, .scr) - often
arrives in a ZIP archive. May carry a double extension.
Attachment icon: Text-file icon with the caption
Document.scr.
Attachment size: 22,528 bytes.
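The following is an added example, not part of the Finjan advisory, showing how a mail filter could score an incoming message against the indicators listed above (subject line, body text, attachment extension, double extension and attachment size); the message it scans is constructed for the demonstration and is not a real worm sample.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator values taken from the advisory text above
SUBJECTS = {"hi", "mail transaction failed", "mail delivery system",
            "error", "status", "server report", "hello"}
BODY_PHRASES = ("sent as a binary attachment",
                "mail transaction failed. partial message is available")
EXECUTABLE_EXTS = {".bat", ".pif", ".cmd", ".exe", ".scr"}
ATTACHMENT_SIZE = 22528  # bytes

def attachment_indicators(name, size):
    """Indicators for one attachment, judged from its file name and size."""
    exts = ["." + p.lower() for p in name.split(".")[1:]]
    hits = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        hits.append("executable-extension")
    if exts and exts[-1] == ".zip":
        hits.append("zip-attachment")
    if len(exts) >= 2:
        hits.append("double-extension")
    if size == ATTACHMENT_SIZE:
        hits.append("known-size")
    return hits

def mydoom_indicators(raw):
    """Parse a raw RFC 822 message and list the advisory indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        size = len(part.get_payload(decode=True) or b"")
        hits += attachment_indicators(part.get_filename() or "", size)
    return hits

def build_sample():
    # Constructed message mimicking the advisory's description; not a real sample
    m = EmailMessage()
    m["Subject"] = "Mail Delivery System"
    m.set_content("The message cannot be represented in 7-bit ASCII encoding "
                  "and has been sent as a binary attachment.")
    m.add_attachment(b"\0" * ATTACHMENT_SIZE, maintype="application",
                     subtype="octet-stream", filename="document.txt.scr")
    return m.as_bytes()
```

A gateway would quarantine on several indicators together rather than on any single one, since subjects such as "hi" and "Error" also occur in legitimate mail.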
©Finjan Software
