- 27 July 2004 09:40
Threat Advisory: McAfee AVERT Raises Risk Assessment to Medium-on-Watch on New W32/Mydoom.o@MM Virus
McAfee AVERT Reports New Mydoom Virus In-the-Wild
SYDNEY, July 27, 2004 — McAfee, Inc. the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, raised the risk assessment to Medium-on-Watch on the recently discovered W32/Mydoom.o@MM, also known as Mydoom.o. This new variant is a mass-mailing worm that comes in the form of .EXE or .ZIP file that is packed using UPX. To date, McAfee AVERT has received well over 100 reports of the virus since this morning, being stopped or infecting users from the field—with most of the reports arriving from Europe and the United States.
Mydoom.o is a mass mailing threat that contains its own SMTP engine to construct outgoing messages. Similar to previous variants, it harvests addresses from local files and then uses the harvested addresses in the ‘From’ field to send itself. This produces a message with a spoofed “From” address. The attachment may be an .EXE file with various extensions or a .ZIP file. The worm also terminates processes of security programs. Users should be very wary and should most likely delete any email containing the following:
From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
The following subjects are used:
• delivery failed
• Message could not be delivered
• Mail System Error - Returned Mail
• Delivery reports about your e-mail
• Returned mail: see transcript for details
• Returned mail: Data format error
The virus constructs messages from pools of strings it carries in its body.
After being executed, Mydoom.o copies itself as a JAVA.EXE file into the Windows directory C:\WINDOWS\JAVA.EXE and drops the file SERVICES.EXE into the Windows directory C:\WINDOWS\SERVICES.EXE to perform its functions. The following Registry key is added to hook system startup:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The worm then proceeds into the remote access component of the virus, which listens on TCP port 1034 for remote connections.
System Protection and Cure
More information on Mydoom.o and cure for this worm can be found online at the McAfee AVERT site located at http://vil.nai.com/vil/content/v_127033.htm. McAfee AVERT is advising its customers to update to the 4381 DATs to stay protected from all the current Mydoom threats.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organisations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield and McAfee Entercept organisations, two research arms that were acquired through the IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
About McAfee, Inc.
With headquarters in Santa Clara, Calif., McAfee, Inc. (NYSE: MFE) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. McAfee’s customers span large enterprises, governments, small and medium sized businesses, and consumers. For more information, McAfee, Inc. can be reached on the Internet at http://www.mcafee.com/.
NOTE: McAfee and AVERT are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. *2004 McAfee, Inc. All Rights Reserved.
For further information, please contact:
Tel: +61 (0)2 9956 5733
Mobile: +61 (0)417 259 054