Virus Profile: W32/Mydoom.s@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 8/15/2004
Date Added: 8/15/2004
Origin: Unknown
Length: 27,136 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4386
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the file rasor38a.dll and winpsd.exe.

Methods of Infection

This virus spreads via email.  Victims must manually chose to execute the infected attachment.  Once running, the virus harvests addresses from files containing the following extensions:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

Addresses obtained are sent the virus.

Aliases

WORM_RATOS.A (Trend)
   

Virus Characteristics

-- Update November 11, 2004 --
 The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update August 15, 2004 --
 The risk assessment of this threat was deemed Medium due to prevalence.

If you think that you may be infected with W32/Mydoom.s@MM, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This virus is received in an email message as follows:

Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe

When the attachment is run, the virus copies itself to the WINDOWS (%WinDir%) directory as rasor38a.dll , and to the SYSTEM (%SysDir%) directory as winpsd.exe .

The virus creates the following registry key values:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\ComDlg32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\ComDlg32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus downloads a backdoor component from 2 different websites:

  • www.richcolour.com
  • zenandjuice.com

The backdoor component is detected as BackDoor-CHR with the specified DAT files.

   

All Users :
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger  has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  2. Delete the following file from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)

    winpsd.exe
  3. Edit the registry
    • Delete the "winpsd" value from
      • HKEY_LOCAL_MACHINE\Software\Microsoft\
        Windows\CurrentVersion\Run
    • Delete the keys:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
        Explorer\ComDlg32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
        Explorer\ComDlg32
  4. Reboot the system into Default Mode

See the BackDoor-CHR description for additional information.

McAfee System Compliance Profiler
Create a rule that matches a file
- Choose WINDOWS_DIR from the drop-down
- Type in rasor38a.dll for the file name
- Choose "File does not exist" in the next drop-down

Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in winpsd.exe for the file name
- Choose "File does not exist" in the next drop-down

McAfee Threatscan
ThreatScan signatures that can detect the W32/Mydoom.s virus are available from:

ThreatScan Signature version: 2004-08-16

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
     -or-
  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4083