-- Update February 25, 2005 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
This W32/Mydoom variant is similar to previous variants; it has the following characteristics:
- mass-mailing worm constructing messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address
- downloads the BackDoor-CEB.f backdoor trojan
If you think that you may be infected with Mydoom.bb and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus forges the From: address (spoofed From: header). Do not assume that the sender address identifies an infected sender. Likewise, you may receive alert messages from a mail server telling you that you are infected when that is not the case.
The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear to be a bounce, using the following addresses:
The following display names are used in this case:
- "Mail Administrator"
- "Automatic Email Delivery Software"
- "Post Office"
- "The Post Office"
- "Bounced mail"
- "Returned mail"
- "Mail Delivery Subsystem"
The following subjects are used:
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
The virus constructs messages from pools of strings it carries in its body. For example:
The attachment may be an EXE file with one of the following extensions:
It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:
The attachment may use the target email address name as the filename, in addition to the following:
The attachment may use a double extension, and multiple spaces may be inserted between the two extensions so that the real (executable) extension is pushed out of view and the file appears to be a harmless document.
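As an added illustration (example code, not McAfee's or this advisory's own), the following Python scores an incoming message against the indicators described above: the bounce-style display names and subjects listed earlier, and attachments whose real extension is hidden behind a second extension and a run of spaces. The set of executable extensions is an assumption of the example, since the advisory's own extension list is not reproduced here, and both sample messages are constructed for the example.

```python
"""Heuristic scoring of Mydoom.bb-style fake-bounce messages.

Added example, not McAfee's code. The display names and subjects are
those quoted in the advisory; EXEC_EXTENSIONS is an assumption, because
the advisory's own list of extensions is not reproduced on the page.
"""
import email
import email.utils
import re
from email import policy

BOUNCE_DISPLAY_NAMES = {
    "mail administrator",
    "automatic email delivery software",
    "post office",
    "the post office",
    "bounced mail",
    "returned mail",
    "mail delivery subsystem",
}

BOUNCE_SUBJECTS = {
    "delivery failed",
    "message could not be delivered",
    "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}

# Assumed set; the advisory's actual extension list did not survive.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "cmd", "bat"}


def attachment_flags(filename):
    """Return the reasons a filename looks like a disguised worm attachment.

    Covers the two tricks the advisory names: a double extension
    (document.txt.exe) and spaces inserted between the extensions
    (document.txt          .exe) so the real one scrolls out of view.
    """
    flags = []
    # Collapse whitespace that precedes a dot: "txt      .exe" -> "txt.exe".
    collapsed = re.sub(r"\s+(?=\.)", "", filename)
    if collapsed != filename:
        flags.append("whitespace before extension")
    exts = collapsed.lower().rsplit(".", 2)[1:]  # up to two trailing extensions
    if exts and exts[-1] in EXEC_EXTENSIONS:
        flags.append("executable extension")
        if len(exts) == 2:
            flags.append("double extension")
    return flags


def score_message(raw):
    """Parse a raw RFC 5322 message and return the indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    display_name, _addr = email.utils.parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() in BOUNCE_DISPLAY_NAMES:
        indicators.append("bounce-style display name")
    if str(msg.get("Subject", "")).strip().lower() in BOUNCE_SUBJECTS:
        indicators.append("bounce-style subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for flag in attachment_flags(name):
            indicators.append(f"attachment {name!r}: {flag}")
    return indicators


# Constructed sample: a fake bounce carrying a padded double-extension attachment.
SAMPLE_BOUNCE = b"""\
From: "Mail Delivery Subsystem" <mailer-daemon@example.net>
To: victim@example.com
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The original message was included as an attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.txt          .exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

# Constructed sample: an ordinary message with a document attachment.
SAMPLE_CLEAN = b"""\
From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("bounce", SAMPLE_BOUNCE), ("clean", SAMPLE_CLEAN)):
        print(label, score_message(sample))
```

The scoring deliberately treats the From: display name as an indicator only, never as evidence of who sent the message: as the advisory notes, the address is forged, so a gateway rule built on this should quarantine the attachment rather than notify the apparent sender.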
Email Address Harvesting
Email addresses are harvested from the following file types on the victim machine:
The virus also queries four search engines and harvests addresses from the results returned by those queries:
The virus will also harvest email addresses from any Outlook window that is active on the victim machine.
The virus avoids emailing itself to target domains containing any of the following strings:
This virus downloads the BackDoor-CEB.f backdoor trojan.