-- Update 9th February, 2004--
This threat is considered to be a Low-Profiled risk due to media attention at:
This worm attempts to spread to W32/Mydoom.a@MM infected systems by entering through the backdoor created by the Mydoom virus. It does not spread via email. Systems already infected with Mydoom are at risk.
When run, the virus copies itself to the WINDOWS SYSTEM directory as INTRENAT.EXE and creates a registry run key to load itself at system startup:
Run "Gremlin" = C:\WINNT\System32\intrenat.exe
An archived copy of the source for W32/Mydoom is dropped to the root of the system drive, the WINDOWS directory and the WINDOWS SYSTEM directory:
The worm scans random IP addresses, attempting to connect to TCP port 3127 and instructing systems to run the virus.
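One way to spot this scanning in connection logs, as an added example that is not part of the original description. The flow-record format, the addresses and the `min_targets` threshold are constructed assumptions; only TCP port 3127 comes from the text above.

```python
from collections import defaultdict

BACKDOOR_PORT = 3127  # TCP port the description says the worm connects to

# Constructed sample flow records (hypothetical format): time src dst dport state
SAMPLE_FLOWS = """\
2004-02-09T10:00:01 10.0.0.5 198.51.100.7 3127 SYN_SENT
2004-02-09T10:00:01 10.0.0.5 203.0.113.44 3127 SYN_SENT
2004-02-09T10:00:02 10.0.0.5 192.0.2.19 3127 SYN_SENT
2004-02-09T10:00:02 10.0.0.5 10.0.0.23 3127 ESTABLISHED
2004-02-09T10:00:03 10.0.0.8 192.0.2.80 80 ESTABLISHED
2004-02-09T10:00:04 10.0.0.9 10.0.0.23 3127 SYN_SENT
malformed line
"""

def parse_flows(text):
    """Yield (src, dst, dport, state) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3]), parts[4]

def triage(text, min_targets=3):
    """Return (scanners, exposed).

    scanners: sources that tried port 3127 on at least min_targets distinct
              hosts, matching the scanning behaviour described above.
    exposed:  destinations that completed a connection on port 3127, so
              something is listening there and the host needs inspection.
    """
    targets = defaultdict(set)
    exposed = set()
    for src, dst, dport, state in parse_flows(text):
        if dport != BACKDOOR_PORT:
            continue
        targets[src].add(dst)
        if state == "ESTABLISHED":
            exposed.add(dst)
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= min_targets}
    return scanners, sorted(exposed)

if __name__ == "__main__":
    scanners, exposed = triage(SAMPLE_FLOWS)
    print("possible scanning hosts:", scanners)
    print("hosts answering on 3127:", exposed)
```

Hosts in the first result are candidates for the registry and file checks listed above; hosts in the second are answering on the backdoor port and should be examined for Mydoom.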
Denial of Service Payload
The virus contains a payload to attack www.microsoft.com by sending a large number of GET requests to responding servers. The attack starts on or after the 9th of February. If the date is between the 1st and the 11th, the worm waits 2-6 minutes before attacking. If the date is after the 11th, the worm launches the attack without the delay.