This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. This variant is detected as W32/Mytob.gen@MM in the 4501 DAT release.
The virus arrives in an email message as follows:
From: (Spoofed email sender)
Do not assume that the apparent sender address indicates that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.
Subject: (Varies, such as)
- Notice: **Last Warning**
- *DETECTED* Online User Violation
- Your Email Account is Suspended For Security Reasons
- Account Alert
- Important Notification
- *WARNING* Your Email Account Will Be Closed
- Security measures
- Email Account Suspension
- Notice of account limitation
Body: (Varies, such as)
- Once you have completed the form in the attached file, your account records will not be interrupted and will continue as normal.
- The original message has been included as an attachment.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
- We attached some important information regarding your account.
- Please read the attached document and follow its instructions.
Attachment: (Varies; chooses from the following list of prefaces)
The attachment name may carry one or two file extensions; when there are two, a run of spaces may be inserted between them, for example:
- document.htm (many spaces) .pif
(Varies; chooses from the following list)
These are examples of common names, but the name can also be random. The file may also arrive inside a ZIP archive.
When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as nec.exe.
The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended with entries that map several security websites to the local host, so those sites cannot be reached. This file is detected and cleaned as Qhosts.apd.
Registry values are created to load the worm at startup:
- RunServices "WINDOWS SYSTEM" = nec.exe
- Run "WINDOWS SYSTEM" = nec.exe
Additionally, the following value is set:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4
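As an added example (not part of this advisory or the vendor's tooling), the following Python triage helpers check for the three artifacts described above: the space-padded double-extension attachment name, the Hosts file entries that pin security sites to the local host, and the nec.exe autorun value together with the disabled SharedAccess service. The extension list, the loopback and local-name sets, the sample hosts text and the registry-snapshot shape are assumptions chosen for the example.

```python
import re

# Assumptions for this example, not taken from the advisory: the extension list,
# the loopback/local-name sets, the constructed hosts text and the shape of the
# registry snapshot (a dict merged from the Run and RunServices values).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".bat", ".cmd", ".com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# "document.htm" + run of spaces + ".pif": harmless-looking first extension, real one last
PADDED_DOUBLE_EXT = re.compile(r"^.+\.[a-z0-9]{1,4}\s{2,}\.[a-z0-9]{1,4}$", re.I)

def attachment_findings(name):
    """Return the reasons an attachment name matches the lure pattern."""
    findings = []
    ext = ("." + name.rsplit(".", 1)[1].strip().lower()) if "." in name else ""
    if PADDED_DOUBLE_EXT.match(name):
        findings.append("whitespace-padded double extension")
    elif ext in EXECUTABLE_EXTS and name.rstrip().count(".") > 1:
        findings.append("double extension")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    elif ext == ".zip":
        findings.append("ZIP archive; inspect its contents for the same pattern")
    return findings

def hosts_hijacks(hosts_text):
    """List (name, address) pairs where a non-local name is pinned to loopback."""
    hijacks = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenise
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            hijacks += [(n, fields[0]) for n in fields[1:] if n.lower() not in LOCAL_NAMES]
    return hijacks

def registry_findings(run_values, sharedaccess_start):
    """Flag the nec.exe autorun value and a disabled SharedAccess (firewall/ICS) service."""
    findings = [f"autorun value {k!r} = {v!r}" for k, v in run_values.items()
                if v.lower().endswith("nec.exe")]
    if sharedaccess_start == 4:  # Start = 4 means SERVICE_DISABLED
        findings.append("SharedAccess service disabled (Start = 4)")
    return findings

# Constructed sample inputs (not real artifacts) so the checks run offline.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.example-av-vendor.test   update.example-av-vendor.test
"""
SAMPLE_RUN = {"WINDOWS SYSTEM": "nec.exe", "ctfmon": "ctfmon.exe"}
```

On a live host, feed `hosts_hijacks` the contents of the Hosts file and `registry_findings` the values read from the Run, RunServices and SharedAccess keys listed above.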