Computer Associates International, Inc has raised the threat assessment for the Win32.MyDoom-AU variant (also known as MyDoom.BB and MyDoom-AW) to high. The reasons are the pervasiveness of the variant and its ability to download the Win32.Gavvo trojan (http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39921) and recruit the infected machine into a zombie network for further attacks.
"The variant knocking at the front door is fairly familiar, but it is leaving the backdoor open to something much more sinister," said Simon Perry, senior vice-president, eTrust Security Management. "Over the last 18 months we have seen a general trend toward the creation of zombie or slave-machine armies, used to create further attacks against the Internet at large, such as spam or denial-of-service attacks. For that reason, we want Internet users to be extra vigilant and are raising the threat assessment to high."
Win32.MyDoom-AU is a worm that spreads via e-mail. It searches an infected computer's hard drive for e-mail addresses and then uses major search engines such as Lycos, Altavista, Yahoo and Google to harvest additional addresses in the same domain as the infected computer.
The worm also creates a mutex (http://www3.ca.com/securityadvisor/glossary.aspx#mutex) to ensure only one copy of the worm runs at a time. The mutex name is generated by combining the affected machine's name with the string "root" repeated multiple times. The worm arrives attached to an e-mail with a variable subject and message body. It chooses the attachment's file name and extension from the recipient's e-mail address and domain, so the message appears to be personalised. Reusing details of the user's own address and domain in the message is what entices the user to open the attachment, ultimately infecting the machine.
The subject line may be randomly generated or include one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The worm attempts to close windows with these names: rctrl_renwnd32, ATH_Note and IEFrame.
It also downloads and executes arbitrary files from the following domain: www.aoprojecteden.org
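The mail characteristics described above (the advisory's list of subject lines, an attachment name derived from the recipient's address, and the hostname-plus-"root" mutex) can be turned into a simple triage check. The following is an added example written for this page, not CA's code or a signature; the exact mutex layout (hostname followed by "root" at least twice) and the attachment-naming heuristic are assumptions, and the mail records are constructed.

```python
import re
from email.utils import parseaddr

# Subject lines named in the advisory, compared case-insensitively after whitespace normalisation.
KNOWN_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}

def normalise(text):
    return " ".join(text.lower().split())

def attachment_derived_from_recipient(attachment, recipient):
    """Heuristic (assumption): the attachment's stem is the recipient's local part,
    full domain or first domain label, matching how the advisory says the name is chosen."""
    _, addr = parseaddr(recipient)
    local, _, domain = addr.lower().partition("@")
    stem = attachment.rsplit(".", 1)[0].lower()
    candidates = {local, domain, domain.split(".")[0]} - {""}
    return stem in candidates

def score_message(msg):
    """Return the advisory-derived indicators a mail record matches."""
    reasons = []
    if normalise(msg.get("subject", "")) in KNOWN_SUBJECTS:
        reasons.append("subject matches advisory list")
    attachment = msg.get("attachment")
    if attachment and attachment_derived_from_recipient(attachment, msg.get("to", "")):
        reasons.append("attachment name derived from recipient address")
    return reasons

def is_suspicious(msg):
    # Subjects like "hi" are too common on their own; require both indicators before flagging.
    return len(score_message(msg)) >= 2

def mutex_matches(mutex_name, hostname):
    """Host-side check. Assumed layout: the machine name followed by 'root' at least twice."""
    pattern = re.escape(hostname) + r"(?:root){2,}"
    return re.fullmatch(pattern, mutex_name, re.IGNORECASE) is not None

# Constructed sample mail records (not real captures).
SAMPLE_MESSAGES = [
    {"to": "alice@example.org", "subject": "Returned mail: Data format error", "attachment": "alice.zip"},
    {"to": "bob@example.org", "subject": "Hi", "attachment": "quarterly.pdf"},
    {"to": "carol@example.org", "subject": "Mail System Error - Returned Mail", "attachment": "example.pif"},
]
```

Run `is_suspicious` over a mail log export to produce a review queue; the mutex check is meant for a host inventory of open mutex names, not for mail.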
CA urges users to update their anti-virus protection with the latest signatures.
Computer Associates International, Inc (NYSE:CA), one of the world's largest management software companies, delivers software and services across operations, security, storage, lifecycle and service management to optimise the performance, reliability and efficiency of enterprise IT environments. Founded in 1976, CA is headquartered in Islandia, New York and serves customers in more than 140 countries. For more information, please visit http://ca.com.