Several variants of Mydoom distributed globally
The end of the workweek saw the emergence of four variants from the notorious MyDoom family. The simultaneous distribution of several modifications of the same virus suggests the virus writers are using Web users to perfect their skills before releasing a more serious threat, as was the case, for example, with Beagle.
It seems the virus creators are looking for new jobs. At any rate, the line embedded in the body of the first of the MyDooms says exactly that:
We searching 4 work in AV industry.
All four MyDoom offspring are like twins, with only minor distinctions between them. As usual, the sender's address is spoofed by the worm. The sender's name is a combination of a commonplace first name and surname, such as "Parker", "Adams", "Rodriguez" or "Michael". The sender's domain is selected from cox.net, yahoo.com, msn.com, yahoo.co.uk, t-online.de, gmx.net, hotmail.com, aol.com, mail.com and dailymail.co.uk.
The subjects present the message sometimes as a screen saver ("screensaverlol!"), sometimes as a cleaning utility against some virus ("Virus removal tool"), and sometimes they warn legitimate users that their computers are infected: "You are infected by virus. Run this exe apply this patch!", "apply patch".
As usual, most message subjects are neutral, so as not to arouse the slightest suspicion that an infection is hidden inside:
See the file.
See attached file for details.
Monthly news report.
To confuse recipients further, most of these messages bear the signatures of well-known antivirus companies.
Remember: antivirus companies never distribute cleaning utilities against viruses via email! The Dr.Web® antivirus program has its own embedded curing mechanism for infected systems, and special curing utilities have never been produced.
The attachment names are quite trivial and may read "antivirus.exe", "patch.exe", "new.exe", "photo.exe" or "bill.zip". Their extensions can be .exe, .scr or .zip. Some attachments have double extensions with multiple blanks between them, for example:
Message.html .pif
mesg.rtf .pif
The first extension (.doc, .rtf or .html) is there to give the false impression that the enclosed file is a harmless document, while the second one (.pif), which is what Windows actually uses to decide how to open the file, marks the attachment as executable. In most cases users do not even see the second extension, as Windows does not display it by default, and the run of blanks pushes it out of view even where it is shown.
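The lure traits above (a spoofed freemail sender, a "you are infected" subject, a blank-padded double extension and a ZIP wrapping an executable) can be turned into a simple mail-filter check. The Python below is an added example written for this article, not Dr.Web or SpiderMail code; the sample message it builds, the filenames and the placeholder payloads are all constructed here for illustration, and the lure phrases are the ones quoted in the text.

```python
"""Flag MyDoom-style lure attachments in a raw RFC 822 message.

Added example for this article, not Dr.Web code.  The message returned by
build_sample_message() is constructed for illustration only."""
import base64
import email
import io
import re
import zipfile

# Extensions Windows runs on a double-click.
EXEC_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
# Subject lures quoted in the article, lower-cased for matching.
LURE_SUBJECTS = ("screensaver", "virus removal tool", "you are infected",
                 "apply patch", "apply this patch")
# "<stem>.<decoy ext><one or more blanks>.<real ext>", e.g. "Message.html      .pif"
DOUBLE_EXT_RE = re.compile(r"^.+\.(?P<decoy>[a-z0-9]{1,4})\s+\.(?P<real>[a-z0-9]{1,4})$", re.I)
# Constructed attachment name: decoy .html extension, 20 blanks, then .pif.
DOUBLE_EXT_NAME = "Message.html" + " " * 20 + ".pif"


def classify_filename(name):
    """Verdict for a bare attachment name."""
    m = DOUBLE_EXT_RE.match(name)
    if m and m["real"].lower() in EXEC_EXTS:
        return "double-extension"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTS:
        return "executable"
    if ext == "zip":
        return "archive"
    return "benign-name"


def classify_part(part):
    """(filename, verdict) for a MIME part that carries a file, else None.
    ZIP attachments are opened in memory so that a bill.zip holding bill.exe
    is not waved through on the strength of its outer name."""
    name = part.get_filename()
    if not name:
        return None
    verdict = classify_filename(name)
    if verdict == "archive":
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                inner = [classify_filename(n) for n in z.namelist()]
        except zipfile.BadZipFile:
            return name, "archive-unreadable"
        if any(v in ("executable", "double-extension") for v in inner):
            verdict = "archive-with-executable"
    return name, verdict


def attachment_verdicts(raw):
    """All (filename, verdict) pairs found in a raw message string."""
    msg = email.message_from_string(raw)
    return [r for r in (classify_part(p) for p in msg.walk()) if r]


def subject_is_lure(raw):
    subject = (email.message_from_string(raw)["Subject"] or "").lower()
    return any(lure in subject for lure in LURE_SUBJECTS)


def is_suspicious(raw):
    bad = {"double-extension", "executable", "archive-with-executable", "archive-unreadable"}
    return subject_is_lure(raw) or any(v in bad for _, v in attachment_verdicts(raw))


def build_sample_message():
    """Constructed message mimicking the article: spoofed freemail sender, lure
    subject, blank-padded double extension and a ZIP wrapping an "executable".
    The payloads are text placeholders, not malware."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("bill.exe", b"MZ placeholder, not a real executable")
    zip_b64 = base64.b64encode(zbuf.getvalue()).decode()
    pif_b64 = base64.b64encode(b"MZ placeholder, not a real executable").decode()
    return (
        "From: Parker <parker@cox.net>\r\n"
        "To: victim@example.com\r\n"
        "Subject: You are infected by virus. Run this exe apply this patch!\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee the file.\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{DOUBLE_EXT_NAME}"\r\n'
        f"Content-Transfer-Encoding: base64\r\n\r\n{pif_b64}\r\n"
        "--b1\r\nContent-Type: application/zip\r\n"
        'Content-Disposition: attachment; filename="bill.zip"\r\n'
        f"Content-Transfer-Encoding: base64\r\n\r\n{zip_b64}\r\n"
        "--b1--\r\n"
    )


if __name__ == "__main__":
    sample = build_sample_message()
    print(attachment_verdicts(sample))
    print("suspicious:", is_suspicious(sample))
```

The filename check deliberately keys on the last extension after the run of blanks rather than on the decoy one, which is the same decision Windows makes when the file is opened; a real filter would also run the decoded payload through the scanner, which this example leaves out.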
Having penetrated a system, the virus first of all tries to send copies of itself via email, using mail addresses harvested on the infected machine. It is truly mass distribution: the worms create several parallel threads to connect to an SMTP server whose name they find on the system and send messages with the infected attachment to a long list of recipients.
To secure their launch at every system startup, the worms copy themselves into the System folder and into %USERPROFILE%\Start Menu\Programs\Startup\. Once in a system, they also download from the Internet and run Trojanized utilities that give the malefactors remote access to the infected PCs.
See, for example, the list of corresponding URLs from the body of Win32.HLLM.MyDoom.34816:
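A workstation that suddenly opens dozens of parallel SMTP connections is the network-side symptom of the mass mailing described above. The Python below is an added detection example written for this article, not Dr.Web code: it reads connection-log lines in a format constructed here, counts outbound port-25 SYNs per source inside a sliding window, and reports the hosts that exceed a threshold. The log format, the addresses, the window and the threshold are all assumptions for illustration.

```python
"""Spot a host that is mass-mailing over SMTP from connection logs.

Added example for this article, not Dr.Web code.  The log line format,
addresses and sample entries below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<date> <time> <src>:<sport> -> <dst>:<dport> SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def make_sample_log():
    """Constructed sample: 10.0.0.7 opens 30 SMTP connections in 30 seconds
    (worm-like), 10.0.0.9 opens three over ten minutes (an ordinary mail client)."""
    t0 = datetime(2004, 7, 16, 10, 2, 0)
    lines = []
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} 10.0.0.7:{1025 + i} -> 198.51.100.{10 + i % 5}:25 SYN")
    for i in range(3):
        ts = (t0 + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f"{ts} 10.0.0.9:{2000 + i} -> 198.51.100.25:25 SYN")
    return lines


def parse_smtp_syns(lines):
    """Return (timestamp, src) for every outbound SYN to port 25, in time order.
    Lines that do not match the format are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["dport"] == "25":
            events.append((datetime.strptime(m["ts"], TS_FMT), m["src"]))
    events.sort()
    return events


def find_mass_mailers(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak} for sources that open at least `threshold` SMTP
    connections inside any interval of length `window`.  One deque per source
    keeps only the timestamps still inside the window, so memory stays bounded
    by the burst size rather than the log size."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src in parse_smtp_syns(lines):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_mass_mailers(make_sample_log()))  # {'10.0.0.7': 30}
```

On a network where only the mail server is expected to speak SMTP outbound, the same data supports an even simpler rule (any port-25 SYN from a workstation is an alert); the windowed count is for environments where clients legitimately relay through a local SMTP server and only the burst is abnormal.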
http://www.mer.....s.de/html/content/guestbook/data/data2.dat
http://69.93....6/blood.gif
http://64.40.98.94/icon/icon.exe
http://www......it/forumBB/postmsg.gif
http://www.......com/adclik/click.dat
http://www.ma.....work.com/heyyo/wassup/00000008.cgi
Curiously, even two days after the worm appeared some of these URLs are still active and still serve Trojan programs (detected by Dr.Web® as Trojan.MulDrop.973).
All new MyDoom variants of this week have been added immediately to the Dr.Web® virus definition database. In case of infection, launching the Dr.Web antivirus scanner neutralizes the worms and deletes them from the system. The SpiderMail antivirus mail filter will prevent mass distribution of infected messages even before the virus database is updated on the infected computer.