Center for Information Technology: Antivirus
Virus Alerts

W32/Mydoom.f@MM Last Updated 2/24/04 10:00am

CIT was notified of a new variant of the W32/Mydoom@MM email virus called W32/Mydoom.f@MM. This mass-mailing worm has a self-contained SMTP engine and opens a backdoor component on TCP port 1080. The virus copies itself to local shares and mapped drives. Files with the extensions .bmp, .avi, .jpg, .sav, .xls, .doc, and .mdb are targeted and deleted. If the infected system's date is between the 17th and 22nd of any month, the worm performs a denial-of-service attack against www.microsoft.com and www.riaa.com.

In email form, W32/Mydoom.f@MM appears as follows:

From: (spoofed)

Subject: (one of the following)

  • (Blank)
  • Announcement
  • Approved
  • News
  • Attention
  • automatic responder
  • Bug
  • Current Status
  • EXPIRED ACCOUNT
  • For your information
  • hello
  • hi, it's me
  • hi
  • IMPORTANT
  • Information Warning
  • Love is Love is...
  • Please read
  • Please reply
  • Re: Approved
  • Re: Thank You
  • Re:
  • Read it immediately
  • read now!
  • Read this
  • Readme
  • Recent news
  • Something for you
  • Undeliverable message
  • Unknown
  • You have 1 day left
  • You use illegal File Sharing...
  • Your IP was logged
  • Your account is about to be expired
  • Your credit card
  • Your order is being processed
  • Your order was registered
  • Your request is being processed
  • Your request was registered

Message: (varies)

  • Check the attached document.
  • Details are in the attached document. You need Microsoft Office to open it.
  • Greetings
  • Here is the document.
  • Here it is
  • I have your password :)
  • I wait for your reply.
  • I'm waiting Okay
  • I'm waiting
  • Information about you
  • Is that from you?
  • Is that yours?
  • Kill the writer of this document!
  • OK Everything ok?
  • Please see the attached file for details
  • Please, reply
  • Read the details.
  • Reply
  • See the attached file for details
  • See you Here it is
  • See you
  • Something about you
  • Take it
  • The document was sent in compressed format.
  • We have received this document from your e-mail.
  • You are a bad writer
  • You are bad

Attachment: (ZIP file with double extensions like .doc.com, .rtf.bat, .txt.cmd) 34,568 bytes

  • creditcard
  • details
  • mail
  • notes
  • part1
  • paypal
  • photo
  • textfile
  • vpf
  • website
  • %random characters%.zip

The attachment appears as if it is a text file.
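
As an added example (not part of the original alert), a mail-gateway style check for the attachment pattern described above: a ZIP whose member name ends in a document-looking extension followed by an executable one. The function names and extension sets are assumptions drawn from the three examples the alert lists, and the sample archive is constructed with placeholder content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Final (real) extensions named in the alert; assumption: extend per local policy.
EXECUTABLE_EXTS = {".com", ".bat", ".cmd"}
# Document-looking decoy extensions named in the alert.
DECOY_EXTS = {".doc", ".rtf", ".txt"}


def double_extension_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names whose last two extensions are
    decoy + executable (e.g. 'details.doc.com'). Raises ValueError
    if the attachment cannot be read as a ZIP."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("attachment is not a readable ZIP") from exc
    hits = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise case, path separators and trailing dots/spaces,
            # which Windows ignores when resolving the file type.
            name = info.filename.replace("\\", "/").rstrip(". ").lower()
            # Tolerate whitespace around each extension.
            suffixes = [s.strip() for s in PurePosixPath(name).suffixes]
            if (len(suffixes) >= 2
                    and suffixes[-1] in EXECUTABLE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append(info.filename)
    return hits


def build_sample_zip(names):
    """Build a constructed in-memory ZIP with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["details.doc.com", "notes.txt", "sub/photo.RTF.BAT"])
    for member in double_extension_members(sample):
        print("quarantine: double-extension member", member)
```
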

For more information:

http://vil.nai.com/vil/content/v_101038.htm from NAI.
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html from Symantec.


NAI released Dat/SuperDat 4327 to detect and remove W32/Mydoom.f@MM. The 4327 DAT/SuperDat is now available.

Symantec released new definitions dated 2/23/04. The current definitions are available through the LiveUpdate feature of Symantec Antivirus.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support