2/21: MyDoom-BE Worm Harvests Addresses

2/21: MyDoom-BE Worm Harvests Addresses
February 21, 2005

W32/Mydoom.be@MM is a variant of W32/Mydoom that is similar to previous variants. It bears the following characteristics:

mass-mailing worm constructing messages using its own SMTP engine

harvests email addresses from the victim machine

spoofs the From: address

downloads the BackDoor-CEB.f trojan

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected.

Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

mailer-daemon@(target_domain)

noreply@(target_domain)

postmaster@(target_domain)

The following display names are used in this case:

"Postmaster"

"Mail Administrator"

"Automatic Email Delivery Software"

"Post Office"

"The Post Office"

"Bounced mail"

"Returned mail"

"MAILER-DAEMON"

"Mail Delivery Subsystem"

Subject:
The following subjects are used:

hello

error

status

test

report

delivery failed

Message could not be delivered

Mail System Error - Returned Mail

Delivery reports about your e-mail

Returned mail: see transcript for details

Returned mail: Data format error

Body:
The virus constructs messages from pools of strings it carries in its body.

Attachment:
The attachment may be an EXE file with one of the following extensions:

EXE

COM

SCR

PIF

BAT

CMD

It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:

ZIP

More information can be found at McAfee page.