2/22: MyDoom-BF Worm Sends Mass Emails
February 22, 2005

MyDoom-BF is another variant of the W32/Mydoom worm and is similar to previous variants. It bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • downloads the BackDoor-CEB.f trojan

    From: spoofed (see below)
    Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case: because the From: address is forged, bounces and antivirus notifications land on addresses that never sent the worm.

    The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)

    The following display names are used in this case:

  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "Mail Delivery Subsystem"

    The following subjects are used:

  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

    The virus constructs messages from pools of strings it carries in its body.

    The attachment may be a Windows executable carrying one of the following extensions:

  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD

    It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:

  • ZIP

    The attachment filename may be the user name (local part) of the target email address, or one of the following:

  • MAIL
  • FILE
  • TEXT

    The attachment may use a double extension, and there may be multiple spaces inserted between the two extensions so that the real, executable extension is pushed out of view in a mail client's attachment list.
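    The traits above (forged bounce sender, pooled display names and subjects, executable or nested-ZIP attachments, space-padded double extensions) are enough for a first-pass triage rule. The following is an added example written for this page; it is not McAfee's signature and not code from the original article. It parses a constructed sample message (the sender, recipient domain and attachment bytes are fabricated filler) and reports which of the listed traits the message matches, looking inside nested ZIP attachments as the worm's doubly-zipped variant requires.

```python
"""Triage a message against the MyDoom-BF traits listed above.

Added example for this page: a constructed heuristic, not McAfee's
signature and not worm code. The sample message and its attachment
bytes are fabricated filler.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Strings transcribed from the advisory, lower-cased for comparison.
BOUNCE_LOCALPARTS = {"mailer-daemon", "noreply", "postmaster"}
BOUNCE_DISPLAY_NAMES = {
    "postmaster", "mail administrator", "automatic email delivery software",
    "post office", "the post office", "bounced mail", "returned mail",
    "mail delivery subsystem",
}
SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"}
POOL_BASENAMES = {"mail", "file", "text"}
# "mail.txt      .exe": two extensions, the second pushed out of view.
DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}\s*\.[A-Za-z0-9]{1,4}$")
PADDED_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}\s{2,}\.[A-Za-z0-9]{1,4}$")


def ext_of(name):
    """Final extension with padding spaces removed, or '' if there is none."""
    _, dot, ext = name.strip().rpartition(".")
    return ext.strip().lower() if dot else ""


def zip_indicators(payload, depth=0, max_depth=3):
    """Walk a ZIP, recursing into nested ZIPs (the worm may double-zip)."""
    if depth > max_depth:
        return [f"zip nested deeper than {max_depth} levels"]
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                ext = ext_of(info.filename)
                if ext in EXEC_EXTENSIONS:
                    hits.append(f"executable inside zip: {info.filename!r}")
                elif ext == "zip":
                    hits.append(f"nested zip: {info.filename!r}")
                    hits += zip_indicators(zf.read(info), depth + 1, max_depth)
    except zipfile.BadZipFile:
        hits.append("zip attachment does not parse")
    return hits


def attachment_indicators(filename, payload, recipient_local=""):
    """Indicators a single attachment triggers (filename and content)."""
    hits = []
    name = filename.strip()
    ext = ext_of(name)
    base = name.split(".", 1)[0].strip().lower()
    if ext in EXEC_EXTENSIONS:
        hits.append(f"executable attachment extension .{ext}")
    if PADDED_EXT.search(name):
        hits.append("double extension padded with spaces")
    elif DOUBLE_EXT.search(name):
        hits.append("double extension")
    if base in POOL_BASENAMES or (recipient_local and base == recipient_local):
        hits.append(f"attachment base name {base!r} from the worm's naming pool")
    if ext == "zip":
        hits += zip_indicators(payload)
    return hits


def message_indicators(raw):
    """All indicators for one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_local, _, from_domain = from_addr.lower().rpartition("@")
    _, to_addr = parseaddr(str(msg.get("To", "")))
    to_local, _, to_domain = to_addr.lower().rpartition("@")
    # From: is forged; a "bounce" from the recipient's own domain is the tell.
    if from_local in BOUNCE_LOCALPARTS and from_domain == to_domain:
        hits.append("forged bounce: From: is a mail-system address at the recipient's domain")
    if display.strip().lower() in BOUNCE_DISPLAY_NAMES:
        hits.append("display name copied from a mail-system bounce")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject from the worm's string pool")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hits += attachment_indicators(part.get_filename() or "", payload, to_local)
    return hits


def nested_zip(inner_name, inner_bytes, layers):
    """Wrap inner_bytes in `layers` ZIP files (constructed test data)."""
    data, name = inner_bytes, inner_name
    for level in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level}.zip"
    return data


def build_sample():
    """Constructed message with the worm's traits; payloads are filler bytes."""
    msg = EmailMessage()
    msg["From"] = '"Mail Delivery Subsystem" <mailer-daemon@victim.example>'
    msg["To"] = "alice@victim.example"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was included as attachment.")
    msg.add_attachment(b"MZ filler, not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename="mail.txt      .exe")
    msg.add_attachment(nested_zip("alice.scr", b"filler", 2),
                       maintype="application", subtype="zip",
                       filename="alice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in message_indicators(build_sample()):
        print("-", hit)
```

    Treat the output as a score, not a verdict: a genuine delivery status notification from your own postmaster also trips the sender checks, so weight the attachment indicators (executable extension, padded double extension, executable inside a ZIP) far above the header ones, and never auto-notify the From: address, since it is forged.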

    An example email message and further details are available on McAfee's description page for this variant.
