8/2: MyDoom-P Sends Spoofed Emails

August 2, 2004

W32/Mydoom.p@MM is a new variant of W32/Mydoom that is packed with ASPack. The dropped SERVICES.EXE is the same binary W32/Mydoom.o@MM uses. The behavior is similar to W32/Mydoom.o@MM and bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • contains a peer to peer propagation routine

    From: (spoofed From: header)
    Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server stating that you are infected, which may not be the case.

    The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)

    More information is available on the McAfee page.
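
As an added example (not part of the original advisory or McAfee's write-up), the sketch below shows one way a mail administrator could triage messages whose From: header imitates a bounce from the recipient's own domain, as described above. It assumes that genuine delivery reports follow RFC 3464 (Content-Type multipart/report with report-type=delivery-status); the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Local parts the advisory lists for bounce-style spoofed From: addresses.
BOUNCE_LOCAL_PARTS = {"mailer-daemon", "noreply"}

def is_delivery_report(msg):
    """True if the message has the RFC 3464 delivery-report structure (assumption)."""
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")

def looks_like_spoofed_bounce(raw):
    """Triage hint, not a verdict: From: poses as a bounce address in the
    recipient's own domain, but the message is not a structured delivery report."""
    msg = message_from_string(raw)
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    if local not in BOUNCE_LOCAL_PARTS:
        return False
    to_domains = {addr.lower().rpartition("@")[2]
                  for _, addr in getaddresses(msg.get_all("To", []))}
    return domain in to_domains and not is_delivery_report(msg)

# Constructed sample messages (example.com / example.org are placeholders).
FAKE_BOUNCE = (
    "From: mailer-daemon@example.com\n"
    "To: alice@example.com\n"
    "Subject: Delivery failed\n"
    "Content-Type: text/plain\n\n"
    "Your message could not be delivered.\n")
REAL_DSN = (
    "From: MAILER-DAEMON@example.com\n"
    "To: alice@example.com\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
    "--b1\nContent-Type: message/delivery-status\n\n"
    "Final-Recipient: rfc822; bob@example.org\nAction: failed\nStatus: 5.1.1\n"
    "--b1--\n")
ORDINARY = (
    "From: bob@example.org\nTo: alice@example.com\nSubject: Lunch\n\nNoon?\n")

if __name__ == "__main__":
    for name, raw in [("fake", FAKE_BOUNCE), ("dsn", REAL_DSN), ("ordinary", ORDINARY)]:
        print(name, looks_like_spoofed_bounce(raw))
```

A hit only marks the message for closer inspection; legitimate internal notifications can also use a noreply address in the recipient's domain.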
