9/9: Mydoom-U Worm Packed with UPX
September 9, 2004

W32/Mydoom.u@MM is a new variant of the Mydoom worm and is packed with UPX. It bears the following characteristics:

  • contains its own SMTP engine for constructing messages
  • harvests target email addresses from the victim machine
  • forges the From: header of outgoing messages
  • downloads BackDoor-CEB.c over HTTP

From: (spoofed From: header)

Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

The From address is either one of the harvested addresses or constructed by taking a common name carried within the virus body and prepending it to the recipient's domain name. (ie.
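The From: construction described above (a common first name prepended to the recipient's own domain) is something a mail gateway can triage on. The following is an added example, not code from the original alert or from McAfee or Panda: it parses the From: and To: headers of a message and flags the pattern. The list of common names is a constructed placeholder, since the names actually carried in the worm body are not given on this page, and the sample messages are likewise constructed.

```python
"""Added example: heuristic check for the spoofed From: pattern described in
the Mydoom.U alert. Not the alert's own code; the name list is a placeholder."""
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholder list of first-name local parts. The real names
# embedded in the worm body are not listed in the alert (assumption).
COMMON_NAMES = {"john", "alice", "bob", "michael", "sandra"}


def split_address(header_value):
    """Return (localpart, domain), both lowercased, or (None, None) if the
    header does not contain a parsable user@domain address."""
    _, address = parseaddr(str(header_value))
    if "@" not in address:
        return None, None
    local, domain = address.rsplit("@", 1)
    return local.lower(), domain.lower()


def looks_like_mydoom_from(raw_message):
    """True when From: matches the construction the alert describes:
    a common first name at the recipient's own domain.

    A match says nothing about the apparent sender's machine, because the
    header is forged; use it for quarantine or triage, not for sending an
    'you are infected' notice back to the From: address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_local, from_domain = split_address(msg.get("From", ""))
    to_local, to_domain = split_address(msg.get("To", ""))
    if not from_domain or not to_domain:
        return False  # unparsable headers: no opinion from this heuristic
    return from_local in COMMON_NAMES and from_domain == to_domain


# Constructed sample messages for demonstration only.
SUSPICIOUS = (
    "From: john@example.org\n"
    "To: victim@example.org\n"
    "Subject: hi\n\nbody\n"
)
ORDINARY = (
    "From: helpdesk@corp.example\n"
    "To: victim@example.org\n"
    "Subject: hi\n\nbody\n"
)

if __name__ == "__main__":
    print("suspicious:", looks_like_mydoom_from(SUSPICIOUS))  # True
    print("ordinary:", looks_like_mydoom_from(ORDINARY))      # False
```

The check deliberately returns a boolean for quarantine decisions rather than identifying a "sender": as the alert notes, the From: address is forged, so neither the flagged address nor the bounce notices a mail server might generate are evidence of who is infected.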

More information is at the McAfee page.

According to Panda Software, which also issued an alert, Mydoom.U is a worm that connects to several web sites in order to download a file belonging to a backdoor. Mydoom.U spreads via e-mail in a message with variable characteristics.

Technical details are at this Panda Software page.
