9/9: Mydoom-U Worm Packed with UPX

September 9, 2004

W32/Mydoom.u@MM is a new variant of the Mydoom mass-mailing worm and is packed with the UPX executable packer. It bears the following characteristics:

  • contains its own SMTP engine for constructing messages
  • harvests target email addresses from the victim machine
  • forges the From: header of outgoing messages
  • downloads BackDoor-CEB.c over HTTP

    From: (spoofed From: header)

    Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

    The from address is either one of the harvested addresses or constructed by taking a common name carried within the virus body and prepending it to the recipient's domain name. (ie.

    More information is on McAfee's page.

    According to Panda Software, which also issued an alert, Mydoom.U is a worm that connects to several web sites in order to download a file belonging to a backdoor. Mydoom.U spreads via e-mail in a message with variable characteristics.

    Technical details are at this Panda Software page.
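The spoofed From: header described above makes the sender address useless as an indicator of which machine is infected. The Python below is an added example, not code from the original article, McAfee or Panda, showing how a mail gateway could flag the Mydoom pattern of a sender at the recipient's own domain arriving from outside the organisation's relays. It assumes a local domain of example.com, a trusted relay range of 192.0.2.0/24, and three constructed sample messages; none of these come from the page.

```python
"""Flag Mydoom-style forged From: headers at a mail gateway."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Assumed for this example: the domain our MX accepts mail for, and the
# address range of our own relays (anything else is "the outside").
LOCAL_DOMAIN = "example.com"
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# IPv4 literal in square brackets, as MTAs write it in Received: headers.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr_header):
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def handoff_ip(msg):
    """IP of the host that connected to our edge MX.

    Received: headers are prepended hop by hop, so the topmost one was
    written by our own MTA and is the only one the sender could not forge.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(str(received[0]))
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    """True if the handing-off host is one of our own relays."""
    return ip is not None and any(ip in net for net in TRUSTED_RELAYS)


def classify(raw_message):
    """Classify a raw RFC 822 message.

    'forged-local-sender': From: claims our own domain (the Mydoom pattern
        of <name>@<recipient domain>) but the message reached us from
        outside our relays, so the named sender is not the infected party.
    'internal': From: is our domain and it came through our own relay.
    'external': From: is another domain; it may still be a harvested
        address, so it proves nothing about who is infected either.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg["From"])
    if from_dom == LOCAL_DOMAIN:
        return "internal" if is_trusted(handoff_ip(msg)) else "forged-local-sender"
    return "external"


# Constructed sample messages (not real captures). In FORGED the topmost
# Received: line, written by our MX, shows an outside host handing us a
# message that claims to be from one of our own users.
FORGED = """\
Received: from pc-1234.isp.example ([203.0.113.45]) by mx.example.com
Received: from [192.168.1.20] by pc-1234.isp.example
From: bob@example.com
To: alice@example.com
Subject: hello

(body)
"""

INTERNAL = """\
Received: from smtp.example.com ([192.0.2.10]) by mx.example.com
From: alice@example.com
To: bob@example.com
Subject: status

(body)
"""

EXTERNAL = """\
Received: from pc-1234.isp.example ([203.0.113.45]) by mx.example.com
From: "Carol" <carol@partner.example>
To: alice@example.com
Subject: hi

(body)
"""

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("INTERNAL", INTERNAL), ("EXTERNAL", EXTERNAL)):
        print(f"{name}: {classify(raw)}")
```

The check only trusts the Received: line our own MX wrote; everything below it, and the From: line itself, is under the sender's control. It catches the "common name @ recipient's domain" construction but, as the advisory notes, a harvested external address is just as likely to be forged, so an "external" verdict is not evidence that the named sender is infected.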
