Symantec Security Response - Tue, 27 July 2004
Symantec Security Response has identified a new variant of the Mydoom worm -- W32.Mydoom.M@mm. The worm was discovered
today, July 26, and Symantec has upgraded this threat to a Level 4 (Level 5 being the most severe) due to increased
submission rates.
At this time, Symantec has received a total of 728 submissions -- 129 of which are corporate submissions. Symantec's
DeepSight Threat Analyst Team has also increased the ThreatCon to a Level 2 (Level 4 being the most severe). The
Symantec ThreatCon provides a digital forecast of Internet activity, and a Level 2 rating signifies increased alertness.
W32.Mydoom.M@mm is a mass-mailing worm that opens a back door -- Backdoor.Zincite.A -- on port 1034/tcp and uses its own
SMTP engine to spread through e-mail. If a machine becomes infected with W32.Mydoom.M@mm, it will allow the attacker to
have remote, unauthorized access to the machine.
It will gather e-mail addresses from files with .doc, .txt, .htm, and .html extensions. It will also query
search.lycos.com, search.yahoo.com, www.altavista.com, and www.google.com to harvest additional e-mail addresses for
possible distribution. When the worm finds an open Outlook window, it will attempt to send itself to the e-mail
addresses it has found. This mass mailing may clog mail servers and downgrade system performance.
The worm's attachment will have a .cmd, .bat, .com, .exe, .pif, .scr, or .zip file extension, but the name of the
attachment will vary. The From address will be spoofed, and the subject and body of the message will also vary (visit
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html for more details).
Symantec Security Response recommends that IT administrators filter attachments that are not on a list of approved types
at the e-mail gateway and apply the Outlook E-mail Security Update (Q262631) in order to block user access to certain
attachment types. This update will also notify the user of applications attempting to access the Outlook address book.
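The gateway allowlist filter recommended above, as an added example (not Symantec's code): it parses a constructed message carrying the attachment shapes the advisory describes, quarantines anything whose final extension is not on an approved list, and inspects the members of .zip attachments. The approved list and the sample file names are assumptions.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed conservative gateway policy (not Symantec's list); the executable types the advisory names are all absent.
APPROVED = {".txt", ".pdf", ".doc", ".jpg", ".png", ".zip"}

def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""  # 'report.doc.exe' -> '.exe'; no dot -> ''

def archive_members(data):
    """Member file names of a zip attachment, or None if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m.filename for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        return None

def classify(part):
    """Return (verdict, reason) for one attachment part; the final extension decides."""
    ext = _ext(part.get_filename())
    if ext not in APPROVED:
        return "quarantine", f"extension {ext or 'missing'} not on approved list"
    if ext != ".zip":
        return "allow", "approved type"
    members = archive_members(part.get_payload(decode=True))
    if members is None:
        return "quarantine", "unreadable archive"
    bad = [m for m in members if _ext(m) not in APPROVED]
    return ("quarantine", "archive contains " + ", ".join(bad)) if bad else ("allow", "archive contents approved")

def check_attachments(raw):
    """Return (filename, verdict, reason) for each attachment of a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(part.get_filename() or "",) + classify(part) for part in msg.iter_attachments()]

def sample_message():
    """Constructed sample (not a real capture) with the attachment shapes the advisory describes."""
    msg = EmailMessage()
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="document.txt.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.scr", b"MZ...")  # executable hidden inside an archive
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="archive.zip")
    return msg.as_bytes()
```

Running `check_attachments(sample_message())` lets the plain text file through and quarantines both the double-extension executable and the archive carrying a .scr file.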
"As with past variants of Mydoom, both consumer and business computers can be affected by W32.Mydoom.M@mm," said Vincent
Weafer, senior director, Symantec Security Response. "Due to its mass-mailing capabilities, W32.Mydoom.M@mm is spreading
rapidly. In order to be fully protected, all users should take necessary steps to protect their systems, such as
installing security patches, having up-to-date virus definitions, and refraining from opening attachments or suspicious
e-mails."
ENDS