Computer Associates International, Inc. has raised its threat assessment for the Win32.Mydoom-AU variant (also known as Mydoom BB and Mydoom-AW) to high, citing how widespread the variant has become and its ability to download the Win32.Gavvo trojan and recruit the infected machine into a zombie network that is then used for further attacks.
“The variant knocking at the front door is fairly familiar, but it is leaving the backdoor open to something much more sinister,” said Simon Perry, senior vice president, eTrust Security Management. “Over the last 18 months we have seen a general trend toward the creation of zombie or slave-machine armies, used to create further attacks against the Internet at large, such as spam or denial of service attacks. For that reason, we want Internet users to be extra vigilant and are raising the threat assessment to high.”
Win32.Mydoom-AU is a worm that spreads via e-mail. It searches the infected computer's hard drive for e-mail addresses and then queries major search engines such as Lycos, Altavista, Yahoo and Google to harvest additional addresses in the same domain as the infected computer.
The worm also creates a named mutex so that only one copy of the worm runs at a time; a second copy that finds the mutex already present exits. The mutex name is built from the affected machine's name followed by the string "root" repeated multiple times.
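A responder can turn that single-instance check into an infection marker: if a mutex matching the worm's naming rule exists on a host, a copy of the worm is (or was, in this session) running. The script below is an added example, not CA's code or anything from the advisory. It assumes the naming rule is "machine name + `root` repeated N times"; because the advisory does not give N, it enumerates a small range of repeat counts (`max_repeats` is an assumed bound), and it uses the Win32 `OpenMutexW` call via `ctypes`, so the live check only does anything on Windows.

```python
import ctypes
import os
import socket
import sys

SYNCHRONIZE = 0x00100000   # minimal access right needed to open an existing mutex
ERROR_ACCESS_DENIED = 5    # returned when the object exists but we may not open it


def candidate_mutex_names(machine_name, max_repeats=8):
    """Assumed reconstruction of the worm's naming rule: machine name followed
    by "root" repeated 1..max_repeats times. The advisory gives no repeat
    count, so every count in the range is tried."""
    return [machine_name + "root" * n for n in range(1, max_repeats + 1)]


def mutex_exists(name):
    """Return True if a mutex with this name exists in the caller's session,
    False if it does not, or None when not running on Windows."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    # ACCESS_DENIED still means the object exists (created by another user or
    # integrity level); any other error is treated as "not present".
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def scan_for_infection_marker(machine_name=None):
    """Return the candidate mutex names that are currently present on this host."""
    machine_name = (machine_name
                    or os.environ.get("COMPUTERNAME")
                    or socket.gethostname())
    return [n for n in candidate_mutex_names(machine_name) if mutex_exists(n)]


if __name__ == "__main__":
    hits = scan_for_infection_marker()
    print("matching mutex present:" if hits else "no matching mutex", hits)
```

The mutex is per-session, so run the check in the session of the user who opened the attachment; an absent mutex after a reboot proves nothing. The same single-instance logic is also why a pre-created mutex of the exact name would stop the worm from starting, but that only works once the precise name (including the repeat count) is known.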
The worm arrives attached to an e-mail with a variable Subject and Message Body. It derives the attachment's file name and extension from the recipient's e-mail address and domain, so the message looks personalised and the recipient is more likely to open the attachment, which infects the machine.
The Subject line may be randomly generated or include one of the following:
hello, hi, error, status, test, report, delivery failed, Message could not be delivered, Mail System Error - Returned Mail, Delivery reports about your e-mail, Returned mail: see transcript for details or Returned mail: Data format error
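A mail-gateway heuristic built from the indicators above flags a message when its Subject is one of the listed lures and it carries an executable attachment named after the recipient. The code below is an added example and is not from CA or the advisory. The advisory does not list the attachment extensions, so `RISKY_EXTENSIONS` is an assumption, as is the reading of "derived from the recipient's address and domain" as "the file's stem equals the local part or the domain"; the two sample messages are constructed for the demonstration.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Subject lines listed in the advisory, lower-cased for comparison.
LURE_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}

# Assumed set of extensions worth flagging; not taken from the advisory.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com", ".zip"}


def classify(raw_message):
    """Return the list of reasons a message looks like a Mydoom-AU lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    _, addr = parseaddr(msg["To"] or "")
    local, _, domain = addr.lower().partition("@")
    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append("lure subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            reasons.append("risky attachment " + name)
            # Assumption: "named after the recipient" means the stem is the
            # local part, the full domain, or the domain's first label.
            if stem in {local, domain, domain.split(".")[0]}:
                reasons.append("attachment named after recipient")
    return reasons


def is_suspect(raw_message):
    """A lure subject alone is too common to block on; require a second indicator."""
    return len(classify(raw_message)) >= 2


# Constructed sample messages (not real captures).
WORM_LIKE = """\
From: postmaster@example.com
To: alice@example.com
Subject: Mail System Error - Returned Mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as attachment.
--b1
Content-Type: application/octet-stream; name="alice.exe"
Content-Disposition: attachment; filename="alice.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

BENIGN = """\
From: bob@example.com
To: alice@example.com
Subject: status
Content-Type: text/plain

Build is green.
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, is_suspect(raw), classify(raw))
```

The short subjects ("hi", "test", "status") are everyday traffic, which is why the subject match on its own only contributes to a score; the attachment indicators carry the decision.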
The worm attempts to close windows with these window class names (used by Outlook, Outlook Express and Internet Explorer respectively):
rctrl_renwnd32, ATH_Note and IEFrame
It also downloads and executes arbitrary files from a web site; this is the mechanism by which it can pull down the Win32.Gavvo trojan mentioned above.
CA urges users to update their anti-virus protection with the latest signatures.