Symantec Security Response 27 July 2004
Symantec Security Response - Tue, 27 July 2004
Symantec Security Response has identified a new variant of the Mydoom worm -- W32.Mydoom.M@mm. The worm was discovered today, July 26, and Symantec has upgraded this threat to a Level 4 (Level 5 being the most severe) due to increased submission rates.
At this time, Symantec has received a total of 728 submissions -- 129 of which are corporate submissions. Symantec's DeepSight Threat Analyst Team has also increased the ThreatCon to a Level 2 (Level 4 being the most severe). The Symantec ThreatCon provides a digital forecast of Internet activity, and a Level 2 rating signifies increased alertness.
W32.Mydoom.M@mm is a mass-mailing worm that opens a back door -- Backdoor.Zincite.A -- on port 1034/tcp and uses its own SMTP engine to spread through e-mail. If a machine becomes infected with W32.Mydoom.M@mm, it will allow the attacker to have remote, unauthorized access to the machine.
It will gather email addresses from files with .doc, .txt., .htm, and .html extensions. It will also query search.lycos.com, search.yahoo.com, www.altavista.com, and www.google.com to harvest additional e-mail addresses for possible distribution. When the worm finds an open Outlook window, it will attempt to send itself to the e-mail addresses it has found. This mass mailing may clog mail servers and downgrade system performance.
The worm's attachment will have a .cmd, .bat, .com, .exe, .pif, .scr, or .zip file extension, but the name of the attachment will vary. The From address will be spoofed, and the subject and body of the message will also vary (visit http://firstname.lastname@example.org ml for more details).
Symantec Security Response recommends that IT administrators filter attachments that are not on a list of approved types at the e-mail gateway and apply the Outlook E-mail Security Update (Q262631) in order to block user access to certain attachment types. This update will also notify the user of applications attempting to access the Outlook address book.
"As with past variants of Mydoom, both consumer and business computers can be affected by W32.Mydoom.M@mm," said Vincent Weafer, senior director, Symantec Security Response. "Due to its mass-mailing capabilities, W32.Mydoom.M@mm is spreading rapidly. In order to be fully protected, all users should take necessary steps to protect their systems, such as installing security patches, having up-to-date virus definitions, and refraining from opening attachments or suspicious e-mails."