W32.Mydoom.M@mm – Symantec Statement

Symantec Security Response has identified a new variant of the Mydoom worm — W32.Mydoom.M@mm (also being called MyDoom.O). The worm was discovered today, July 26, and Symantec has upgraded this threat to a Level 4 (Level 5 being the most severe) due to increased submission rates. W32.mydoom.m@mm is the 12th variant of the original Mydoom threat. It was first discovered at the beginning of this year.

W32.Mydoom.M@mm is a mass-mailing worm that opens a back door — Backdoor.Zincite.A — on port 1034/tcp and uses its own SMTP engine to spread through e-mail. If a machine becomes infected with W32.Mydoom.M@mm, it will allow the attacker to have remote, unauthorised access to the machine. It will gather email addresses from files with .doc, .txt., .htm, and .html extensions. It will also query search.lycos.com, search.yahoo.com, www.altavista.com, and www.google.com to harvest additional e-mail addresses for possible distribution. When the worm finds an open Outlook window, it will attempt to send itself to the e-mail addresses it has found. This mass mailing may clog mail servers and downgrade system performance. The worm’s attachment will have a .cmd, .bat, .com, .exe, .pif, .scr, or .zip file extension, but the name of the attachment will vary. The From address will be spoofed, and the subject and body of the message will also vary (visit http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html for more details).

Symantec Security Response recommends that IT administrators filter attachments that are not on a list of approved types at the e-mail gateway and apply the Outlook E-mail Security Update (Q262631) in order to block user access to certain attachment types. This update will also notify the user of applications attempting to access the Outlook address book.

“As with past variants of Mydoom, both consumer and business computers can be affected by W32.Mydoom.M@mm,” said Richard Archdeacon, Symantec’s security services director. “Due to its mass-mailing capabilities, W32.Mydoom.M@mm is spreading rapidly. In order to be fully protected, all users should take necessary steps to protect their systems, such as installing security patches, having up-to-date virus definitions, and refraining from opening attachments or suspicious e-mails.”

Symantec Advice
1. Don’t Panic – this is a common type of threat that we see regulary at Symantec Security Response. Symantec see about 10-15 new viruses everyday.

2. This is a variant of a known threat, which does not leave lasting damage to your computer, but will cause it to mass email from your machine – possibly causing slow performance on your computer or network. It will also open a backdoor on your computer, potentially leaving you vulnerable to further attack at a later date. It will mail out to email addresses found on your computer, and it will also attempt to harvest additional email address from the major Internet search engines.

3. Update your antivirus immediately to ensure protection, also update any other outstanding updates for your firewall and other software as a matter of precaution and as part of safe computing practice.

4. If you are not sure you should go to www.symantec.com and use the Symantec Security Checker to verify your status and provide additonal advice.

5. Further technical information and removal tools are available on the Symantec website at www.symantec.com.