This week’s report on viruses and intruders looks at two worms from the same family, Mydoom.S and Mydoom.R, and a closely linked backdoor Trojan, Surila.B.
The S and R variants of Mydoom have the following characteristics, among others, in common:
– They spread via email in a message with the subject “photos” and an attachment called “PHOTOS_ARC.EXE”. When the user runs this file, it downloads and runs a backdoor Trojan detected by Panda Software as Surila.B.
– They open and listen on various ports, in order to allow an attacker to access and interfere with the computer (compromising the confidentiality of users’ data or impeding normal use of the computer).
– They prevent users from accessing the web pages of certain antivirus companies.
– They create the mutex: 43jfds93872, to make sure that there is no more than one copy of the worm running at the same time.
– They search files with the following extensions: ADB, ASP, DBX, HTM, PHP, PL, SHT, TBB, TXT and WAB, looking for email addresses containing certain text strings. If they find any, the Mydoom variants use their own SMTP engine to send copies of themselves to these addresses.
The differences between Mydoom.S and Mydoom.R include the size of the file they are hidden in, and the size of the file RASOR38A.DLL (which they create on the infected computer).
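The email lure described above (subject “photos”, attachment “PHOTOS_ARC.EXE”) is the part of Mydoom.R/S a mail gateway can check for. The following is an added example, not code from the report or from Panda Software: it parses a raw RFC 822 message with Python’s standard library and reports which of the report’s indicators it matches; the sample messages are constructed here and the indicator labels are my own naming.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the report's description of the Mydoom.R/S lure.
MYDOOM_SUBJECT = "photos"
MYDOOM_ATTACHMENT = "PHOTOS_ARC.EXE"


def mydoom_indicators(raw: bytes) -> list[str]:
    """Return the lure indicators matched by a raw message (labels are my own)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() == MYDOOM_SUBJECT:
        hits.append("subject:photos")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.upper() == MYDOOM_ATTACHMENT:
            hits.append("attachment:PHOTOS_ARC.EXE")
        elif name.upper().endswith(".EXE"):
            # Any other executable attachment is a weaker, generic indicator.
            hits.append("attachment:other-exe")
    return hits


def is_mydoom_lure(raw: bytes) -> bool:
    """Both report indicators together: the subject and the named attachment."""
    hits = mydoom_indicators(raw)
    return "subject:photos" in hits and "attachment:PHOTOS_ARC.EXE" in hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed sample message for testing; the attachment bytes are dummy data."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(b"not a real binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(mydoom_indicators(build_sample("photos", "PHOTOS_ARC.EXE")))
    print(mydoom_indicators(build_sample("Quarterly figures", "figures.pdf")))
```

A gateway rule built this way catches only the exact lure the report describes; variants that change the subject or attachment name need the hash or scanner signature instead.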
Today’s report ends with Surila.B. As mentioned above, this is a backdoor Trojan downloaded and run by Mydoom.S and Mydoom.R.
Surila.B affects computers with Windows 2003/XP/2000/NT, allowing attackers to access and interfere with them, for example by sending spam with a false sender address. To do this, it has a list of false names and surnames, which it combines with one of the following mail domains: aol.com, gmx.net, hotmail.com, mail.com, msn.com, t-online.de, yahoo.co.uk and yahoo.com.