Weekly Report On Viruses And Intruders – Four Variants of Mydoom
Today’s report deals with seven worms (four variants of Mydoom: T, U, V and W; Mywife.D; Mywife.C; and Sdbot.AQA) and two adware programs, Neededware and WUpd.
Mydoom.T, Mydoom.U, Mydoom.V and Mydoom.W spread in emails with variable characteristics. The ‘T’ variant also uses the KazaA P2P program to propagate, making copies of itself with enticing names in the application’s shared folder.
The U, V and W variants of Mydoom connect to several websites, from which they try to download a file (a backdoor Trojan) and install it on the computer. Mydoom.T opens the Notepad application and displays garbled text.
The next worms we’ll look at in this report are Mywife.D and Mywife.C, which also spread via email in a message with variable characteristics. Both of these viruses also share the following features:
– A few seconds after they are run, they lock up the computer, as they consume all available processor time.
– They delete the files belonging to several antivirus programs, if those programs are installed in the directories specified in the worms’ code. They also delete the Windows Registry entries belonging to these antivirus programs, so that the applications are not run automatically the next time Windows starts, and they search for and terminate the processes of antivirus and computer security programs. This leaves the affected computer vulnerable to attacks from other malware.
– They also delete the entries belonging to other worms, such as Mydoom.A, Mimail.T and several variants of Bagle.
– They open Windows Media Player.
The last worm in this report is Sdbot.AQA, which spreads across computer networks. It first checks whether the infected PC is connected to a network; if so, it attempts to access shared resources by trying typical or simple passwords, and copies itself to any it can open.
Sdbot.AQA allows hackers to gain remote access to the affected computer in order to carry out actions that compromise user confidentiality or prevent the computer from working properly. Sdbot.AQA uses its own IRC client in order to join an IRC channel and accept remote control commands, such as launching Denial of Service (DoS) attacks against websites. It can also download and run files on the affected computer.
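The password-guessing behaviour described above leaves a recognisable trail: a burst of failed logons from one source against several accounts or shares in a short time. The following script is an added example, not code from the report or from any vendor; it runs a simple detection over a few constructed, simplified failed-logon records in a hypothetical text format and flags sources that match that pattern.

```python
"""Flag hosts that look like a worm guessing passwords against shared folders.

Added example: the log format below is a hypothetical, simplified rendering of
failed/successful share logons, and the records are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample records (not real telemetry), one event per line:
#   <ISO timestamp> <EVENT> src=<ip> user=<account> share=<share name>
SAMPLE_LOG = """\
2004-10-20T10:00:01 FAILED_LOGON src=192.168.1.45 user=Administrator share=C$
2004-10-20T10:00:01 FAILED_LOGON src=192.168.1.45 user=admin share=C$
2004-10-20T10:00:02 FAILED_LOGON src=192.168.1.45 user=Administrator share=ADMIN$
2004-10-20T10:00:02 FAILED_LOGON src=192.168.1.45 user=root share=C$
2004-10-20T10:00:03 FAILED_LOGON src=192.168.1.45 user=guest share=IPC$
2004-10-20T10:00:03 FAILED_LOGON src=192.168.1.45 user=Administrator share=D$
2004-10-20T10:05:10 FAILED_LOGON src=192.168.1.77 user=alice share=Docs
2004-10-20T10:05:40 SUCCESS_LOGON src=192.168.1.77 user=alice share=Docs
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) share=(?P<share>\S+)$"
)


def parse_records(text):
    """Parse the hypothetical log format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_share_bruteforce(records, threshold=5, window_seconds=60):
    """Return {src: summary} for sources with at least `threshold` failed
    logons inside `window_seconds` that span more than one account or share.

    A single user mistyping one password does not trip this; a worm cycling
    through simple passwords against several accounts and shares does.
    """
    failures = defaultdict(list)
    for rec in records:
        if rec["event"] == "FAILED_LOGON":
            failures[rec["src"]].append(rec)

    alerts = {}
    for src, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        span = (fails[-1]["ts"] - fails[0]["ts"]).total_seconds()
        users = {r["user"] for r in fails}
        shares = {r["share"] for r in fails}
        spread = len(users) > 1 or len(shares) > 1
        if len(fails) >= threshold and span <= window_seconds and spread:
            alerts[src] = {
                "failures": len(fails),
                "span_seconds": span,
                "users": sorted(users),
                "shares": sorted(shares),
            }
    return alerts


if __name__ == "__main__":
    for src, summary in find_share_bruteforce(parse_records(SAMPLE_LOG)).items():
        print(f"possible share brute-force from {src}: {summary}")
```

On the sample data the script reports 192.168.1.45 (six failures in two seconds across four accounts and four shares) and ignores 192.168.1.77, whose single failure is followed by a successful logon. In a real deployment the same logic would be fed from the Windows Security log rather than from this text format, and the threshold and window should be tuned to the network’s normal failure rate.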
Today’s report ends with Neededware and WUpd, two adware programs that allow programs to be downloaded and run without users’ consent. It is easy to tell whether these programs are on your computer, as they display advertising messages. WUpd also monitors users’ Internet activity, and uses the results to determine which adverts are displayed.