DAWN Ontario: DisAbled Women's Network Ontario

Technology Info, Tips, FAQs You Can Use

Virus Information

New Worm Virus Alert
W32.Mydoom.AX@mm

Virus Alert - February 18, 2005


A new version of the Mydoom worm is now in circulation. W32.Mydoom.AX@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it retrieves from the Windows Address Book on the infected computer. It affects all versions of Windows.

This new worm has the following characteristics.

From: (the From address will be spoofed)

The spoofed From address uses one of the following display names at various domains:

  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"


Subject:

  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error delivered


Message Body:

The text varies. From each group in braces, one of the alternatives separated by " | " is chosen; items in square brackets are replaced with the values described. The body will appear as:

Dear user {[recipient's email address]|of [recipient's email domain]},{ {{M|m}ail {system|server} administrator|administration} of [recipient's email domain]
would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{
commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a
{trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{[recipient's email domain] {user |technical |}support team.|The [recipient's email domain] {support |}team.}

{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

Your message {was not|could not be} delivered within [random number] days:
{{{Mail s|S}erver}|Host} [host used to send the email]} is not responding.
The following recipients {did|could} not receive this message:
[[recipient's email address]]
Please reply to postmaster@{[sender's email domain]|[recipient's email domain]}
if you feel this message to be in error.
The original message was received at [current time]{
| }from {[sender's email domain] ]|{[host used to send the email]]|]}}
----- The following addresses had permanent fatal errors -----
{[[recipient's email address]]|[recipient's email address]}
{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server ||||}{[recipient's email domain].|[host used to send the email]]}:
{]]] MAIL F{rom|ROM}:[From address of mail]
[[[ 50$d {[From address of mail]... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 [[recipient's email address]]... {Mail quota
exceeded|Message is too
large}
554 [[recipient's email address]]... Service unavailable|550 5.1.2 [[recipient's email address]]... Host unknown (Name server: host not found)|554 {5.0.0
|}Service unavailable; ] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
Session aborted{, reason: lost connection|}|]]] RCPT To:[[recipient's email address]]
[[[ 550 {MAILBOX NOT FOUND|5.1.1 [[recipient's email address]]... {User unknown|Invalid recipient|Not known here}}|]]] DATA
{[[[ 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{[[[ 400-aturner; -RMS-E-CRE, ACP file create failed
|}{[[[ 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}[[[ 400}|}

The original message was included as an attachment.

{{The|Your} m|M}essage could not be delivered


Attachment:

The attachment uses a filename generated from an email address that the worm finds on the compromised computer, or one of the following names...

  • ATTACHMENT
  • DOCUMENT
  • FILE
  • INSTRUCTION
  • LETTER
  • MAIL
  • MESSAGE
  • README
  • TEXT
  • TRANSCRIPT

... using one of the following extensions:

  • .bat
  • .cmd
  • .com
  • .exe
  • .pif
  • .scr
  • .zip

Note: If the attachment is a .zip file, a copy of the worm will be contained within. The attachment may also be zipped twice.
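As an added example (not code from this alert, from DAWN Ontario or from Symantec), the following Python mail-filter check turns the From, Subject and Attachment characteristics listed above into a scoring rule, and follows the note about double-zipped attachments by looking inside nested archives. The indicator sets are copied from this alert; the function names, the quarantine rule and the constructed sample messages are assumptions of the example.

```python
"""Added example, not from the DAWN Ontario alert or Symantec's write-up: a mail
filter that scores a message against the W32.Mydoom.AX@mm indicators listed above.
Indicator sets are copied from the alert; the rest is this example's own construction."""
import email.utils
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert (compared case-insensitively).
SPOOFED_DISPLAY_NAMES = {
    "postmaster", "mail administrator", "automatic email delivery software",
    "post office", "the post office", "bounced mail", "returned mail",
    "mailer-daemon", "mail delivery subsystem",
}
SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail", "returned mail: see transcript for details",
    "returned mail: data format error delivered",
}
ATTACHMENT_NAMES = {"attachment", "document", "file", "instruction", "letter",
                    "mail", "message", "readme", "text", "transcript"}
ATTACHMENT_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}
EXECUTABLE_EXTS = ATTACHMENT_EXTS - {".zip"}
MAX_ZIP_DEPTH = 2  # the alert notes the attachment may be zipped twice


def executables_in_zip(data, depth=0):
    """Names with an executable extension inside a zip, descending into nested
    zips up to MAX_ZIP_DEPTH levels so a double-zipped payload is still seen."""
    if depth > MAX_ZIP_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                found.append(name)
            elif ext == ".zip":
                found.extend(executables_in_zip(zf.read(name), depth + 1))
    return found


def score_message(raw):
    """Parse a raw RFC 5322 message and return the indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    display_name, _ = email.utils.parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() in SPOOFED_DISPLAY_NAMES:
        hits.append("spoofed-display-name")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("lure-subject")
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext in ATTACHMENT_EXTS:
            hits.append("risky-attachment-extension")
        if stem in ATTACHMENT_NAMES:
            hits.append("lure-attachment-name")
        if ext == ".zip" and executables_in_zip(part.get_payload(decode=True)):
            hits.append("executable-inside-zip")
    return hits


def is_mydoom_like(raw):
    """Quarantine rule: a risky attachment extension plus at least one more indicator."""
    hits = set(score_message(raw))
    return "risky-attachment-extension" in hits and len(hits) > 1


def build_sample(from_hdr, subject, body, attachment=None):
    """Construct a test message (constructed for this example, not real traffic)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_hdr, "user@example.org", subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment[1], maintype="application",
                           subtype="octet-stream", filename=attachment[0])
    return msg.as_bytes()


def nested_zip(inner_name, levels=2):
    """Wrap a harmless placeholder file in `levels` nested zip archives."""
    data, member = b"placeholder bytes, not a real executable", inner_name
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), "MESSAGE.zip"
    return data

SAMPLES = {  # constructed messages mirroring the alert's description
    "lure": build_sample("Mail Delivery Subsystem <MAILER-DAEMON@example.net>",
                         "Returned mail: see transcript for details",
                         "The original message was included as an attachment.",
                         ("MESSAGE.zip", nested_zip("MESSAGE.exe"))),
    "benign": build_sample("Alice <alice@example.net>", "Lunch on Friday?",
                           "Does noon work for you?", ("agenda.txt", b"1. budget")),
}
```

Because the From header is spoofed, a matching display name says nothing about where the message really came from, so the rule treats it only as one lure indicator and never quarantines without a risky attachment extension as well; the nested-zip walk stops at a fixed depth so a deliberately deep archive cannot stall the filter.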


More details, including a removal tool, can be found at http://www.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html .

Please delete such messages without opening them.

If you haven't already done so, please update your AntiVirus software.


Website created & maintained
courtesy of Barbara Anello

DAWN Ontario
Box 1138 North Bay, ON P1B 8K4