|
Description:
Like earlier MYDOOM variants, this worm spreads via email through SMTP (Simple Mail Transfer Protocol), gathering target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives. Notably, it skips email addresses that contain certain strings.
When it finds an email address, it gets the domain name of that email address and queries the following search engines to search for email addresses in the same domain:
- http://search.lycos.com
- http://www.altavista.com
- http://search.yahoo.com
- http://www.google.com
It does this to gather more and more addresses to spam.
Using social engineering techniques, this worm sends out an email with a spoofed sender's name and poses as a failure delivery notification.
Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.
The email message it sends has varying subjects, message bodies, and attachment file names. For specific details about this worm's email message, please click here.
Apart from simply spreading via email, this worm also carries backdoor functionalities that leaves the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens TCP port 1034 and waits for outside connections. This routine virtually hands over control of the affected machine to a remote attacker.
For additional information about this threat, see:
Solution
Technical Details
Description created: Jul. 26, 2004 7:12:15 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
