W32/Mydoom.U Worm

 Information about the W32/Mydoom.U Worm:

W32/Mydoom.U is an email worm. This worm is a variant of W32/Mydoom Worm. The worm will infect Windows systems. The worm spreads through email and attempts to download a backdoor.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The worm arrives with any one of the following subject:

<empty>
hi
Hi!
my
here
hello
News
Re: Hi
thanks!
You win!
Re: Hello
important
Re: Status
Thank you!
Information
Re: Message
Notice again
Re: Question
Private document
Re: Your document
read it immediately
Re: Proof of concept

The body of the infected mail will be a combination of Part A and Part B:

Part A:

<empty>
lol!
fun!
relax
game
fun game!
New game
fun photos
See the file.
apply patch.
Please confirm!
screensaverlol!
Virus removal tool
Can you confirm it?
Monthly news report.
Please answer quickly!
Waiting for a Response.
Your archive is attached.
You are infected by virus.
Please read the document.
I have attached document.
See attached file for details.
Please confirm the document.
Please read the attached file.
Please read the attached file!
Run this exe apply this patch!
Please read the attachment. Thanks!
Please read the important document.
For more details see the attachment.
For further details see the attachment.
Please see the attached file for details
Your requested mail has been attached.

Part B:

Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
MC-Afee AntiVirus - www.mcafee.com
F-Secure AntiVirus - www.f-secure.com
Panda AntiVirus - www.pandasoftware.com
Kaspersky AntiVirus - www.kaspersky.com
Bitdefender AntiVirus - www.bitdefender.com
MessageLabs AntiVirus - www.messagelabs.com

The name of the infected attachment will be any one of the following;

doc
file
text
test
data
body
readme
messge
document

The extension of the infected attachment will be any one of the following;

pif
zip
bat
scr
exe
cmd

Upon execution, the worm copies itself as WINSPF32.EXE on to the Windows System32 folder.

It also alters the windows registry at the following location to load itself during next startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

eml
dht
dbx
cgi
xls
wab
vbs
sht
php
msg
mht
jsp
htm
cfg
asp
uin
txt
tbb
stm

The worm attempts to download a backdoor from any of these websites;

http://www.ach.ch/
http://vugs.geog.uu.nl/
http://www.llc.unibo.it/
http://guttorm.hveem.no/
http://www.mercyships.de/
http://www.planetboredom.net/
http://www.hiw.kuleuven.ac.be/
http://www.surrenderzeeland.nl/

This worm first appeared on 09th September, 2004.

 Other names of W32/Mydoom.U Worm:

This Worm is also known as WORM_MYDOOM.U, W32/Mydoom.u@MM, Mydoom.U, W32/Mydoom.U.worm.