1. /
  2. Security Response/
  3. W32.Mydoom.A@mm

W32.Mydoom.A@mm

Risk Level 2: Low

Discovered:
January 26, 2004
Updated:
February 13, 2007 12:16:57 PM
Also Known As:
W32.Novarg.A@mm, W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Assoc, W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 rating as of March 30, 2004.

W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.


Notes:
  • Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
  • Virus definitions dated prior to February 4, 2004 will detect this threat as W32.Novarg.A@mm.





When W32.Mydoom.A@mm sends email, it avoids distributing to the domains that contain any of the following strings:
  • avp
  • syma
  • icrosof
  • msn.
  • hotmail
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla


    accounts that match any of the following strings:
  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page


    or accounts that contain any of the following strings:
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun


The worm also prepends any of the following names to the domain name obtained:
  • adam
  • alex
  • alice
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom


Antivirus Protection Dates

  • Initial Rapid Release version January 26, 2004
  • Latest Rapid Release version November 26, 2012 revision 002
  • Initial Daily Certified version January 26, 2004
  • Latest Daily Certified version November 26, 2012 revision 009
  • Initial Weekly Certified release date January 26, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Peter Ferrie

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver