Monday, August 09, 2004

New Viruses Reported: Mydoom.O & Mydoom.P

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, August 6, 2004 - This week's report on viruses and intruders looks at three worms (Mydoom.P, Mydoom.O and Amus.A) and two Trojans called Downloader.OG and Brador.A.

Mydoom.P spreads via email in a message that simulates an error message. Every five seconds the worm checks memory for active processes with any of the text strings av, AV, can, cc, ecur, erve, iru, java, KV, mc, Mc, nti, nv, ort, scn, SkyNet, sss, sym, Sym, uba and xp.exe.

If so, Mydoom.P will terminate the process. Sometimes, the first time the worm is executed it opens Notepad.

Mydoom.P tries to use the two methods below in order to collect email addresses:

- Searching in all files with any of the following extensions: ADB, ASP, CFG, DBX, DHTM, EML, HTM, HTML, JS, JSE, JSP, MMF, MSG, ODS, PHP, PL, SHT, SHTM, SHTML, TBB, TXT, WAB and XML.

- Making HTTP requests to the email.people.yahoo.com website, to use the people search feature in Yahoo mail.

Mydoom.O spreads via an email with variable characteristics. It installs a file that opens a backdoor listening on TCP port 1034. This can give access to the compromised computer, through which confidential data can be stolen or users can be prevented from using the computer properly.
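A defender can triage a host for the Mydoom.O backdoor described above by checking for a listener on TCP port 1034. The following is an added example, not part of Panda Software's report; the `netstat -ano` sample is constructed and the function names are hypothetical.

```python
import re

BACKDOOR_PORT = 1034  # TCP port the report gives for the Mydoom.O backdoor

# Constructed sample of Windows `netstat -ano` output (not real host data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:1034      203.0.113.7:4411       ESTABLISHED     2316
  TCP    192.168.1.20:3021      198.51.100.9:1034      ESTABLISHED     1540
  UDP    0.0.0.0:1034           *:*                                    1020
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")

def parse_tcp_rows(text):
    """Yield (local_addr, local_port, remote, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            yield laddr, int(lport), f"{raddr}:{rport}", state, int(pid)

def find_backdoor_listener(text, port=BACKDOOR_PORT):
    """Report processes listening on `port` and the peers connected to them."""
    rows = list(parse_tcp_rows(text))
    listeners = [{"pid": pid, "local": f"{laddr}:{lport}"}
                 for laddr, lport, _, state, pid in rows
                 if state == "LISTENING" and lport == port]
    listening_pids = {l["pid"] for l in listeners}
    # 1034 is also a legal ephemeral source port, so an ESTABLISHED row with
    # local port 1034 counts only when the owning PID also holds the listener.
    peers = [remote for _, lport, remote, state, pid in rows
             if state == "ESTABLISHED" and lport == port and pid in listening_pids]
    return {"listeners": listeners, "peers": peers}

if __name__ == "__main__":
    print(find_backdoor_listener(SAMPLE_NETSTAT))
```

A hit only shows that some process is listening on TCP 1034; the reported PID still has to be mapped to its executable before the host is treated as infected.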

The third worm we're looking at today is Amus.A, which uses its own SMTP engine to spread via email. It creates several copies of itself and a registry entry in the computer to ensure it is run every time Windows starts up. Sometimes, Amus.A can create a small white square in the top left-hand corner of the desktop.

The first Trojan in today's report is Brador.A, which affects PDAs (Personal Digital Assistants) running the Windows CE operating system. Its actions include opening a port that allows outside connections, and copying itself, as Svchost.exe, to the Start directory. When Brador.A affects a system it sends its creator a message saying that the device is available.

We finish off today's edition with Downloader.OG, a Trojan which periodically installs the adware Adware/Wupd, downloading it from a series of predetermined websites. Downloader.OG also creates the file BRIDGEX.DLL in the Windows system directory on the victim's computer; this file is really a copy of itself.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Backdoor: a backdoor can be used to allow an attacker to take control of a computer without the user's knowledge.

- Download: This is the process of obtaining files from the Internet (from Web pages or FTP sites set up specifically for that purpose).

More technical definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx