Mydoom.s Early Detection in Vietnam

McAfee, Inc. has warned that the virus variant W32/Mydoom.s@MM, also known as Mydoom.s, is spreading rapidly through e-mail. In Vietnam, Mydoom.s emerged and began to spread aggressively through corporate networks this afternoon (August 16).

This new Mydoom variant spreads via e-mail, hidden in an .EXE attachment called "photos_arc.exe". McAfee has so far received about 100 separate reports of the virus within three hours of its appearance, most of them from Europe and Japan.

Threats from Mydoom.s

Mydoom.s propagates over the SMTP protocol to reach other addresses. Like other variants, Mydoom.s harvests e-mail addresses from the victim's computer, then uses the addresses from the computer's Address Book to bombard them with further copies of itself. Mydoom.s creates an e-mail with a spoofed sender address taken from an account on the infected computer, so the next recipient is very likely to mistake it for a friend's e-mail and open it.

The attached file is an .EXE file named photos_arc.exe, which sets this version apart from other Mydoom versions, which usually use many different file extensions. Users should be cautious with every e-mail whose subject is "photos" and delete it as soon as it appears.

Some initial identifiers of Mydoom.s:

- Sender's address (From): a forged e-mail address of a friend, possibly someone in the same company.

- Subject: photos

- Body: LOL !;))))

Analysis of destructive mechanism

After the user has been tricked into opening the attached file photos_arc.exe, Mydoom.s copies itself to the WINDOWS directory (%WinDir%) as a file named rasor38a.dll and to the SYSTEM directory (%SysDir%) under the name winpsd.exe, to carry out the next stage of infection. Mydoom.s adds the following registry keys to the system so that it is activated at startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus then runs its built-in remote access component, which listens for remote connections. In addition, it downloads a backdoor trojan to the victim's machine to support further intrusion activity later.

Fix and protect your system

More information about Mydoom.s can be found at McAfee AVERT at http://vil.nai.com/vil/content/v_127616.htm. McAfee AVERT recommends that customers update to the 4386 DAT antivirus files to block Mydoom.s.

Currently, McAfee rates the severity of Mydoom.s only as moderate (Medium). However, the popular Norton AntiVirus software had not detected Mydoom.s at the time the virus appeared.

According to a preliminary study by VietNamNet, the Mydoom.s virus can infect a computer as soon as the e-mail containing it is displayed in the Preview Pane of Outlook Express or Microsoft Outlook.

Therefore, users should turn off the Preview Pane via View / Layout in Outlook, then clear the Show Preview Pane option, to stop Mydoom.s from activating. When such a message appears in the Inbox, delete it immediately from the header list, and keep updating to the newest virus definitions.

Bkav 533 updated against the W32.MyDoom.S virus

At 15:42 on August 16, 2004, the Bkis Network Security Center received a large number of e-mails with the subject "photos" and the attachment photos_arc.exe. We received 17 to 20 such e-mails per minute. At the same time there were two "emergency" calls from two enterprises in Hanoi and Dong Nai, whose systems were being overloaded by e-mails with the same characteristics. We immediately began researching and analysing the virus samples received. After 2 hours 15 minutes the preliminary analysis was complete and the W32.MyDoom.S update was released in Bkav version 533.

This afternoon, our colleagues in the Asia Pacific Computer Emergency Response Team (APCERT) reported that the W32.MyDoom.S virus is also spreading and attacking computers in countries across the region.

To remove the W32.MyDoom.S virus, follow these steps:

1. Download the Bkav software, version Bkav533, to a folder on the machine.

2. If you use Windows Me or XP, turn off the operating system's System Restore function.

3. If other anti-virus programs such as NAV or McAfee are installed on the computer, temporarily turn off their Auto Protect function.

4. Run Bkav533 and select scanning of all files on all drives.

5. Restart the computer.

Some features of the W32.MyDoom.S virus:

• Creates a mutex named "43jfds93872" to avoid running multiple instances of the virus at the same time.

• Copies itself to the Windows directory as a library file named rasor38a.dll.

• Checks the system date and time; from 20/08/2004 the virus no longer spreads.

• Checks whether the computer is connected to the Internet, with a test cycle of 18 seconds; if it is connected, the virus downloads the files:

  • ispy.1.jpg

  • coco3.jpg

  • temp578.gif

  • temp728.gif

  from the following sites:

  • http://www.richcolour.com

  • http://zenandjuice.com

• Creates a value named "winpsd" with the data "%System%\winpsd.exe" in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so the virus is executed every time a user starts Windows.

• Looks up mail addresses on drives C to Z in files with the following extensions: .htmb, .shtl, .phpq, .aspd, .dbxn, .bbg, .adbh, .pl, .wab.

• Creates and sends messages with the following characteristics:

  Subject: photos

  Attachment: photos_arc.exe

  Body: LOL !;))))

  Sent from one of these names: john, alex, michael, james, mike, kevin, david, george, sam, andrew, jose, wool, maria, jim, brian, serg, mary, ray, tom, peter, robert, bob, jane, joe, dan, dave, matt, steve, smith, bill, bob, jack, fred, ted, adam, brent, alice, anna, brenda, claudia, debby, helen, jerry, jimmy, julie, linda, sandra

• Lists the entries in HKCU\Software\Microsoft\Internet Account Manager\Accounts to obtain the SMTP server.
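The message characteristics listed above (and in the initial identifiers earlier on this page) are enough for a simple mail-gateway filter. The following Python check is an added illustration, not code from McAfee, Bkis or the article; the two sample messages are constructed, and the sender-name set is a subset of the page's list.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Message indicators of W32/Mydoom.s as reported on this page.
SUBJECT = "photos"
ATTACHMENT = "photos_arc.exe"
BODY_TEXT = "LOL !;))))"
# Spoofed sender local-parts come from the virus's fixed first-name list
# (a subset of the page's list is enough to show the matching).
SENDER_NAMES = {"john", "alex", "michael", "james", "mike", "kevin", "david",
                "george", "sam", "andrew", "jose", "maria", "jim", "brian",
                "mary", "tom", "peter", "robert", "bob", "jane", "joe", "alice"}

def score_message(raw: bytes) -> list[str]:
    """Return the Mydoom.s indicators present in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    if parseaddr(msg.get("From", ""))[1].split("@")[0].lower() in SENDER_NAMES:
        hits.append("sender-name")
    if any((p.get_filename() or "").lower() == ATTACHMENT
           for p in msg.iter_attachments()):
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content():
        hits.append("body")
    return hits

def is_mydoom_s(raw: bytes) -> bool:
    """The attachment name alone is decisive; otherwise require subject and
    body together, since a first-name sender by itself is ordinary mail."""
    hits = score_message(raw)
    return "attachment" in hits or {"subject", "body"} <= set(hits)

# Constructed sample messages (not real captures) for a stand-alone run.
SAMPLE_INFECTED = (b"From: john@example.com\nSubject: photos\n"
                   b"Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
                   b"--b1\nContent-Type: text/plain\n\nLOL !;))))\n"
                   b"--b1\nContent-Type: application/octet-stream\n"
                   b"Content-Disposition: attachment; filename=\"photos_arc.exe\"\n\n"
                   b"MZ\n--b1--\n")
SAMPLE_CLEAN = (b"From: alice@example.com\nSubject: photos from the trip\n\n"
                b"Here are the photos from Saturday.\n")

if __name__ == "__main__":
    for name, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, score_message(raw), is_mydoom_s(raw))
```

The clean sample still matches on the sender name alone, which is why the decision rule requires either the attachment name or the subject and body together.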

Download Bkav2002 (Version 533), 305 KB