
Virus Information


Prevalence: High

Name: Win32.MyDoom.M@mm

Type:

How it spreads: This is an internet worm that spreads through e-mail.

Affected operating systems:

Aliases: I-Worm.Mydoom.m

Date of surface: Jul 25 2004 12:00AM
This is an internet worm that spreads through e-mail. When it is run it adds the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM with the following value: %WINDIR%\java.exe

It copies itself to %WINDIR%\java.exe, where %WINDIR% is a variable representing the Windows directory. It drops the following file: %WINDIR%\services.exe, which is detected as Backdoor.Mydoom.M.

It tries to terminate some programs that have windows with the following names: rctrl_renwnd32, ATH_Note, IEFrame.

It searches for mail addresses in the default Windows Address Book, then looks into the Temporary Internet Files, and then scans all the disks on the machine, looking for files whose extension starts with pl, ph, tx, asp, dbx, wab, etc.

It sends mail with the sender set to one of: "Postmaster", "Mail Administrator", "Automatic Email Delivery Software", "Post Office", "The Post Office", "Bounced mail", "Returned mail", "MAILER-DAEMON", "Mail Delivery Subsystem". The subject is one of: "hello", "hi", "error", "status", "test", "report", "delivery failed", "Message could not be delivered", "Mail System Error - Returned Mail", "Delivery reports about your e-mail", "Returned mail: see transcript for details", "Returned mail: Data format error", etc. The attachment's name is one of "readme", "instruction", "transcript", "mail", "letter", "text", "file", "attachment", "document", "message", with the extension one of "cmd", "bat", "com", "exe", "pif", "scr". It sometimes has ".zip" after the normal extension.

The mail is constructed based on a template. The worm parses the template and generates a very large number of possible bodies. The rule is very simple: it just picks one of the options separated by |. For instance, for the string "{We have {detected|found|received reports} " it can generate "We have detected", "We have found" or "We have received reports". Also, there are some variables that have $ in front of them, and they are filled with data at runtime. For instance, $t is the name of the domain.

The template is this:

Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||} {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week. {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server. {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe. {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {$T {user |technical |}support team.|The $T {support |}team.} Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message {was not|could not be} delivered within $D days: {{{Mail s|S}erver}|Host} $i is not responding.
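As an added analyst-side example (not eScan's code, and not the worm's), here is a parser for the {a|b|c} template grammar described above: count_variants measures how many choice paths a template fragment allows, which is why matching the lure text verbatim is a weak detection, and expand reproduces one chosen variant for building test samples. The function names and the example.com placeholder domain are my own assumptions.

```python
import re
from typing import Callable, Dict, List, Union

# A parsed node is either literal text (str) or a group: a list of
# alternatives, each alternative itself being a list of nodes (groups nest).
Node = Union[str, List[list]]

def parse_template(text: str) -> List[Node]:
    """Parse the "{a|b}" grammar described above into a node sequence."""
    pos = 0

    def parse_alternatives(inside_group: bool) -> List[List[Node]]:
        nonlocal pos
        alternatives: List[List[Node]] = [[]]
        buf = ""
        while pos < len(text):
            ch = text[pos]
            pos += 1
            if inside_group and ch == "}":
                break
            if ch == "{" or (inside_group and ch == "|"):
                if buf:
                    alternatives[-1].append(buf)
                    buf = ""
                if ch == "{":
                    alternatives[-1].append(parse_alternatives(True))  # nested group
                else:
                    alternatives.append([])  # next alternative; may stay empty ("{-|}")
            else:
                buf += ch  # literal text; top-level "|" and "}" are literal
        if buf:
            alternatives[-1].append(buf)
        return alternatives

    return parse_alternatives(False)[0]

def count_variants(seq: List[Node]) -> int:
    """Choice paths through the sequence: an upper bound on distinct bodies."""
    total = 1
    for node in seq:
        if isinstance(node, list):
            total *= sum(count_variants(alt) for alt in node)
    return total

def expand(seq: List[Node], choose: Callable[[int], int], variables: Dict[str, str]) -> str:
    """Build one variant: choose(n) picks an alternative index; $X variables are filled in."""
    parts = [expand(node[choose(len(node))], choose, variables) if isinstance(node, list) else node
             for node in seq]
    return re.sub(r"\$([A-Za-z])", lambda m: variables.get(m.group(1), m.group(0)), "".join(parts))
```

Pass `random.randrange` as `choose` to sample bodies the way the worm does, or `lambda n: 0` / `lambda n: n - 1` for deterministic first/last expansions.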
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.
