July 27, 2004

Information Security Advisory

Yesterday morning, a new variant of the W32.Mydoom.M@mm mass-mailing worm started to attack computers worldwide. The worm uses its own email engine to send itself to all the email addresses that it finds on an infected system. Symantec rated this worm as a category 4 and put out a removal tool on its website.

Characteristics:

- The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, .zip, .doc, .txt, .htm, or .html extension.
- The attachment name may contain a randomly selected domain, which was found on the sender's system. For example, the attachment name could contain fakedomain.com if the address x@fakedomain.com was harvested.
- The From field of the email is spoofed.
- The worm downloads and executes a backdoor, which is detected as Backdoor.Zincite.A, on port 1034/tcp.
- The worm is packed by UPX.

Other names: W32/Mydoom.o@MM [McAfee], W32/MyDoom-O [Sophos], WORM_MYDOOM.M [Trend], Win32.Mydoom.O [Computer Associates]

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX

Recommendation: Make sure you have the latest antivirus signatures on your computer and run a scan at your earliest convenience. If infected, download your antivirus vendor's removal tool and follow the vendor's instructions to clean your computer. For example, Symantec's tool can be downloaded from http://securityresponse.symantec.com/avcenter/FxMydoom.exe

Make sure you disable "System Restore" on your Windows Me or XP computer before running the scanner (right click on the "My Computer" icon, click on "Properties" and disable System Restore).

Happy safe computing!

Frederic Martin
www.workingarts.com

PS1: If you want to be removed from this computer security advisory mailing list, please reply with "remove" in the subject of the message. To review archived security warnings, please go to http://www.workingarts.com/infosecarchives.html

PS2: Feel free to forward this email to your friends and colleagues, who can register to receive these alerts at http://www.workingarts.com/specialoffer.html
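
Added example, not part of the original advisory: a mail-gateway style triage check in Python that uses only the attachment traits listed above (the extension list and a domain embedded in the attachment name). The function names, reason labels and sample messages are constructed for illustration, and treating six of the listed extensions as "runs on open" is an assumption of this sketch.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions listed in the advisory.
ADVISORY_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr",
                 ".zip", ".doc", ".txt", ".htm", ".html"}
# Assumption: the subset that Windows executes directly when opened.
RUNS_ON_OPEN = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}
# Heuristic: a domain-shaped token inside the name, before the extension.
# It also matches names such as "archive.tar", so treat it as a hint only.
DOMAIN_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")


def triage(raw: bytes):
    """Return [(filename, reasons)] for attachments worth quarantining."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        path = PurePosixPath(name)
        if path.suffix not in ADVISORY_EXTS:
            continue
        reasons = ["listed-extension"]
        if path.suffix in RUNS_ON_OPEN:
            # Covers "fakedomain.com": the domain's TLD is the extension.
            reasons.append("runs-on-open")
        if DOMAIN_RE.search(path.stem):
            reasons.append("domain-in-name")
        # .doc/.txt/.htm alone are too common to flag without a second trait.
        if len(reasons) > 1:
            findings.append((name, reasons))
    return findings


def build_sample(filename: str) -> bytes:
    """Constructed test message; the From header cannot be trusted anyway."""
    msg = EmailMessage()
    msg["From"] = "x@fakedomain.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in ("fakedomain.com", "fakedomain.com.zip", "minutes.txt"):
        print(sample, "->", triage(build_sample(sample)))
```

A match is a reason to quarantine and scan the attachment, not proof of infection; the antivirus signatures and removal tool recommended above remain the authoritative check.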