As of February 16, 2005, 05:31 PM (GMT - 08:00, Pacific Standard Time) TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYDOOM.BB. Trendlabs received numerous infection reports indicating that this malware is spreading in Singapore and U.S. This worm was previously detected as WORM_MYDOOM.M.
It has very similar characteristics as with WORM_MYDOOM.M. However, this new MYDOOM worm comes compressed with MEW compression tool, whereas WORM_MYDOOM.M is compressed using UPX.
Like earlier MYDOOM variants, this worm spreads via email through SMTP (Simple Mail Transfer Protocol), gathering target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives. It uses social engineering techniques by sending out email messages with a spoofed sender's name and poses as a failure delivery notification. The email message it sends has varying subjects, message bodies, and attachment file names.
Apart from simply spreading via email, this worm also carries backdoor functionalities that leaves the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens TCP port 1034 and waits for outside connections. This routine virtually hands over control of the affected machine to a remote attacker.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 149
Official Pattern Release 2.416.00
Damage Cleanup Template 520
For more information on WORM_MYDOOM.BB, you can visit our Web site at:
http://www.trendmicro.com....asp?VName=WORM_MYDOOM.BB
You can modify subscription settings for Trend Micro newsletters at:
http://www.trendmicro.com/subscriptions/default.asp/u/64936/crop560fa53296a1c.png?f=community)
