MessageLabs, the leading provider of managed email security services to businesses worldwide, has intercepted a high number of copies of a new worm known as W32/Mydoom.A-mm.
Number of copies intercepted so far: 165,598
Time & Date first captured: 13.03pm GMT, 26th Jan 04
Origin of first intercepted copy: Russia
W32/Mydoom.A-mm is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa.
The worm harvests addresses from infected machines and targets files with the following extensions:
.wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt.
W32/Mydoom.A-mm also tries to randomly generate or guess likely email addresses to send itself to.
In addition, initial analysis suggests that Mydoom opens a connection on TCP port 3127, an indication of a remote access component.
From: Random, spoofed email address
Text: Various, including:
· The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
· The message contains Unicode characters and has been sent as a binary attachment.
· Mail transaction failed. Partial message is available.
Attached file: Various extensions, including .exe, .pif, .cmd, .scr. The attachment often arrives in a zip archive, and is also represented by what appears to be a text file icon, but is in fact an executable.
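A mail-gateway style check built from the indicators listed above, as an added example that is not MessageLabs code: it flags a message whose body contains one of the quoted texts or whose attachment, directly or inside a zip archive, has one of the listed extensions. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory text; matching is case-insensitive.
RISKY_EXT = (".exe", ".pif", ".cmd", ".scr")
BODY_PHRASES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)

def risky_names(filename, payload):
    """Return executable-type names for one attachment, looking inside zips."""
    name = (filename or "").lower().strip()
    if name.endswith(RISKY_EXT):
        return [name]
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist() if n.lower().strip().endswith(RISKY_EXT)]
        except zipfile.BadZipFile:
            return [name]  # an archive that cannot be inspected is held for review
    return []

def inspect(raw_bytes):
    """Return (body_phrase_hit, risky_attachment_names) for a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    phrase_hit, names = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names += risky_names(part.get_filename(), part.get_payload(decode=True) or b"")
        elif part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            phrase_hit = phrase_hit or any(p in " ".join(body.lower().split()) for p in BODY_PHRASES)
    return phrase_hit, names

def build_sample():
    """Constructed sample: harmless bytes zipped under an executable-type name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.scr", b"not a real executable")
    msg = EmailMessage()
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

Spoofed senders make the From header useless as a signal here, which is why the check keys on body text and attachment type only.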