The W32.Mydoom.M@mm mass-mailing worm:
- Uses its own SMTP engine to send itself to all the email addresses that it finds on an infected system.
- The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension.
- The attachment name may contain a randomly selected domain, which was found on the sender's system.
  For example, the attachment name could contain fakedomain.com if the address x@fakedomain.com was harvested.
- The From field of the email is spoofed.
- Downloads and executes a backdoor, which is detected as Backdoor.Zincite.A, on port 1034/tcp.
- Is packed by UPX.
For more technical details on W32.Mydoom.M@mm, please see the Symantec Security Response write-up.
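A mail-gateway heuristic for the attachment traits listed above, added here as an example and not taken from the Symantec write-up: it flags attachments with one of the listed extensions and notes whether the name embeds a domain-like token. The function names, the TLD list in the regex and the sample message are assumptions constructed for illustration; the From header is not consulted because the worm spoofs it.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment extensions listed in the advisory.
RISKY_EXT = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}
# Domain-like token; the TLD list is an assumption of this example.
DOMAIN_RE = re.compile(r"[a-z0-9-]+\.(?:com|net|org|edu|gov|info|biz)\b", re.I)


def check_name(filename):
    """Return a finding dict for a risky attachment name, else None."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext not in RISKY_EXT:
        return None
    # A .com file name can itself be a domain (fakedomain.com), so search the
    # whole name in that case; otherwise search only the part before the extension.
    haystack = name if ext == ".com" else name[:dot]
    return {"filename": filename, "ext": ext,
            "domain_in_name": bool(DOMAIN_RE.search(haystack))}


def scan_message(raw):
    """Scan every MIME part of a raw message; From is not consulted (spoofed)."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        hit = check_name(filename) if filename else None
        if hit:
            hits.append(hit)
    return hits


def build_sample(attachment_name):
    """Constructed test message (not a real sample) with one attachment."""
    m = EmailMessage()
    m["From"] = "x@fakedomain.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    for n in ("fakedomain.com.zip", "fakedomain.com", "report.exe", "notes.txt"):
        print(n, scan_message(build_sample(n)))
```

A benign name such as readme.com also sets `domain_in_name`, so treat that field as a hint alongside the extension match.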