The virus is 32-bit with a packed file size of 17,424 bytes, and is a minor variant of W32/Netsky.A-mm. The virus contains code to send itself by email and to remove references to W32/Mydoom infections.
Load At Windows Startup
If the virus is run, it will write itself to the system and modify the registry to auto-run the virus at the next Windows startup, using the parameter "-stealth" -
"ICQ Net" = "C:\WINNT\winlogon.exe -stealth"
The virus contains code to send itself as an attachment to an email, to email addresses found on the target computer. The virus will scan the hard drive for email addresses; for each address found, it will attempt to use the mail exchange server related to the domain of that address. For instance, if the email address is "xyz" at company.com, the virus will run a DNS query for the MX record for "xyz.company.com", then try to send itself as an email attachment.
When the virus is searching for email addresses, it avoids any email addresses that may contain the following strings -
The subject lines are chosen at random from a table of possible choices -
Here is the file.
Please have a look at the attached file.
Please read the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.
The body text is chosen from a list of possible choices -
Re: Excel file
Re: Here is the document
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
The "From" field is forged, and the file attachment will be one of these hard-coded file names -
Mydoom Virus Removal
The virus will search for registry keys associated with the W32/Mydoom virus and delete them if found. The virus will also attempt to terminate tasks associated with the Mydoom virus.
The virus contains this string in its unpacked body -
be aware! Skynet.cz - -->AntiHacker Crew<--
- This virus can be blocked at the gateway by not allowing .PIF extensions to be delivered. Using the FortiGate manager, make sure .PIF extensions are blocked using SMTP, IMAP and POP3 services
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
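As an added defender-side example that is not part of this FortiGuard entry, the following Python flags a message when its Subject or body text equals one of the strings from the two tables above, and blocks it outright when it carries a .PIF attachment, the extension the gateway advice recommends dropping. The two messages are constructed samples and the classify function is my own naming, not Fortinet code.

```python
import email
from email import policy

# Strings copied from the two tables on this page; a message is checked
# against both tables whichever header the text appears in.
NETSKY_STRINGS = {
    "Here is the file.", "Please have a look at the attached file.",
    "Please read the attached file.", "See the attached file for details.",
    "Your document is attached.", "Your file is attached.", "Re: Excel file",
    "Re: Here is the document", "Re: My details", "Re: Re: Document",
    "Re: Re: Message", "Re: Re: Re: Your document", "Re: Re: Thanks!",
    "Re: Word file", "Re: Your archive", "Re: Your bill", "Re: Your details",
    "Re: Your document", "Re: Your letter", "Re: Your music", "Re: Your picture",
    "Re: Your product", "Re: Your software", "Re: Your text", "Re: Your website",
}
BLOCKED_EXT = ".pif"  # the extension the gateway advice on this page blocks

def classify(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which Netsky indicators it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    pif = [n for n in names if n.lower().endswith(BLOCKED_EXT)]
    text_match = subject in NETSKY_STRINGS or body in NETSKY_STRINGS
    # Any .PIF is dropped outright (gateway rule); table text alone is only suspect.
    verdict = "block" if pif else ("suspect" if text_match else "clean")
    return {"text_match": text_match, "pif_attachment": bool(pif),
            "attachments": names, "verdict": verdict}

# Constructed sample messages (not captured traffic); the "From" is forged.
SUSPECT = b"""From: forged@example.com
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Please have a look at the attached file.
--bnd
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.pif"

MZ-placeholder
--bnd--
"""
CLEAN = b"From: a@example.com\nSubject: lunch?\n\nSee you at noon.\n"
```

Run `classify(SUSPECT)` and `classify(CLEAN)` to see the "block" and "clean" verdicts; mail without a .PIF but with table text comes back "suspect" for analyst review.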