new doom variant?

No, I did not open the attached file. My AV missed it, but so did a lot
of the AVs at VirusTotal.
But I thought this method was all but over in favor of password-
protected infected attachments.
"Attention: ** - 10:45:22 PM - 6/2/2007 - This is an automatically
generated message.

A virus was found in the last outgoing message you sent. Our incoming
email scanner intercepted it and stopped the entire message before it
could reach its intended recipient. The virus was reported to be:
I-Worm.Mydoom.M

Technical details: I-Worm.Mydoom.m spreads via Google and Yahoo mail
services as an attachment to infected messages.

The worm itself is a Windows PE EXE file approximately 27KB in size,
packed using UPX.
The unpacked file is approximately 89KB in size.

The worm is only activated when a user opens an archive and launches
the infected file by double-clicking on it. The worm will then install
itself to your system and begin propagating. This worm also contains a
dangerous backdoor function. When the worm opens TCP port 1034, it
allows itself to receive remote commands. These ports were found to be
open on your system during the message scan.

Please use the attached patch file to remove the virus and cleanse
your system of any remaining parts of the worm.


Aliases: I-Worm.Mydoom.m (Kaspersky Lab), W32/Mydoom.o@MM (McAfee),
W32.Mydoom.M@mm (Symantec),   Win32.HLLM.MyDoom.54464 (Doctor Web),
W32/MyDoom-O (Sophos),   Win32/Mydoom.O@mm (RAV),   WORM_MYDOOM.M
(Trend Micro),   Worm/Mydoom.M (H+BEDV),   W32/Mydoom.O@mm (FRISK),
Win32:Mydoom-M (ALWIL),   I-Worm/Mydoom.O (Grisoft),  Win32.MydooM@mm
(SOFTWIN),   Worm.Mydoom.M (ClamAV),   W32/Mydoom.N.worm (Panda),
Win32/Mydoom.R (Eset)

Description added: 6/2/2007 (new)
Self-Replicating Email Worm

Removal tool attached to ** message at: 10:45:22 PM on 6/2/2007
__________________________________________

Originating Message Headers:

Received: ** (HELO) (193.224.106.80)
  by ** with SMTP; 12 Jun 2006 14:17:46 -0500
To: thelist at lists.evolt.org
Subject: Virus Detection
Date: Mon, 12 Jun 2006 21:17:45 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0002_4F80D187.6B2DD9E9"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Apply the attached patch to cleanse your system of any files that were
dropped by the worm.

Postmaster Security Encryption Algorithm:

YBLDKHRHJLHFZBJFVSHOLVIBGKBYSTFVRFRWHE"
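The message quoted above is a classic fake "postmaster" alert: an "automatically generated" notice sent from a desktop mail client, a body dated 2007 under a 2006 Date header, and a "patch" ZIP that contains an executable. The following is an added triage script, not code from the original post or from any of the vendors named in it. It rebuilds a constructed copy of the lure in memory (the sender address, ZIP contents and the indicator list are assumptions), parses it with the standard library, hashes the attachment, and looks inside the archive. An archive that fails to decompress is reported as undetermined rather than clean, which matters because a truncated ZIP can be a scanner-evasion trick as easily as a transmission error.

```python
"""Triage a suspected "postmaster virus alert" lure.

Added example for this thread, not code from the original post. The
message built here mirrors the quoted lure (fake Mydoom alert plus an
attached "patch" ZIP); the sender address, ZIP contents and the indicator
list are assumptions for illustration.
"""
import email
import email.policy
import hashlib
import io
import re
import zipfile
import zlib
from email.message import EmailMessage

# Extensions that should never arrive as a "patch" from a mail gateway.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Phrases typical of the social-engineering text quoted in the post.
LURE_PHRASES = ("attached patch", "removal tool attached",
                "virus was found", "cleanse your system")


def build_zip(member_name, payload):
    """Build an in-memory ZIP with one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_message(attachment=None, lure=True):
    """Constructed .eml: either the lure from the thread or a benign note."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"          # assumed sender
    msg["To"] = "thelist@lists.evolt.org"
    msg["Date"] = "Mon, 12 Jun 2006 21:17:45 +0200"     # header date from the post
    msg["X-Mailer"] = "Microsoft Outlook Express 6.00.2600.0000"
    if lure:
        msg["Subject"] = "Virus Detection"
        msg.set_content(
            "Attention: ** - 10:45:22 PM - 6/2/2007 - This is an automatically "
            "generated message.\nA virus was found in the last outgoing message "
            "you sent. The virus was reported to be: I-Worm.Mydoom.M\n"
            "Please use the attached patch file to remove the virus and "
            "cleanse your system.\n")
    else:
        msg["Subject"] = "Meeting notes"
        msg.set_content("Notes from Monday's call are attached. Thanks.\n")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip",
                           filename="Win32.Patch.MyDoom.zip" if lure else "notes.zip")
    return msg.as_bytes()


def inspect_zip(data):
    """Return (member names, corrupt flag). A truncated or damaged archive
    is reported as corrupt instead of being silently treated as empty."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist(), zf.testzip() is not None
    except (zipfile.BadZipFile, EOFError, zlib.error):
        return [], True


def triage(raw):
    """Parse an .eml and collect indicators of the fake-alert lure."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().lower() if text_part else ""
    findings = []

    if any(p in body for p in LURE_PHRASES):
        findings.append("lure wording: recipient told to run an attached patch/removal tool")

    # A real gateway notice is not produced by a desktop mail client.
    mailer = str(msg.get("X-Mailer", "")).lower()
    if "automatically generated" in body and "outlook express" in mailer:
        findings.append("claims to be automated but X-Mailer is Outlook Express")

    # The quoted lure says 2007 in the body while its Date header says 2006.
    hdr_year = re.search(r"\b(20\d\d)\b", str(msg.get("Date", "")))
    body_year = re.search(r"\b\d{1,2}/\d{1,2}/(20\d\d)\b", body)
    if hdr_year and body_year and hdr_year.group(1) != body_year.group(1):
        findings.append("date mismatch: header %s vs body %s"
                        % (hdr_year.group(1), body_year.group(1)))

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        info = {"name": name, "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha1": hashlib.sha1(data).hexdigest(),
                "members": [], "corrupt": False}
        if data[:2] == b"PK" or name.lower().endswith(".zip"):
            info["members"], info["corrupt"] = inspect_zip(data)
        if info["corrupt"]:
            findings.append("%s: archive will not decompress; undetermined, not clean" % name)
        for member in info["members"]:
            if member.lower().endswith(EXEC_EXT):
                findings.append("%s: contains executable %s" % (name, member))
        attachments.append(info)

    return {"subject": str(msg.get("Subject", "")), "findings": findings,
            "attachments": attachments,
            "verdict": "suspicious" if findings else "no indicators"}


if __name__ == "__main__":
    sample = build_zip("Win32.Patch.MyDoom.EXE", b"MZ" + bytes(64))
    for line in triage(build_message(sample))["findings"]:
        print(line)
```

The md5/sha1 values let you compare the attachment against a VirusTotal report without re-uploading it; the three header-level checks fire on the quoted message as-is, before any archive is opened.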


Re: new doom variant?

Complete scanning result of "Win32.Patch.MyDoom.zip", processed in
VirusTotal at 06/04/2007 09:47:52 (CET).

[ file data ]
* name: Win32.Patch.MyDoom.zip
* size: 3604
* md5.: b2298fde46f77322731d5b0fe0c0da5a
* sha1: 45dba3396fadc13a0eca455fc39ecb2ab8f5ae03

[ scan result ]
AhnLab-V3    2007.5.31.2/20070604    found nothing
AntiVir    7.4.0.29/20070604    found nothing
Authentium    4.93.8/20070523    found nothing
Avast    4.7.997.0/20070604    found nothing
AVG    7.5.0.467/20070603    found nothing
BitDefender    7.2/20070604    found nothing
CAT-QuickHeal    9.00/20070602    found [(Suspicious) - DNAScan]
ClamAV    devel-20070416/20070604    found nothing
DrWeb    4.33/20070604    found nothing
eSafe    7.0.15.0/20070603    found nothing
eTrust-Vet    30.7.3688/20070603    found nothing
Ewido    4.0/20070603    found nothing
F-Prot    4.3.2.48/20070601    found nothing
F-Secure    6.70.13030.0/20070604    found [Hupigon.gen83]
FileAdvisor    1/20070604    found nothing
Fortinet    2.85.0.0/20070602    found nothing
Ikarus    T3.1.1.8/20070604    found [Trojan-Spy.Win32.Bancos.ha]
Kaspersky    4.0.2.24/20070604    found [Trojan-Downloader.Win32.Small.ery]
McAfee    5044/20070601    found [New Malware.dq]
Microsoft    1.2503/20070604    found nothing
Norman    5.80.02/20070601    found nothing
Panda    9.0.0.4/20070603    found [Suspicious file]
Prevx1    V2/20070604    found nothing
Sophos    4.18.0/20070601    found nothing
Sunbelt    2.2.907.0/20070530    found nothing
Symantec    10/20070604    found nothing
TheHacker    6.1.6.129/20070604    found nothing
VBA32    3.12.0/20070603    found [suspected of Trojan-Dropper.Delf.33
(paranoid heuristics)]
VirusBuster    4.3.23:9/20070603    found []
Webwasher-Gateway    6.0.1/20070604    found nothing

[ notes ]
packers: EXPRESSOR, FSG
packers: Expr

__________________________________________________
VirusTotal is a free service offered by Hispasec Sistemas. There are
no guarantees about the availability and continuity of this service.
Do not reply to this message. It has been generated by an automatic
address that will not handle any reply. Although the detection rate
afforded by the use of multiple antivirus engines is far superior to
that offered by just one product, these results DO NOT guarantee the
harmlessness of a file. Currently, there is not any solution that
offers a 100% effectiveness rate for detecting viruses and malware.
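Two things in that report are worth pulling out mechanically: how few engines fired, and that those which did fire do not agree on what the file is (four different family names plus several generic or "suspicious" verdicts). The following is an added parser, not code from the original post or from VirusTotal. SAMPLE_REPORT is the scan block quoted above, re-joining the wrapped VBA32 line; the rule that splits heuristic verdicts from named-family verdicts is an assumed rule of thumb.

```python
"""Summarise a VirusTotal text report of the kind pasted in the thread.

Added example, not code from the original post. SAMPLE_REPORT is the scan
block quoted in the post; the heuristic/specific split is an assumed rule
of thumb, not a VirusTotal feature.
"""
import re

SAMPLE_REPORT = """\
 AhnLab-V3    2007.5.31.2/20070604    found nothing
AntiVir    7.4.0.29/20070604    found nothing
Authentium    4.93.8/20070523    found nothing
Avast    4.7.997.0/20070604    found nothing
AVG    7.5.0.467/20070603    found nothing
BitDefender    7.2/20070604    found nothing
CAT-QuickHeal    9.00/20070602    found [(Suspicious) - DNAScan]
ClamAV    devel-20070416/20070604    found nothing
DrWeb    4.33/20070604    found nothing
eSafe    7.0.15.0/20070603    found nothing
eTrust-Vet    30.7.3688/20070603    found nothing
Ewido    4.0/20070603    found nothing
F-Prot    4.3.2.48/20070601    found nothing
F-Secure    6.70.13030.0/20070604    found [Hupigon.gen83]
FileAdvisor    1/20070604    found nothing
Fortinet    2.85.0.0/20070602    found nothing
Ikarus    T3.1.1.8/20070604    found [Trojan-Spy.Win32.Bancos.ha]
Kaspersky    4.0.2.24/20070604    found [Trojan-Downloader.Win32.Small.ery]
McAfee    5044/20070601    found [New Malware.dq]
Microsoft    1.2503/20070604    found nothing
Norman    5.80.02/20070601    found nothing
Panda    9.0.0.4/20070603    found [Suspicious file]
Prevx1    V2/20070604    found nothing
Sophos    4.18.0/20070601    found nothing
Sunbelt    2.2.907.0/20070530    found nothing
Symantec    10/20070604    found nothing
TheHacker    6.1.6.129/20070604    found nothing
VBA32    3.12.0/20070603    found [suspected of Trojan-Dropper.Delf.33
(paranoid heuristics)]
VirusBuster    4.3.23:9/20070603    found []
Webwasher-Gateway    6.0.1/20070604    found nothing
"""

# engine  version/sigdate  found <rest>
LINE_RE = re.compile(r"^\s*(?P<engine>\S+)\s+(?P<version>\S+)\s+found\s+(?P<rest>.*)$")
# Labels that name a heuristic or generic hit rather than a specific family
# (assumed rule of thumb).
HEURISTIC_RE = re.compile(r"suspicious|suspected|heuristic|new malware|\bgen\d*\b|generic",
                          re.IGNORECASE)


def parse_report(text):
    """Map engine -> detection label, or None where the engine found nothing.

    Wrapped lines (see VBA32) are re-joined to the engine above them, and
    'found []' carries no label, so it is treated as no detection."""
    results, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current = m.group("engine")
            results[current] = m.group("rest").strip()
        elif current and line.strip():
            results[current] += " " + line.strip()
    for engine, rest in results.items():
        label = "" if rest == "nothing" else rest.strip().strip("[]").strip()
        results[engine] = label or None
    return results


def summarise(results):
    """Count detections and split them into heuristic vs named-family verdicts."""
    hits = {e: l for e, l in results.items() if l}
    heuristic = {e for e, l in hits.items() if HEURISTIC_RE.search(l)}
    return {"engines": len(results),
            "detections": len(hits),
            "heuristic": sorted(heuristic),
            "specific": sorted(set(hits) - heuristic)}


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT))
    print("%d of %d engines fired" % (summary["detections"], summary["engines"]))
    print("heuristic:", summary["heuristic"])
    print("named family:", summary["specific"])
```

On the quoted report this gives 7 of 30 engines firing, five of them on heuristics only, and the two named-family verdicts (Bancos vs Small) do not agree either, which is the usual picture for a freshly repacked dropper and why a low hit count on VirusTotal says little about safety.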



Re: new doom variant?

"PM..eml/Win32.Patch.MyDoom.zip/Win32.Patch.MyDoom.EXE - decompression
error!" Faulty virus?
Dr.Web online scan
File size: 8989 bytes

this is spam SPAM Yahoo PostMaster Alert - I-Worm.Mydoom.m detected at
10 45 22 PM..eml - archive MAIL
this is spam SPAM Yahoo PostMaster Alert - I-Worm.Mydoom.m detected at
10 45 22 PM..eml/[text:plain] - archive MAIL
this is spam SPAM Yahoo PostMaster Alert - I-Worm.Mydoom.m detected at
10 45 22 PM..eml/[text:plain] - OK
this is spam SPAM Yahoo PostMaster Alert - I-Worm.Mydoom.m detected at
10 45 22 PM..eml/Win32.Patch.MyDoom.zip - archive ZIP


Re: new doom variant?

Reply from Dr.Web:
Your request has been analyzed. It was a corrupted file.

Thank you for the cooperation.

