Exploit-Mydoom
- Type
- Malware
- SubType
- Win32
- Discovery Date
- 02/12/2004
- Length
- Various
- Minimum DAT
- 4323 (02/11/2004)
- Updated DAT
- 4956 (02/05/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 02/12/2004
- Description Modified
- 02/12/2004 2:24 AM (PT)
Characteristics
This identification detects malware intended to exploit the backdoor opened on machines infected with either W32/Mydoom.a@MM or W32/Mydoom.b@MM.
A variant of an existing proxy trojan (Proxy-MitGlieder) that appears to propagate through the Mydoom backdoor has been received. This is detected as Exploit-Mydoom with the specified DATs on gateway products, or as a variant of Proxy-MitGlieder (since the 4317 DATs).
Symptoms
Symptoms will vary according to the specific malware in question. For the malware to propagate or exploit the Mydoom backdoor, however, the machine must already be infected with either W32/Mydoom.a@MM or W32/Mydoom.b@MM.
Method of Infection
W32/Mydoom@MM-infected machines will have TCP port 3127 open. Upon receipt of a specially crafted TCP packet on that port, Mydoom saves and executes the embedded binary. For example, W32/Doomjuice.worm uses this mechanism for its propagation.
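A defender-side check for the backdoor described above, added here as an example and not part of the original advisory: it flags a host whose netstat output shows a listener on TCP 3127, and flags sources in flow records that reach several distinct hosts on 3127 (the fan-out pattern of something propagating through the backdoor). The netstat and flow samples are constructed.

```python
import re
from collections import defaultdict

MYDOOM_BACKDOOR_PORT = 3127  # TCP port opened by W32/Mydoom.a@MM / .b@MM (from the advisory)

# Constructed sample: Windows "netstat -an" style output from one host.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3127          10.0.0.9:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample: simplified flow records, "src:port > dst:port proto".
FLOW_SAMPLE = """\
10.0.0.9:1044 > 10.0.0.5:3127 tcp
10.0.0.9:1045 > 10.0.0.6:3127 tcp
10.0.0.9:1046 > 10.0.0.7:80 tcp
10.0.0.12:2000 > 10.0.0.5:3127 tcp
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)")
FLOW_RE = re.compile(r"^(\S+):(\d+)\s*>\s*(\S+):(\d+)\s+tcp$")


def listening_on_backdoor(netstat_text: str) -> bool:
    """True if any TCP socket on the host is in LISTENING state on port 3127."""
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == MYDOOM_BACKDOOR_PORT and m.group(3) == "LISTENING":
            return True
    return False


def backdoor_scanners(flow_text: str, min_targets: int = 2) -> dict:
    """Map each source IP that contacted >= min_targets distinct hosts on 3127 to those hosts."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and int(m.group(4)) == MYDOOM_BACKDOOR_PORT:
            targets[m.group(1)].add(m.group(3))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print("3127 listener present:", listening_on_backdoor(NETSTAT_SAMPLE))
    print("sources fanning out to 3127:", backdoor_scanners(FLOW_SAMPLE))
```

A single connection to 3127 is not by itself evidence of infection; the fan-out threshold is what separates propagation from an isolated connection.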
Removal
All Users: Use the specified engine and DAT files for detection and removal. Delete files which contain this detection.
Variants
N/A