W32/Mydoom.s@MM

Type
Virus
SubType
Internet Worm
Discovery Date
08/15/2004
Length
27,136 bytes
Minimum DAT
4386 (08/15/2004)
Updated DAT
4923 (12/20/2006)
Minimum Engine
5.1.00
Description Added
08/15/2004
Description Modified
08/16/2004 2:11 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update November 11, 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update August 15, 2004 --
The risk assessment of this threat was deemed Medium due to prevalence.

If you think that you may be infected with W32/Mydoom.s@MM, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

This virus is received in an email message as follows:

Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe

When the attachment is run, the virus copies itself to the WINDOWS (%WinDir%) directory as rasor38a.dll, and to the SYSTEM (%SysDir%) directory as winpsd.exe.

The virus creates the following registry keys and values:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\ComDlg32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\ComDlg32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus downloads a backdoor component from 2 different websites:

  • www.richcolour.com
  • zenandjuice.com

The backdoor component is detected as BackDoor-CHR with the specified DAT files.

Symptoms

Presence of the files rasor38a.dll and winpsd.exe.

Method of Infection

This virus spreads via email.  Victims must manually choose to execute the infected attachment.  Once running, the virus harvests addresses from files with the following extensions:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

The virus then mails itself to the addresses obtained.
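The lure message, the forged From address and the mail-only propagation described above are enough to write a gateway check for this specific worm. The following is an added example, not McAfee code and not anything the original description ships: it parses one raw message with Python's standard email library, scores it against the lure attributes the description gives (Subject "photos", body "LOL!;))))", attachment photos_arc.exe, and the 27,136-byte length from the Length field), and never consults the sender. The sample messages are constructed here; the attachment payload is zero-filled padding of the published length, not the worm.

```python
"""Mail-gateway triage for the W32/Mydoom.s@MM lure described on this page.

Added example, not McAfee code.  score_message() parses one raw RFC 822
message with the standard library and reports which lure attributes from
the description match: Subject "photos", body "LOL!;))))", attachment
photos_arc.exe, and an attachment of the published 27,136-byte length.
The From: header is never consulted because the worm forges it.  The
sample messages are constructed below; the "worm" payload is zero-filled
padding of the right length, not malware.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_SUBJECT = "photos"
LURE_BODY = "LOL!;))))"
LURE_ATTACHMENT = "photos_arc.exe"
WORM_LENGTH = 27_136  # bytes, from the Length field of the description


def score_message(raw: bytes) -> dict:
    """Return {"hits": sorted indicator names, "verdict": ...} for one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        hits.add("subject")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and text.get_content().strip() == LURE_BODY:
        hits.add("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            hits.add("exe-attachment")
        if name == LURE_ATTACHMENT:
            hits.add("attachment-name")
        if len(part.get_payload(decode=True) or b"") == WORM_LENGTH:
            hits.add("attachment-length")
    # The named attachment plus any corroborating attribute is the Mydoom.s
    # lure; any other .exe attachment is still held, because an executable
    # attachment is the whole infection vector; everything else passes.
    if "attachment-name" in hits and hits & {"subject", "body", "attachment-length"}:
        verdict = "mydoom.s-lure"
    elif "exe-attachment" in hits:
        verdict = "quarantine"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "verdict": verdict}


def build_sample(subject, body, sender, attach_name=None, attach_bytes=b""):
    """Construct a test message (not a captured sample) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender          # forged by the worm; the scorer ignores it
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(attach_bytes, maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


# Constructed samples.  FAKE_WORM is padding of the published length only.
FAKE_WORM = b"MZ" + b"\x00" * (WORM_LENGTH - 2)
LURE = build_sample("photos", "LOL!;))))", "user@example.com", "photos_arc.exe", FAKE_WORM)
BENIGN = build_sample("photos", "see attached", "friend@example.com", "holiday.zip", b"PK\x03\x04")
OTHER_EXE = build_sample("invoice", "please run", "billing@example.com", "setup.exe", b"MZ")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN), ("other exe", OTHER_EXE)):
        print(label, score_message(raw))
```

The lure sample deliberately carries the recipient's own address in From:, which is exactly the situation the note above describes; the verdict does not change with the sender, only with the content and the attachment.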

Removal

All Users :
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  2. Delete the following file from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32), and delete the second copy of the worm, rasor38a.dll, from the WINDOWS directory itself:

    winpsd.exe

  3. Edit the registry
    • Delete the "winpsd" value from
      • HKEY_LOCAL_MACHINE\Software\Microsoft\
        Windows\CurrentVersion\Run
    • Delete the keys:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
        Explorer\ComDlg32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
        Explorer\ComDlg32
      (On Windows XP the HKEY_CURRENT_USER ComDlg32 key also holds the Open/Save dialog recent-file lists, so it exists on clean systems too; deleting it only clears those lists.)
  4. Reboot the system into Default Mode

See the BackDoor-CHR description for additional information.
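The artifacts listed under Characteristics and the manual-removal steps above map onto a small host check. The following is an added example, not Stinger, the DATs, or the System Compliance Profiler rules below: assess() matches a snapshot of the host against the two file names, the winpsd Run value and the two ComDlg32 keys; plan_removal() orders the clean-up so that persistence is removed first; collect_snapshot() and apply_removal() do the live Windows work through the standard library's winreg module and reg.exe, and are only reached on request, so the matching logic can be reviewed and tested on a Linux analysis box. One caveat is carried into the code: the HKEY_CURRENT_USER ComDlg32 key also holds Explorer's Open/Save recent-file lists on XP, so its mere existence is reported only alongside a stronger indicator. The infected and clean snapshots are constructed, not captured from a real host.

```python
"""Host check and clean-up for the W32/Mydoom.s@MM artifacts listed on this page.

Added example, not McAfee code.  assess() and plan_removal() are pure
functions over a snapshot of the host so they can be tested off-box;
collect_snapshot() and apply_removal() do the live Windows work (winreg and
reg.exe) and are only reached on request.  ntpath keeps Windows path
handling identical on a Linux analysis box.
"""
import ntpath
import os
import subprocess
import sys

FILE_ARTIFACTS = (("WINDOWS_DIR", "rasor38a.dll"), ("SYSTEM_DIR", "winpsd.exe"))
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winpsd"
MARKER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32"
REMOVAL_ORDER = ("run_value", "file", "key")  # persistence first


def default_dirs():
    """%WinDir% and %SysDir% as the description names them."""
    windir = os.environ.get("SystemRoot") or r"C:\WINDOWS"
    return {"WINDOWS_DIR": windir, "SYSTEM_DIR": ntpath.join(windir, "System32")}


def assess(snapshot):
    """Return (kind, detail) findings; snapshot has "dirs", "files"
    (lower-cased existing paths), "run_values" (name -> data) and "keys"."""
    findings = []
    for slot, name in FILE_ARTIFACTS:
        path = ntpath.join(snapshot["dirs"][slot], name)
        if path.lower() in snapshot["files"]:
            findings.append(("file", path))
    if snapshot["run_values"].get(RUN_VALUE, "").lower().endswith("winpsd.exe"):
        findings.append(("run_value", RUN_VALUE))
    # HKCU ComDlg32 also holds Explorer's Open/Save MRU lists on XP, so the
    # key merely existing only counts once a stronger indicator is present.
    strong = bool(findings)
    for hive in ("HKCU", "HKLM"):
        key = f"{hive}\\{MARKER_KEY}"
        if strong and key in snapshot["keys"]:
            findings.append(("key", key))
    return findings


def plan_removal(findings):
    """Order findings into (action, target) steps, persistence first."""
    return [(f"delete_{kind}", target) for kind in REMOVAL_ORDER
            for found, target in findings if found == kind]


def collect_snapshot():
    """Live collection; Windows only, so winreg is imported here."""
    import winreg
    dirs = default_dirs()
    paths = [ntpath.join(dirs[slot], name) for slot, name in FILE_ARTIFACTS]
    run_values, keys = {}, set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY.split("\\", 1)[1]) as k:
        for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(k, i)
            run_values[name] = str(data)
    for hive, root in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            winreg.CloseKey(winreg.OpenKey(root, MARKER_KEY))
            keys.add(f"{hive}\\{MARKER_KEY}")
        except OSError:
            pass
    return {"dirs": dirs, "files": {p.lower() for p in paths if os.path.exists(p)},
            "run_values": run_values, "keys": keys}


def apply_removal(actions, dry_run=True):
    """Print the steps; with dry_run=False run them (reg.exe for the registry)."""
    for action, target in actions:
        print(("would " if dry_run else "") + action.replace("_", " "), target)
        if dry_run:
            continue
        if action == "delete_file":
            os.remove(target)
        elif action == "delete_run_value":
            subprocess.run(["reg", "delete", RUN_KEY, "/v", target, "/f"], check=True)
        else:  # delete_key: reg.exe also removes the subkeys ComDlg32 normally has
            subprocess.run(["reg", "delete", target, "/f"], check=True)


# Constructed snapshots (not captured from a real host) for off-box testing.
CONSTRUCTED_DIRS = {"WINDOWS_DIR": r"C:\WINDOWS", "SYSTEM_DIR": r"C:\WINDOWS\System32"}
INFECTED = {"dirs": CONSTRUCTED_DIRS,
            "files": {r"c:\windows\rasor38a.dll", r"c:\windows\system32\winpsd.exe"},
            "run_values": {"winpsd": r"C:\WINDOWS\System32\winpsd.exe"},
            "keys": {f"HKCU\\{MARKER_KEY}"}}
CLEAN = {"dirs": CONSTRUCTED_DIRS, "files": set(),
         "run_values": {"ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe"},
         "keys": {f"HKCU\\{MARKER_KEY}"}}  # normal MRU key, no worm

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    snapshot = collect_snapshot() if live else INFECTED
    apply_removal(plan_removal(assess(snapshot)), dry_run=not (live and "--remove" in sys.argv))
```

Run it without arguments on any platform to see the removal plan for the constructed infected snapshot; on a Windows host, `--live` collects the real snapshot and `--live --remove` executes the steps. As with the manual procedure, run the live removal from Safe Mode so winpsd.exe is not executing when the file is deleted.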

McAfee System Compliance Profiler
Create a rule that matches a file
- Choose WINDOWS_DIR from the drop-down
- Type in rasor38a.dll for the file name
- Choose "File does not exist" in the next drop-down

Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in winpsd.exe for the file name
- Choose "File does not exist" in the next drop-down

McAfee Threatscan
ThreatScan signatures that can detect the W32/Mydoom.s virus are available in ThreatScan signature version 2004-08-16.

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
     -or-
  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4083

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • WORM_RATOS.A (Trend)