September 02, 2010

7/27: MyDoom.N Raised to 'Amber Alert'

Panda Software has raised the threat level of MyDoom.N to AMBER ALERT. MyDoom.N is a new variant of the well-known MyDoom worm.

MyDoom.N spreads via e-mail using its own SMTP engine. The worm installs an EXE file that opens a port and listens on it, thus behaving as a backdoor. This allows attackers to remotely access the affected computer and carry out actions that compromise the user's confidentiality or impede normal work.

MyDoom.N creates the following entries in the Windows Registry so that it is started again at every boot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM = "%WinDir%\java.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services = "%WinDir%\Services.exe"

In addition, it creates the following files in the Windows directory: %WinDir%\java.exe (a copy of the worm) and %WinDir%\Services.exe.
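As an added example (not code from Panda's advisory or the original post), the following Python script checks a `reg export` of the HKLM Run key for the two autorun values listed above. The sample export is constructed here and is not a real capture; the Windows directory is assumed to be C:\WINDOWS, so adjust `windir` for the host being checked.

```python
import re
from typing import Dict, List, Tuple

# Persistence indicators from the advisory: value name -> data, %WinDir% left unexpanded.
MYDOOM_N_RUN_VALUES = {
    "JavaVM": r"%WinDir%\java.exe",
    "Services": r"%WinDir%\Services.exe",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample shaped like the output of
#   reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# It is not a real capture; the last two entries are the worm's.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"JavaVM"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\Services.exe"
'''


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if value_match and current is not None:
            name, data = value_match.groups()
            keys[current][_unescape(name)] = _unescape(data)
    return keys


def find_mydoom_n_autoruns(reg_text: str, windir: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Return (value name, data) pairs in the HKLM Run key that match the worm's entries."""
    indicators = {name.lower(): data for name, data in MYDOOM_N_RUN_VALUES.items()}
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        # Registry key and value names are case-insensitive, as are NTFS paths.
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            expected = indicators.get(name.lower())
            if expected is None:
                continue
            expected = expected.replace("%WinDir%", windir)
            if data.strip().lower() == expected.lower():
                hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_mydoom_n_autoruns(SAMPLE_REG_EXPORT):
        print(f"MyDoom.N autorun: {name} = {data}")
```

On a live host, export the key first with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and pass the file's text to `find_mydoom_n_autoruns`; `reg export` writes the file as UTF-16, so open it with `encoding="utf-16"`. The comparison deliberately requires both the value name and the expanded path to match, since a value merely named `Services` is not by itself evidence of the worm.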

MyDoom.N spoofs the address from which the e-mail appears to be sent, which may cause confusion. It can also use any of the following texts as the display name of the spoofed sender:

"Automatic Email Delivery Software"
"Bounced mail"
"Mail Administrator"
"Mail Delivery Subsystem"
"MAILER-DAEMON"
"Post Office"
"Postmaster"
"Returned mail"
"The Post Office"

Message body: it can be blank, an illegible set of characters, or any of the following:

"Your message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 5 days:
Host is not responding.

The following recipients did not receive this message:

Please reply to (e-mail address)
if you feel this message to be in error."

"Message could not be delivered"
"Dear user of %recipient's email address%

Your email account was used to send a large amount of spam during the last week. Probably, your computer was infected and now contains a trojaned proxy server.

We recommend that you follow the instructions in order to keep your computer safe.

Virtually yours,
%recipient's email address% user support team."

Attachments: the file name is variable, and the extension is random.
Possible file names: it can be a random file name, or one of the following: "readme", "instruction", "attachment", "transcript", "mail", "setter", "file", "text" and "document".
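As an added example (not part of Panda's advisory or the original post), the following Python script scores an incoming message against the lure described above: a spoofed sender display name from the list, a bounce-style body text, and a file attachment. Both sample messages are constructed here with the standard library's `email` package; the attachment name `transcript.scr` and its bytes are placeholders, since the advisory says the extension varies.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Sender display names the advisory says the worm puts on its spoofed From: line.
SPOOFED_SENDER_NAMES = {
    "automatic email delivery software", "bounced mail", "mail administrator",
    "mail delivery subsystem", "mailer-daemon", "post office", "postmaster",
    "returned mail", "the post office",
}
# Fragments of the message bodies quoted in the advisory.
LURE_PHRASES = [
    "your message was undeliverable due to the following reason(s)",
    "message could not be delivered",
    "your message was not delivered within 5 days",
    "was used to send a large amount of spam",
    "contains a trojaned proxy server",
]
# Parts a real MTA bounce carries; anything else is a file the sender chose to attach.
BOUNCE_PART_TYPES = {"message/rfc822", "message/delivery-status"}


def score_bounce_lure(raw: bytes) -> Dict[str, object]:
    """Classify one RFC 5322 message; returns the evidence and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, _ = email.utils.parseaddr(str(msg["From"] or ""))
    name_spoofed = display_name.strip().lower() in SPOOFED_SENDER_NAMES
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    phrases = [p for p in LURE_PHRASES if p in body]
    file_attachments: List[str] = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if part.get_content_type() not in BOUNCE_PART_TYPES
    ]
    # A genuine bounce uses the same sender names and similar wording, so the
    # decisive signal is a file attachment on top of the bounce-style lure.
    suspicious = (name_spoofed or bool(phrases)) and bool(file_attachments)
    return {
        "sender_name": display_name,
        "sender_name_spoofed": name_spoofed,
        "phrases": phrases,
        "file_attachments": file_attachments,
        "suspicious": suspicious,
    }


def build_sample_worm_mail() -> bytes:
    """Constructed message in the shape the advisory describes (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = '"Mail Delivery Subsystem" <mailer-daemon@example.com>'
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Returned mail"
    msg.set_content(
        "Your message was undeliverable due to the following reason(s):\n\n"
        "Host is not responding.\n"
    )
    # Placeholder attachment: the name and extension vary in the real worm.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="transcript.scr")
    return msg.as_bytes()


def build_sample_real_bounce() -> bytes:
    """Constructed MTA bounce: same sender name, but only the original message attached."""
    original = EmailMessage()
    original["From"] = "victim@example.com"
    original["To"] = "nobody@unreachable.example"
    original["Subject"] = "hello"
    original.set_content("hi\n")
    msg = EmailMessage()
    msg["From"] = '"Mail Delivery Subsystem" <MAILER-DAEMON@mail.example.com>'
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg.set_content("Your message could not be delivered: host is not responding.\n")
    msg.add_attachment(original)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, builder in (("worm lure", build_sample_worm_mail),
                           ("real bounce", build_sample_real_bounce)):
        print(label, score_bounce_lure(builder()))
```

The real-bounce sample trips both the sender-name and the body-phrase checks, which is why neither is used alone: the verdict only turns positive when a file that is not the returned original message rides along with the lure.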

More details of the messages that MyDoom.N uses are available from Panda Software's Virus Encyclopedia.
