Question
Mydoom.F Worm deletes e-mails and documents on infected systems! (updated 2/24/04)
Answer
This question was answered on February 25, 2004. Much of the information contained herein may have changed since posting.

W32.Mydoom.F is a mass-mailing worm that arrives as an e-mail attachment with one of the file extensions .bat, .com, .cmd, .exe, .pif, .scr or .zip. This is the 3rd variation of the Mydoom worm that was discovered in late January of this year and has become the fastest spreading computer infection of all time.

UNLIKE PREVIOUS VERSIONS OF MYDOOM, THIS ONE IS DESTRUCTIVE TO DATA THAT RESIDES ON THE INFECTED SYSTEM'S HARD DRIVE(S). It targets files from popular applications such as Microsoft Word, Excel and Outlook Express and attempts to delete them. The file types it is currently known to target are files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp, and any filename that contains the word "Inbox", on drives C through Z, which means it can target files on network servers as well as local hard drives. When it finds these files, it randomly deletes them.

<a href="http://datadoctors.com/contact"><font size="3" color="#0000FF">If you are attacked by this worm and need to have your deleted files recovered, contact the nearest Data Doctors location by clicking here.</font></a>

As with previous worms, it can 'spoof' the 'From' address, so don't assume that the sender's address is accurate.

The typical Subject lines include:

<blank>
Announcement
Re: Thank you
Thank you
Re: Details
Details
Re: Approved
Approved
hi, it's me
Thank You very very much
You use illegal File Sharing...
Your IP was logged
Your account is about to be expired
Love is
Love is...
Undeliverable message
Re: <censored>
Your order was registered
Your request was registered
Your order is being processed
Your request is being processed
Current Status
read now!
forget
bug
unknown
fake
Wanted
recent news
news
stolen
Attention
Accident
Schedule
Your credit card
Read it immediately!
Read this
Read it immediately
Something for you
For you
For your information
Information
Warning
You have 1 day left
automatic notification
automatic responder
Notification
Expired account
Your account has expired
Important
Readme
Read this message
please read
please reply
Registration confirmation
Confirmation
Confirmation Required
Returned Mail
hello
hi

===========================================================

And the Message body is usually one of the following:

You are bad
Take it
Reply
Please, reply
Information about you
Greetings
See you
Here it is
We have received this document from your e-mail.
Kill the writer of this document!
Something about you
I have your password :)
You are a bad writer
Is that yours?
Is that from you?
I wait for your reply.
Here is the document.
Read the details.
I'm waiting
Okay
OK
Everything ok?
Check the attached document.
The document was sent in compressed format.
Please see the attached file for details
See the attached file for details
Details are in the attached document. You need Microsoft Office to open it.

===========================================================

The attachment name can be one of the following:

photo
resume
image
your_document
approved
paypal
disc
misc
part3
part2
part4
part1
mail2
object
website
friend
jokes
joke
list
story
about
money
check
product
notes
note
information
textfile
posting
post
stuff
attachment
creditcard
details
body
message
test
data
file
text
readme
document
doc
msg
<random letters>

with one of the following extensions:

.exe
.scr
.com
.pif
.bat
.cmd

===========================================================

DO NOT OPEN ANY ATTACHMENTS, EVEN IF YOU TRUST THE SENDER!

Get complete instructions on protection and removal from Symantec at: <a href="http://www.sarc.com/avcenter/venc/data/w32.mydoom.f@mm.html">http://www.sarc.com/avcenter/venc/data/w32.mydoom.f@mm.html</a>
Author
Posted by Ken of Data Doctors on February 25, 2004
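The subject lines, body texts, attachment names and extensions listed in the answer above are exactly the kind of indicators a mail gateway can be told to refuse. The following is an added example, not code from Data Doctors or from Symantec's write-up: it parses a raw RFC 822 message with Python's standard email library, compares the Subject, the plain-text body and each attachment's base name and extension against subsets of the lists above (the remaining entries would be pasted in before real use), and opens .zip attachments in memory to look for an executable member, since the worm also arrives compressed. The From: header is ignored on purpose because the worm spoofs it. All function names and the three sample messages are constructed for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the answer lists for the worm's executable attachment.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Subsets of the subject, body and attachment-name lists from the answer;
# paste in the remaining entries before using this for real.
WORM_SUBJECTS = {"announcement", "re: thank you", "your ip was logged",
                 "you use illegal file sharing...", "undeliverable message",
                 "read it immediately!", "confirmation required", "returned mail"}
WORM_BODIES = {"you are bad", "take it", "i have your password :)",
               "the document was sent in compressed format.",
               "see the attached file for details"}
WORM_ATTACHMENT_NAMES = {"photo", "resume", "your_document", "paypal",
                         "creditcard", "readme", "document", "msg"}


def split_name(filename):
    """Lower-case (base, extension); 'Readme.doc.EXE' -> ('readme.doc', '.exe')."""
    name = filename.lower()
    base, dot, ext = name.rpartition(".")
    return (base, "." + ext) if dot else (name, "")


def attachment_indicators(part):
    """Yield the reasons one MIME part matches the worm's attachment pattern."""
    filename = part.get_filename()
    if not filename:
        return
    base, ext = split_name(filename)
    if ext in EXEC_EXTENSIONS:
        yield f"executable attachment {filename}"
        if base in WORM_ATTACHMENT_NAMES:
            yield f"worm attachment name {base!r}"
    elif ext == ".zip":
        # The worm also arrives zipped: inspect member names in memory only,
        # never extract anything to disk.
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if split_name(member)[1] in EXEC_EXTENSIONS:
                        yield f"executable {member} inside {filename}"
        except zipfile.BadZipFile:
            yield f"unreadable zip attachment {filename}"


def check_message(raw):
    """Return the worm indicators matched by a raw RFC 822 message (bytes).

    An empty list only means nothing on these lists matched. The From: header
    is deliberately not consulted because the worm spoofs it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        reasons.append(f"worm subject {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body else ""
    if text in WORM_BODIES:
        reasons.append(f"worm body text {text!r}")
    for part in msg.iter_attachments():
        reasons.extend(attachment_indicators(part))
    return reasons


def build_sample(subject, body, filename, payload):
    """Construct a sample message (test data for this example, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"  # spoofed, as the worm would do
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def zip_bytes(member, data):
    """Build an in-memory zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


# Constructed samples: two shaped like the worm's mail, one ordinary attachment.
WORM_EXE = build_sample("Your IP was logged", "I have your password :)",
                        "paypal.scr", b"MZ\x90\x00 fake payload")
WORM_ZIP = build_sample("Read it immediately!",
                        "The document was sent in compressed format.",
                        "document.zip", zip_bytes("document.exe", b"MZ\x90\x00"))
CLEAN = build_sample("Q2 budget", "Numbers attached, see the third tab.",
                     "budget.xls", b"\xd0\xcf\x11\xe0 fake spreadsheet")

if __name__ == "__main__":
    for label, raw in (("WORM_EXE", WORM_EXE), ("WORM_ZIP", WORM_ZIP), ("CLEAN", CLEAN)):
        print(label, check_message(raw) or "no indicators matched")
```

Subject and body matching is exact after trimming and lower-casing, which is what the answer's lists support; a gateway that wants to catch variations should add fuzzier matching separately rather than loosen these sets. The attachment check is the one worth keeping regardless of the lists: an executable extension, on its own or inside a zip, is reason enough to quarantine, whoever the message claims to be from.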