
MyDoom.O / MyDoom.M worm
Virus description

By , About.com Guide

Jul 27 2004
A new variant of MyDoom was discovered on July 26, 2004. Antivirus vendors are split on what to call it: Sophos and McAfee refer to the variant as MyDoom.O, while Trend Micro and F-Secure have dubbed it MyDoom.M.

As with previous MyDoom variants, MyDoom.O is a mass-mailing email worm that tries to dupe users into opening its infected attachment by masquerading as an email from their system administrators. The email may warn the user that their account has been detected sending spam and that they may have been compromised by a virus, or the email may claim to be a bounced-message notification. Because the code combines multiple strings and word fragments, the exact message varies. The following is one possible variation:

    ------------------------------
    Dear user of {ISP/domain}

    We have received reports that your e-mail account has been used to send a large amount of unsolicited commercial e-mail during the last week. We suspect that your computer was compromised by a recent virus and now contains a hidden proxy server. We recommend you follow the instructions in the attachment in order to keep your computer safe.

    Sincerely yours
    {ISP/domain} support team
    ------------------------------

Or the message may appear to be a rejection notice resulting from undeliverable email. For example:

    ------------------------------
    Your message could not be delivered because the destination server was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters

    Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now
    ------------------------------

The From address is spoofed, using either an email address found on the infected system or one of the following:

    Postmaster
    Mail Administrator
    Automatic Email Delivery Software
    Post Office
    The Post Office
    Bounced mail
    Returned mail
    MAILER-DAEMON
    Mail Delivery Subsystem

The subject may be any one of the following:

    hello
    hi
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

The attachment extension will be one of cmd, bat, com, exe, pif, scr or zip, and the filename one of the following:

    readme
    instruction
    transcript
    mail
    letter
    file
    text
    attachment
    document
    message

For example, the attachment may be named letter.cmd. However, in some instances the file extension may not be displayed: by default, Windows hides the extensions of known file types, which includes these executable types. The File Extension Center provides tips for enabling file extension viewing.

If sent as a zip attachment, the file may be named after the recipient, for example user.name@companydomain.com. The file contained within the zip may employ a double or triple extension ruse. In the triple extension ruse, multiple spaces are inserted before the final extension to push it out of the normal viewing window, making it appear that the extension is something other than an executable.
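The lure traits described above (spoofed sender names, subject lines, attachment basenames, executable extensions and the space-padded triple extension ruse) can be turned into a simple mail-gateway check. The following is an added example written for this page, not code from About.com or from any antivirus vendor; the indicator lists are transcribed from the description above, and the sample headers are constructed.

```python
import re

# Indicator lists transcribed from the MyDoom.O description above, lower-cased for matching.
LURE_SENDERS = {s.lower() for s in (
    "Postmaster", "Mail Administrator", "Automatic Email Delivery Software",
    "Post Office", "The Post Office", "Bounced mail", "Returned mail",
    "MAILER-DAEMON", "Mail Delivery Subsystem")}
LURE_SUBJECTS = {s.lower() for s in (
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details", "Returned mail: Data format error")}
LURE_BASENAMES = {"readme", "instruction", "transcript", "mail", "letter", "file",
                  "text", "attachment", "document", "message"}
EXEC_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr"}

def true_extension(filename):
    """Last extension after removing the whitespace padding used in the triple extension ruse."""
    collapsed = re.sub(r"\s+", "", filename)
    return collapsed.rsplit(".", 1)[1].lower() if "." in collapsed else ""

def extension_ruse(filename):
    """True for double extensions (file.txt.exe) or space-padded ones (file.txt   .exe)."""
    stripped = filename.strip()
    return stripped.count(".") > 1 or bool(re.search(r"\s{2,}\.\w+$", stripped))

def attachment_indicators(filename):
    """Indicators found in the attachment name alone."""
    reasons = []
    collapsed = re.sub(r"\s+", "", filename)
    base = collapsed.split(".", 1)[0].lower()
    ext = true_extension(filename)
    if ext in EXEC_EXTS:
        reasons.append("executable-extension:" + ext)
    if extension_ruse(filename):
        reasons.append("extension-ruse")
    if base in LURE_BASENAMES:
        reasons.append("lure-filename")
    return reasons

def classify(sender_name, subject, attachment):
    """Return the list of MyDoom.O lure indicators matched; an empty list means none."""
    reasons = attachment_indicators(attachment)
    if sender_name.strip().lower() in LURE_SENDERS:
        reasons.append("spoofed-sender")
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("lure-subject")
    return reasons

# Constructed sample headers for demonstration, not captured worm traffic.
SAMPLES = [("Mail Delivery Subsystem", "Returned mail: Data format error", "letter.cmd"),
           ("alice@example.com", "Q3 numbers", "report.pdf"),
           ("Postmaster", "delivery failed", "message.txt                    .scr")]

if __name__ == "__main__":
    for sender, subj, att in SAMPLES:
        print(repr(att), "->", classify(sender, subj, att))
```

Matching is exact on the lists the description gives; a real filter would also inspect the contents of zip attachments, since the worm hides the executable inside an archive named after the recipient.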



©2009 About.com, a part of The New York Times Company.

All rights reserved.