W32.Moody.Worm


Aliases: Worm.Win32.Doomer.a, Win32/HLLW.Doomer.A, WORM_DOOMER.A, Worm/Doomer.A Worm, Win32/Doomer.A 
Variants: W32/Doomer.worm.gen, Win32.HLLW.Doomer.1 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: North America, South America, Asia, Europe, Australia, Africa
Removal: Hard
Platform: W32
Discovered: 19 Feb 2004
Damage: Medium

Characteristics: The W32.Moody.Worm spreads its malicious code to systems that are already infected with the W32.Mydoom.A@mm worm. The Mydoom worm and its variants are among the most dangerous and widespread worms. This malware uses a wide array of methods to penetrate target systems and subsequently execute its code. It may use social engineering techniques, including infected emails with attachments and infected links. It may likewise rely on locating weakly configured networks that leave the host machine susceptible to remote attacks.

More details about W32.Moody.Worm

This worm allegedly has backdoor capabilities. It can stop the Windows Firewall from blocking port activity; it does this by running a shell command and adding a registry entry. Once a port is opened, the worm connects to a set of URLs predefined in its code and notifies its remote author of the compromised system’s status. It then waits for the remote author to establish a connection to the affected machine; once a connection is established, the remote author can execute a series of commands. These commands all run locally, thereby compromising the machine.

The W32.Moody.Worm copies itself as an EXE file on the computer system and adds a value to a specific registry key so that it is run when Windows starts. It then generates random IP addresses and tries to connect to them on TCP port 3127, the same port used by the W32.Mydoom.A@mm worm’s backdoor component. Once a connection is established, the malware sends 5 bytes to the remote system and then sends a copy of its own code to the remote system as well. The W32.Mydoom.A@mm backdoor component accepts the worm’s copy and then launches it. This worm’s infection is best removed with a competent antivirus program: after downloading the antivirus program, open it and follow its steps for malware removal, then go to the registry editor and remove all the modifications added by the worm.
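The propagation behaviour described above has a distinctive network footprint: one internal host opening connections to many unrelated addresses on TCP port 3127, and any host that completes such a connection is, by the worm’s own logic, already running the Mydoom backdoor. The script below is an added detection example, not code from the original entry or from any vendor; it parses a constructed, simplified firewall/NetFlow log format (timestamp, source, destination, protocol, state) and flags both the scanning source and the hosts that accepted a connection on 3127. The threshold value and the log format are assumptions for this example and should be adapted to your own telemetry.

```python
"""Added example (not part of the original W32.Moody.Worm entry): flag hosts
whose outbound connection pattern matches the worm's propagation behaviour,
and identify hosts that completed a connection on the Mydoom backdoor port."""
import re
from collections import defaultdict

# Port used by the W32.Mydoom.A@mm backdoor, which W32.Moody.Worm targets.
MYDOOM_BACKDOOR_PORT = 3127
# Assumed tuning value (not from the entry): how many distinct destinations
# one source must contact on port 3127 before it is treated as scanning.
DISTINCT_DST_THRESHOLD = 5

# Constructed sample log, loosely styled after a firewall/NetFlow export:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <state>
SAMPLE_LOG = """\
2004-02-19T10:00:01Z 10.0.0.5:1034 -> 203.0.113.7:3127 TCP SYN
2004-02-19T10:00:01Z 10.0.0.5:1035 -> 198.51.100.42:3127 TCP SYN
2004-02-19T10:00:02Z 10.0.0.5:1036 -> 192.0.2.88:3127 TCP SYN
2004-02-19T10:00:02Z 10.0.0.5:1037 -> 10.0.0.23:3127 TCP ESTABLISHED
2004-02-19T10:00:03Z 10.0.0.5:1038 -> 203.0.113.200:3127 TCP SYN
2004-02-19T10:00:03Z 10.0.0.5:1039 -> 198.51.100.9:3127 TCP SYN
2004-02-19T10:00:04Z 10.0.0.9:2210 -> 192.0.2.10:443 TCP ESTABLISHED
2004-02-19T10:00:05Z 10.0.0.9:2211 -> 10.0.0.23:3127 TCP ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<state>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def iter_records(log_text):
    """Yield parsed records, silently skipping unparseable lines."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def find_scanners(log_text, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: sorted distinct dst_ips} for sources that contacted at
    least `threshold` distinct destinations on TCP 3127 (Moody-style fan-out)."""
    targets = defaultdict(set)
    for rec in iter_records(log_text):
        if rec["proto"] == "TCP" and rec["dport"] == MYDOOM_BACKDOOR_PORT:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_exposed_backdoors(log_text):
    """Return {dst_ip: sorted src_ips} for hosts that completed a TCP 3127
    connection; a completed connection means the Mydoom backdoor is listening."""
    listeners = defaultdict(set)
    for rec in iter_records(log_text):
        if (rec["proto"] == "TCP" and rec["dport"] == MYDOOM_BACKDOOR_PORT
                and rec["state"] == "ESTABLISHED"):
            listeners[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in listeners.items()}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"possible W32.Moody.Worm scanner {src}: {len(dsts)} distinct targets on 3127")
    for dst, srcs in find_exposed_backdoors(SAMPLE_LOG).items():
        print(f"host {dst} accepted connections on 3127 (Mydoom backdoor suspected) from {srcs}")
```

On the constructed log, 10.0.0.5 is reported as a scanner (six distinct destinations on 3127) while 10.0.0.9, which contacted only one such host, is not; 10.0.0.23 is reported as a likely Mydoom-infected host because two sources completed connections to its port 3127. In practice the two lists drive different responses: the scanner is a Moody infection to isolate and clean, and the exposed host still has the Mydoom backdoor that let Moody in.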