W32.Mydoom!gen
Aliases: W32/MyDoom-Gen, W32/Mydoom.gen@MM, Win32/Mydoom.gen, Win32.Mydoom.gen
Variants: Email-Worm.Win32.Mydoom.ay, Win32.HLLM.MyDoom.78, Worm/Mydoom.BZ, Win32.Mytob.FJ@mm

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 03 Jun 2005
Damage: Low

Characteristics: This backdoor worm is a variant of the Mydoom worm family. It is controlled by its remote author over IRC (Internet Relay Chat). It can install a backdoor on the compromised system that is used, among other things, to communicate with its remote operator. The open backdoor can also be used to collect sensitive information about the user and the computer, download and execute files, send infected email messages and further propagate the worm's code.

More details about W32.Mydoom!gen

The W32.Mydoom!gen worm can be installed on a target machine remotely. It alters the system registry by adding its own startup value so that it executes each time Windows starts. It also attempts to terminate every security-related process it finds, and it can prevent the victim machine from connecting to antivirus and other security vendors' websites. W32.Mydoom!gen may also be instructed to propagate via SMTP (Simple Mail Transfer Protocol) email, using addresses it has harvested from the Windows Address Book. The message carries an enticing subject line and an attachment containing the worm's code; if the recipient saves and runs the attachment, the worm executes on that machine as well.

This malware can also propagate across networks to randomly selected IP addresses, attempting to exploit the Remote Procedure Call (RPC) buffer overflow vulnerability. When the exploit succeeds, W32.Mydoom!gen can run arbitrary code on the target or cause a denial of service. The worm may consume a large amount of system resources and slow the system, because its numerous running copies compete for those resources. It may also change system settings. It installs copies of itself in the Windows directory, which ensures that the worm executes at every system boot.