W32.Dozer


Aliases: W32/Mydoom.cf, MyDoom.HN
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Moderate
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 08 Jul 2009
Damage: Low

Characteristics: W32.Dozer is an email worm that usually arrives as a file attached to spam emails. It is also classified as a dropper, because it infects the computer by installing a Trojan called Trojan.Dozer, a denial-of-service Trojan, together with W32.Mydoom.A@mm, the component that sends out the emails with W32.Dozer attached. It also accepts remote commands. All versions of the Windows operating system are reported to be affected by W32.Dozer.

More details about W32.Dozer

Trojan.Dozer instructs infected files and/or systems to delete critical content from the hard drive. This worm is also believed to be connected with the Mydoom worm, which gives it mass-mailing abilities. The email attachment contains a list of host sites, which tells the botnet which sites to attack. The worm first became known when it infected many government, financial and media sites in the U.S. and South Korea. Researchers also say that this worm monitors the system's internal clock. When the clock reaches July 10, 2009, the code tries to find and delete all files with the extensions ".accdb, .alz, .asp, .aspx, .c, .cpp, .db, .dbf, .doc, .docm, .docx, .eml, .gho, .gul, .hna, .hwp, .java, .jsp, .kwp, .mdb, .pas, .pdf, .php, .ppt, .pptx, .pst, .rar, .rtf, .txt, .wpd, .wpx, .wri, .xls, .xlsx, .xml and .zip". These file types are typically associated with Microsoft Office, development applications and business software. Once the payload runs on the computer, the system may become inoperable, since the worm also contains code that modifies the Master Boot Record.
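The paragraph above describes a date-triggered payload that deletes files by extension. The following script is an added example for defenders, not code from the original write-up or from the malware: it turns the extension list quoted above into a normalised set, inventories which files on a host would be affected (so backups can be verified before the trigger date), and models the clock comparison the description refers to. The extension list and trigger date are taken from the description; every file path below is constructed sample data, and the function names are this example's own.

```python
# Added example (not from the original write-up): inventory the files that the
# described date-triggered payload would target, so a defender can confirm
# backups cover them. Extension list and trigger date come from the description;
# all file paths are constructed sample data.
from collections import Counter
from datetime import date
from pathlib import PurePosixPath

# Extension list as quoted in the description.
TARGETED_EXTENSIONS_TEXT = (
    ".accdb, .alz, .asp, .aspx, .c, .cpp, .db, .dbf, .doc, .docm, .docx, .eml, "
    ".gho, .gul, .hna, .hwp, .java, .jsp, .kwp, .mdb, .pas, .pdf, .php, .ppt, "
    ".pptx, .pst, .rar, .rtf, .txt, .wpd, .wpx, .wri, .xls, .xlsx, .xml and .zip"
)

# Trigger date stated in the description.
TRIGGER_DATE = date(2009, 7, 10)


def parse_extension_list(text: str) -> frozenset[str]:
    """Turn a free-text extension list into a deduplicated, lower-cased set.

    Tokens are split on commas and whitespace, connective words such as "and"
    are dropped, and anything not starting with a dot is ignored. Duplicate
    entries and missing commas (common in copied lists) are tolerated.
    """
    tokens = text.replace(",", " ").split()
    return frozenset(t.lower() for t in tokens if t.startswith("."))


def is_targeted(path: str, extensions: frozenset[str]) -> bool:
    """True if the file's final suffix (case-insensitive) is in the target set."""
    return PurePosixPath(path).suffix.lower() in extensions


def inventory_at_risk(paths, extensions) -> dict[str, int]:
    """Count at-risk files per extension; this is what a backup audit needs."""
    counts = Counter(
        PurePosixPath(p).suffix.lower() for p in paths if is_targeted(p, extensions)
    )
    return dict(counts)


def payload_armed(today_iso: str, trigger: date = TRIGGER_DATE) -> bool:
    """Model the clock check described above: the deletion runs once the system
    date reaches the trigger date. Takes an ISO date string such as '2009-07-09'."""
    return date.fromisoformat(today_iso) >= trigger


# Constructed sample file listing (not real data).
SAMPLE_PATHS = [
    "/home/user/Documents/budget.XLSX",
    "/home/user/Documents/report.docx",
    "/home/user/src/main.cpp",
    "/home/user/src/main.o",
    "/home/user/Pictures/holiday.jpg",
    "/home/user/archive.tar.gz",
    "/home/user/mail/outlook.pst",
]

if __name__ == "__main__":
    exts = parse_extension_list(TARGETED_EXTENSIONS_TEXT)
    print(f"{len(exts)} targeted extensions")
    print("at-risk files:", inventory_at_risk(SAMPLE_PATHS, exts))
    print("payload armed on 2009-07-09?", payload_armed("2009-07-09"))
    print("payload armed on 2009-07-10?", payload_armed("2009-07-10"))
```

Matching is done on the final suffix only and case-insensitively, so `budget.XLSX` counts but `archive.tar.gz` does not; if a listing uses Windows paths, swap `PurePosixPath` for `PureWindowsPath`.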

W32.Dozer, a dropper that contains all the other components within it, is sent by W32.Mytob!gen to email addresses gathered from the compromised computer. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the compromised computer. W32.Mydoom.A@mm in turn drops W32.Mytob!gen and a removal tool built by the other worm's creator, allowing them to uninstall W32.Mytob!gen. W32.Mytob!gen, for its part, collects email addresses and sends the W32.Dozer dropper to them as well. The spread of the worm was hampered by continuously updated security software. It is also good practice not to open emails that appear malicious. Manual removal involves killing the malicious processes and then deleting the registry values and/or .exe files they created.