A new member of the Mydoom family is spreading through an e-mail claiming to contain funny photos, opening backdoors attackers could use to gain remote control of infected machines. Several antivirus firms started to see W32.Mydoom-S in the wild early Monday morning.
In its advisory, Santa Clara, Calif.-based McAfee Inc. rated the worm as a medium risk. For the worm to strike, McAfee said, victims must manually open the infected e-mail attachment. Once running, it harvests e-mail addresses from files with the following extensions: .adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .txt and .wab. The worm then sends itself to those addresses and attempts to install a backdoor.
"Companies should educate their users to practice safe computing. That includes never opening unsolicited e-mail attachments and discouraging the sending and receiving of joke files and funny photographs and screensavers," Graham Cluley, senior technology consultant for Lynnfield, Mass.-based Sophos, said in a statement. "This worm feeds on people's habit to willingly accept humorous content on their desktop computer, but they could be putting their entire company's data at risk."
Mydoom-S arrives in an e-mail with the following characteristics:
- Subject line: photos
- Message text: LOL!;))))
- Attached file: photos_arc.exe
Helsinki, Finland-based F-Secure Corp. said the worm will attempt to download an executable from four different URLs stored within its body, and that those URLs point to two different sites: www.richcolour.com and zenandjuice.com. It then copies itself to the Windows system directory as "winpsd.exe" and creates a startup key for the copied file in the Windows registry so that it runs at boot.
"All companies should consider blocking executable content from the outside world at the e-mail gateway," Cluley said.
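The gateway advice above is worth making concrete. The following Python script is an added example written for this page, not code from McAfee, Sophos, F-Secure or the article's authors. It builds a few constructed test messages (including one shaped like the Mydoom-S lure described above, with a stub PE header standing in for the real attachment), then shows the difference between a naive filter that only looks at the attachment's extension and one that also inspects the attachment's content for the "MZ" executable header. The extension block list and the example addresses are assumptions, not part of the advisory.

```python
"""Gateway-side check for executable e-mail attachments (added example).

All messages below are constructed in this script. The lure message copies
only the subject, text and attachment name reported for Mydoom-S; the
attachment bytes are a non-functional stub header, not the worm.
"""
import os
import email
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway block list. Mydoom-S ships as an .exe; the
# other entries are common double-click-to-run types in the same class.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE/DOS executable

# Indicators for the Mydoom-S lure as reported in the article.
MYDOOM_S_SUBJECT = "photos"
MYDOOM_S_BODY = "LOL!;))))"
MYDOOM_S_ATTACHMENT = "photos_arc.exe"

# Constructed payloads: a stub PE header and JPEG magic bytes, neither real files.
STUB_PE = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def build_message(subject, body, filename, payload):
    """Construct a test message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed placeholder addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def attachment_findings(raw_message):
    """Return one dict per attachment listing the reasons it should be blocked.

    The extension check is what a naive filter does; the MZ check also catches
    an executable that has been renamed to look like a photo.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension")
        if data[:2] == MZ_MAGIC:
            reasons.append("PE executable content")
        findings.append({"filename": name, "reasons": reasons})
    return findings


def should_block(raw_message):
    """Gateway decision: block if any attachment is executable by name or content."""
    return any(f["reasons"] for f in attachment_findings(raw_message))


def matches_mydoom_s_lure(raw_message):
    """Exact match on the reported lure: subject, body text and attachment name.

    Useful as a dedicated signature, but any change to the name defeats it,
    which is why the content check in attachment_findings() matters more.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    return (subject == MYDOOM_S_SUBJECT and body == MYDOOM_S_BODY
            and MYDOOM_S_ATTACHMENT in names)


def demo():
    """Run the three constructed cases; returns (blocked?, lure-match?) per case."""
    lure = build_message(MYDOOM_S_SUBJECT, MYDOOM_S_BODY, MYDOOM_S_ATTACHMENT, STUB_PE)
    renamed = build_message("photos", "LOL!;))))", "photos_arc.jpg", STUB_PE)
    benign = build_message("holiday", "here you go", "beach.jpg", FAKE_JPEG)
    return {
        "lure": (should_block(lure), matches_mydoom_s_lure(lure)),
        "renamed": (should_block(renamed), matches_mydoom_s_lure(renamed)),
        "benign": (should_block(benign), matches_mydoom_s_lure(benign)),
    }


if __name__ == "__main__":
    for label, (blocked, is_lure) in demo().items():
        print(f"{label}: block={blocked} mydoom_s_lure={is_lure}")
```

The "renamed" case is the point: a filter keyed only on the subject line and the photos_arc.exe name, or only on file extension, passes the same executable bytes the moment the attacker changes the name, while the header check still blocks it. A real gateway would extend the content check to archives (the worm name "photos_arc" hints at that lure) and to other executable containers, but the decision structure is the same.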