8/2: MyDoom-P Sends Spoofed Emails
August 2, 2004

W32/Mydoom.p@MM is a new variant of W32/Mydoom that is packed with ASPack. The dropped SERVICES.EXE is the same binary W32/Mydoom.o@MM uses. The behavior is similar to W32/Mydoom.o@MM and bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • contains a peer-to-peer propagation routine

    From: (spoofed From: header)
    Do not assume that the sender address indicates that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

    The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)

    More information is available on the McAfee page.
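    The advisory's point is that a From: header of mailer-daemon@ or noreply@ at your own domain proves nothing about where a message came from. The Python below is an added example (it is not from the advisory, McAfee, or the worm's code) of a defender-side triage check for that specific case: it flags mail that claims to be a bounce from the local domain but does not have the shape of a genuine delivery status notification. The local domain example.org, the three sample messages, and the heuristic itself (a real DSN is sent with a null reverse-path, so Return-Path is "<>", per RFC 5321, and is formatted as multipart/report with report-type=delivery-status, per RFC 3464) are my assumptions; the page says nothing about how the worm sets those fields.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the domain this mail system receives for (not stated on the page).
LOCAL_DOMAIN = "example.org"
# Local-parts the advisory says the worm uses to fake a bounce.
BOUNCE_LOCALPARTS = {"mailer-daemon", "noreply"}


def bounce_claimant(msg):
    """Return the lower-cased From: address if it claims to be a bounce
    sender at LOCAL_DOMAIN, otherwise None."""
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    if domain == LOCAL_DOMAIN and local in BOUNCE_LOCALPARTS:
        return addr.lower()
    return None


def looks_like_real_dsn(msg):
    """Heuristic (my assumption, not a statement about the worm): a genuine
    delivery status notification has a null reverse-path (RFC 5321), so its
    Return-Path is '<>', and is formatted as multipart/report with
    report-type=delivery-status (RFC 3464)."""
    return_path = str(msg.get("Return-Path", "")).strip()
    report_type = (msg.get_param("report-type") or "").lower()
    return (
        return_path == "<>"
        and msg.get_content_type() == "multipart/report"
        and report_type == "delivery-status"
    )


def classify(raw_message):
    """Classify one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if bounce_claimant(msg) is None:
        return "not-a-bounce-claim"
    if looks_like_real_dsn(msg):
        return "plausible-dsn"
    return "suspect-spoofed-bounce"


# --- constructed sample messages (not real captures) ---------------------

# Claims to be a bounce from our domain, but the envelope sender is a
# harvested address and the body is plain text: the pattern the advisory warns about.
SPOOFED_BOUNCE = """\
Return-Path: <harvested.user@example.net>
From: mailer-daemon@example.org
To: bob@example.org
Subject: Delivery failure

Your message could not be delivered.
"""

# What a real DSN from our own MTA looks like under the heuristic above.
GENUINE_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@example.org (Mail Delivery System)
To: bob@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.org. Delivery failed.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org
Action: failed
--B1--
"""

# Ordinary mail: the check should leave it alone.
ORDINARY_MAIL = """\
Return-Path: <alice@example.net>
From: alice@example.net
To: bob@example.org
Subject: lunch

Noon?
"""


def triage(samples):
    """Map each sample name to its classification."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage({"spoofed": SPOOFED_BOUNCE,
                                 "genuine": GENUINE_DSN,
                                 "ordinary": ORDINARY_MAIL}).items():
        print(f"{name:9s} {verdict}")
```

    The check deliberately does not try to identify the worm; it only separates messages that merely claim to be bounces from those that are built the way a mail server actually builds them, which is the same reason the advisory says not to treat the From: address as evidence of who is infected. Messages that spoof an arbitrary harvested address rather than a bounce address fall through as "not-a-bounce-claim" and need other controls.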
