Like MyDoom.m, this virus uses popular search engines to find its victims. Here are details on how to spot MyDoom.bb and how to address the problem.
By Robert Vamosi
Yet another virus is using Google and other popular search engines to spread. MyDoom.bb (w32.mydoom.bb@mm) is a direct variant of MyDoom.m, which also pummeled search engines last summer in an attempt to harvest e-mail addresses. In addition, MyDoom.bb attempts to shut down active instances of Outlook and Internet Explorer. The virus affects only Windows computers; users of Mac OS, Linux, and Unix machines are not affected. Because MyDoom.bb spreads via e-mail and may allow remote access to your computer, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
MyDoom.bb arrives by e-mail, using a spoofed sender, and it appears to be a warning from your company or Internet service provider (ISP) regarding recent unsent mail; it includes a "helpful" attachment, which is actually the virus component. One version of the body text reads as follows:
According to F-Secure, another version of the body text reads as follows:
Do not open the attached file!
Should you open the attached file, MyDoom.bb will attempt to download a backdoor Trojan horse known as Surila.o. MyDoom.bb opens a listener on port 1034 and sends out messages using even higher TCP ports looking for other infected machines listening on port 1034. MyDoom.bb also attempts to kill Outlook and Internet Explorer if these apps are running.
MyDoom.bb installs itself as java.exe and adds another file called services.exe to the Windows directory.
The virus changes the following Registry keys:
- \Run "JavaVM" = %WinDir%\JAVA.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
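As an added example (not part of the original article), the Python script below checks saved `reg query` and `netstat -an` output for the indicators described above: the JavaVM and Services Run values pointing at files directly in %WinDir%, and a listener on TCP port 1034. The sample input is constructed, `C:\WINDOWS` is an assumed %WinDir%, and the check matches on value name and data only because the first key path is incomplete on this page.

```python
import ntpath
import re

WINDIR = r"C:\WINDOWS"  # assumption: default %WinDir% of the examined host
# Run value name -> file name the article says is placed in %WinDir%
RUN_VALUES = {"javavm": "java.exe", "services": "services.exe"}
LISTEN_PORT = 1034  # listener port named in the article

def check_run_values(reg_text, windir=WINDIR):
    """Return (name, expanded path) for Run values matching the article."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if not m or m.group(1).lower() not in RUN_VALUES:
            continue
        name, data = m.group(1), m.group(2).strip('"')
        data = re.sub(r"%(windir|systemroot)%", lambda _: windir, data, flags=re.I)
        folder, exe = ntpath.split(ntpath.normpath(data))
        # The genuine services.exe lives in System32, so require %WinDir% itself.
        if exe.lower() == RUN_VALUES[name.lower()] and folder.lower() == windir.lower():
            hits.append((name, data))
    return hits

def check_listener(netstat_text, port=LISTEN_PORT):
    """Return local endpoints in LISTENING state on the given TCP port."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Only LISTENING counts: on older Windows 1034 is also a normal client port.
        if (len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(port)):
            hits.append(f[1])
    return hits

# Constructed sample input, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM    REG_SZ    C:\WINDOWS\java.exe
    Services    REG_SZ    %WinDir%\SERVICES.EXE
    SunJavaUpdateSched    REG_SZ    C:\Program Files\Java\jre\bin\jusched.exe
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1041       203.0.113.7:1034       ESTABLISHED
"""

if __name__ == "__main__":
    print(check_run_values(SAMPLE_REG), check_listener(SAMPLE_NETSTAT))
```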
If you receive MyDoom.bb, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates (as MyDoom.au), F-Secure, McAfee, Norman (as MyDoom.aq), Panda (as MyDoom.ao), Sophos (as MyDoom.o), Symantec (as MyDoom.ax), and Trend Micro.