MiMail.R, also known as W32/Mydoom@MM (McAfee), Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32.Mydoom.A (CA) and Win32/Shimg (CA), is a polymorphic variant that collects/spams/forges email addresses using its own SMTP engine, installs a backdoor (most likely for use by spammers) and engages in a DDoS attack against SCO.com by routinely sending 63 HTTP requests. It's sent as a ZIP attachment containing an executable file with the file extension masked by numerous spaces.

McAfee is calling this a High Outbreak worm, which definitely fits the bill according to the number of samples we are receiving. Is the SCO.com DDoS an attempt at distraction from the fact that this virus installs a proxy backdoor?

CA used to have a removal tool at http://www3.ca.com/Files/VirusInformationAndPrevention/clnshimg.zip but it's no longer available.

More information:
http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>
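The post describes the attachment trick without showing how to catch it at a mail gateway: an executable inside the ZIP whose real extension is pushed out of view by a long run of spaces. The following is an added example, not code from the post or from any vendor named in it, that lists a ZIP attachment's member names (without extracting anything) and flags names where padding hides an executable extension. The extension list and the sample archive are constructed for the example; the regular expression requires at least two spaces before the final extension, which is the pattern the post describes.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click. Assumption: a representative
# list chosen for this example, not taken from the original post.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}

# Matches a name ending in an extension that is preceded by two or more spaces,
# e.g. "document.txt          .exe", so the real extension is pushed out of a
# mail client's attachment column. Group 2 captures the trailing extension.
MASKED_EXT_RE = re.compile(r"\S( {2,})(\.[A-Za-z0-9]{1,4})$")


def is_masked_executable(name: str) -> bool:
    """Return True if the file name hides an executable extension behind space padding."""
    m = MASKED_EXT_RE.search(name)
    return bool(m) and m.group(2).lower() in EXECUTABLE_EXTENSIONS


def scan_zip_attachment(zip_bytes: bytes) -> list[str]:
    """Return the member names inside a ZIP attachment that look like masked
    executables. The archive is only listed; no member is ever extracted."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Judge the basename only; directory prefixes inside the archive are ignored.
            base = info.filename.rsplit("/", 1)[-1]
            if base and is_masked_executable(base):
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real worm sample): one member with a
    padded name and two benign members, used to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 60 + ".exe", b"MZ-placeholder")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("report.pdf", b"%PDF-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_zip_attachment(build_sample_zip()):
        print("masked executable:", repr(name))
```

In practice this check sits alongside, not instead of, signature scanning: it costs nothing to run on every ZIP attachment, catches the padding trick regardless of which variant uses it, and the `repr()` in the output keeps the padding visible to the analyst reviewing the quarantine.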