Center for Information Technology - Antivirus

Software
Current client downloads:
 VScan Engine/Dat (SuperDat) - 5300/2777.5511
 VirusScan Enterprise 8.5i (with Patch 6) - Windows NT/2000/XP/2003
 VirusScan Enterprise 7.1 - Windows NT/2000/XP/2003
 Virex (OS X) Engine/Def - 7.2(v1.1)/081029
 Virex (OS 9.x) Engine/Def - 6.2/071001
 Linux & Solaris Engine/Dat - 5.2.00/4.0.5196
 Symantec Antivirus - 10.1.7.7000
 Symantec Antivirus - 10.2
 Clean Boot 1.0
 Stinger v3.8.0 virus removal tool (Updated 09/10/07)
Current server downloads:
 VirusScan Enterprise 8.5
 VirusScan Enterprise 7.1
 NetShield NetWare - 4.6.2
 NetShield NetWare - 4.6.3
 NetShield NetWare Engine Update - 4.4.00
 ePO agent for NetWare
 ScanMail eManager - 3.0

Information
 ePO 3.0/VirusScan 7.0 Presentation
 Virex 7.x Installation Instructions
 VirusScan FAQs
 VirusScan Instructions
 Additional Resources

Archives
 List of Viruses

Virus Alerts

W32/Mydoom.ah@MM Last Updated 11/10/04 4:30PM

CIT has been notified of a new email virus called W32/Mydoom.ah@MM. W32/Mydoom.ah@MM attempts to exploit a new buffer overflow vulnerability in the way Microsoft's Internet Explorer handles the IFRAME tag. The virus spreads by email, sending out messages that contain a link back to the infected machine. Using the IFRAME exploit, anyone who opens the link with a vulnerable version of Internet Explorer will automatically download and run the virus from the machine that sent the email.

Note: This exploit does not affect Internet Explorer 6 on Windows XP SP2.

The message will appear as:

From: Spoofed email address (example: exchange-r0bot@paypal.com)

Subject: varies and may be similar to those below:

  • hi!
  • hey!
  • Confirmation
  • blank with no subject line

Body: varies and may be similar to one of the following:

  • Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

    To see details please click this link.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

    Thank you for using PayPal.

  • Hi! I am looking for new friends. My name is Jane, I am from Miami, FL. See my homepage with my weblog and last webcam photos!

Also included is a link that resolves to the infected system that sent the message. Clicking the link directs the user to a web server running on that compromised system, which uses the IFRAME exploit to automatically execute the malicious code on the computer from which the link was opened.

Attachment: none
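A mail-gateway triage check for the lure described above, as an added example that is not part of the original CIT alert or of any vendor tooling. The alert does not say what the link looks like, so the code assumes that it is an http URL whose host is the infected sender's IP address and that it points at the web server the worm starts on TCP port 1639; the sample message is constructed. A message is held when any link goes to a bare IP address, to port 1639, or to a host outside the claimed sender's domain, which also catches the spoofed paypal.com sender whose link goes somewhere else entirely:

```python
"""Mail-side triage for the Mydoom.ah lure.

Added example, not CIT or vendor code.  Assumptions not stated in the
alert: the lure link is an http URL whose host is the infected sender's
IP address and whose target is the worm's web server on TCP 1639.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPECT_SUBJECTS = {"hi!", "hey!", "confirmation", ""}   # from the alert
WORM_HTTP_PORT = 1639                                    # assumption, see above
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_links(body):
    """All links in an HTML or plain-text body, de-duplicated and sorted."""
    collector = _LinkCollector()
    collector.feed(body)
    links = set(collector.hrefs)
    links.update(u.rstrip(".,);") for u in URL_RE.findall(body))
    return sorted(links)


def link_indicators(url):
    """Reasons a link looks like the worm's call-back; empty if none."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:
        port = None
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("link host is a bare IP address: %s" % host)
    except ValueError:
        pass
    if port == WORM_HTTP_PORT:
        reasons.append("link targets the worm's web server port %d" % WORM_HTTP_PORT)
    return reasons


def _body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "ascii", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Score one raw RFC 822 message; 'suspect' means hold it for review."""
    msg = message_from_string(raw_message)
    reasons, link_hits = [], 0
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append("subject matches the lure: %r" % subject)
    sender_domain = parseaddr(msg.get("From") or "")[1].rpartition("@")[2].lower()
    links = extract_links(_body_text(msg))
    for url in links:
        hits = link_indicators(url)
        link_host = (urlsplit(url).hostname or "").lower()
        if sender_domain and link_host and link_host != sender_domain \
                and not link_host.endswith("." + sender_domain):
            hits.append("sender claims %s but link goes to %s" % (sender_domain, link_host))
        reasons.extend(hits)
        link_hits += len(hits)
    # A lure-like subject alone is too weak; any link indicator is enough.
    return {"verdict": "suspect" if link_hits else "clean", "links": links, "reasons": reasons}


# Constructed sample, modelled on the PayPal lure quoted in the alert;
# 192.0.2.10 is a documentation address standing in for the infected host.
SAMPLE_LURE = """\
From: exchange-r0bot@paypal.com
To: someone@example.org
Subject: Confirmation
Content-Type: text/html; charset=us-ascii

<html><body>
Congratulations! PayPal has successfully charged $175 to your credit card.
To see details please <a href="http://192.0.2.10:1639/">click this link</a>.
</body></html>
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE_LURE)["reasons"]:
        print(reason)
```

The subject-line match is deliberately not enough on its own: "hi!" and an empty subject are common in legitimate mail, and the alert itself says the subject varies. The link checks are what carry the decision, and they keep working when the worm's author changes the wording.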

When the virus infects the system it performs the following actions:

  • install a web server listening on TCP port 1639.
  • modify the registry to run at startup as an executable named *32.exe, where * is a random set of letters. (Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe)
  • attempt to connect to a list of IRC servers on port 6667.
  • collect email addresses located on the system and send out email, similar to the messages described above, to the addresses found, using a spoofed sender address. The virus uses its own SMTP engine to send email.
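A host-side check for the four indicators listed above, as an added example that is not part of the original alert or of any vendor tool. Running `netstat -an` and exporting the Run key are what an administrator would do on a suspect NT/2000/XP host; the functions below parse that output and score it. The netstat output and Run-key values are constructed, and the short list of legitimate Windows programs whose names also end in 32.exe is an assumption to be extended for your own environment:

```python
"""Host-side check for the Mydoom.ah indicators listed in the alert.

Added example, not CIT or vendor code.  Feed it the text of `netstat -an`
and the values under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run;
the samples below are constructed.
"""
import re

WORM_HTTP_PORT = 1639     # web server the worm starts on the infected host
IRC_PORT = 6667           # the worm's IRC servers
SMTP_PORT = 25            # the worm's own SMTP engine talks straight to port 25
# Run value pointing at <random letters>32.exe, e.g. heztiv32.exe
RANDOM_NAME_RE = re.compile(r"(?:^|\\)([a-z]+32\.exe)$", re.IGNORECASE)
# Assumption: legitimate Windows programs whose names also end in 32.exe.
KNOWN_GOOD = {"rundll32.exe", "regsvr32.exe"}


def parse_netstat(text):
    """Rows of (proto, local, remote, state) from Windows `netstat -an` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, header and blank lines
        state = fields[3] if len(fields) > 3 else ""
        rows.append((fields[0], fields[1], fields[2], state))
    return rows


def _port(addr):
    """Port from an 'address:port' string, or None for wildcards like '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def check_netstat(text):
    """Network indicators: the 1639 listener, IRC on 6667, direct SMTP."""
    reasons, smtp = [], 0
    for proto, local, remote, state in parse_netstat(text):
        if proto != "TCP":
            continue
        if _port(local) == WORM_HTTP_PORT and state == "LISTENING":
            reasons.append("TCP %d listening: worm web server" % WORM_HTTP_PORT)
        if _port(remote) == IRC_PORT:
            reasons.append("connection to %s: IRC port %d" % (remote, IRC_PORT))
        if _port(remote) == SMTP_PORT:
            smtp += 1
    if smtp:
        # Assumption: a workstation relays through the site mail server and
        # does not open SMTP sessions to arbitrary hosts itself.
        reasons.append("%d direct outbound SMTP connection(s): own SMTP engine" % smtp)
    return reasons


def _executable(command):
    """The program path from a Run value, with quoting and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def check_run_keys(run_values):
    """Registry indicator: a Run value launching a random-name *32.exe."""
    reasons = []
    for name, command in run_values.items():
        match = RANDOM_NAME_RE.search(_executable(command))
        if match and match.group(1).lower() not in KNOWN_GOOD:
            reasons.append('Run value "%s" = %s: random-name *32.exe' % (name, command))
    return reasons


def assess(netstat_text, run_values):
    """Two independent indicators are taken as a likely infection."""
    reasons = check_netstat(netstat_text) + check_run_keys(run_values)
    return {"infected_likely": len(reasons) >= 2, "reasons": reasons}


# Constructed samples; 192.0.2.10 stands in for the suspect host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1639           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.25:25        SYN_SENT
  TCP    192.0.2.10:1045        203.0.113.26:25        SYN_SENT
  UDP    0.0.0.0:445            *:*
"""
RUN_SAMPLE = {
    "Reactor3": r"C:\WINDOWS\System32\heztiv32.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Shell": r'"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL',
}

if __name__ == "__main__":
    for reason in assess(NETSTAT_SAMPLE, RUN_SAMPLE)["reasons"]:
        print(reason)
```

The random-name pattern is a heuristic, which is why rundll32.exe and regsvr32.exe are excluded and why a single indicator is not treated as proof: the 1639 listener or the IRC connection seen together with the Run entry is what should trigger isolation of the host and a SuperDat 4405 or later scan.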

McAfee (formerly NAI) has released SuperDat 4405 and later to detect and remove W32/Mydoom.ah@mm.

Symantec has released definitions dated 11/09/04 and later to detect and remove Mydoom.ah@MM. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

For more Information:

http://vil.nai.com/vil/content/v_129631.htm from McAfee.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ah@mm.html from Symantec.

http://www.kb.cert.org/vuls/id/842160 from US-CERT regarding the IFRAME vulnerability.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201