| subject: | 02:[drakelist] Virus Alert: MyDoom Worm |
From: "Thom R. Lacosta"
Subject: [drakelist] Virus Alert: MyDoom Worm
- [any random collection of characters]
File Attachment: The name of the infected file attachment is chosen
at random from the following list:
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
- [any random collection of characters]
The file name extension may be BAT, CMD, EXE, PIF,
SCR, or ZIP. Sometimes dual extensions are used, in
which case the first extension is HTM, TXT or DOC.
If you receive e-mail matching the above description, delete it.
DO NOT open the file attachment!
The MyDoom Worm infection is not carried by e-mail intentionally sent
by the owner of the infected PC. MyDoom sends out its infected e-mail
without the knowledge of the PC's owner, using mailer routines built into
the worm.
Via KaZaA:
---------
When a PC is infected, MyDoom searches the Windows Registry for a value
containing the location of a KaZaA shared folder. If found, the worm
copies itself to that folder with the following file names:
- winamp5
- icq2004-final
- activation_crack
- strip-girl-2.Obdcom_patches
- rootkitXP
- office_crack
- nuke2004
The file name extensions may be BAT, EXE, SCR or PIF.
Once installed in the KaZaA shared folder, the MyDoom-infected files are
distributed via the KaZaA peer-to-peer file sharing network.
What MyDoom Does To The Infected PC
-----------------------------------
In addition to turning the infected PC into an unwitting redistributor of
the MyDoom Worm, the worm sets up a backdoor on the infected PC that
allows an attacker to connect to the computer and use it as a proxy for
malicious activities. For example, an attacker can install software that
allows him to use the infected computer as a spam relay.
The MyDoom Worm also uses the infected computer to participate in a denial
of service (DoS) attack against www.sco.com. On February 1st all
computers infected by MyDoom will begin requesting the main page of that
Web site once every second, the aim being to overload SCO's web server.
How To Protect Your PC From MyDoom Worm Infection
-------------------------------------------------
o If you have anti-virus software on your PC, *and* if it is configured
to scan incoming e-mail for viruses, *and* if its virus description
database is up-to-date enough to know about MyDoom, then it will stop
MyDoom before it can infect your PC. However, the virus description
database must be *very* new. The MyDoom Worm was discovered and
described by the major anti-virus software vendors on January 26, 2004,
so a virus description database older than that will not enable your
anti-virus software to detect and stop MyDoom. We recommend that you
update your virus description database at least once a week, although
given the rate at which new PC viruses appear, once a day would be even
better. If you do not keep your virus description database up to date,
then your anti-virus software is virtually useless.
o If you receive a message containing a file attachment DO NOT open the
attachment unless ALL of the following are true:
- The sender is known to you.
- You are expecting a file attachment from that person.
- The sender clearly identifies the nature of the file attachment
in the text of the message.
If any one of those three statements is not true, delete the message.
DO NOT open the file attachment. When in doubt, get in touch with the
apparent sender to confirm that he/she actually sent the attachment.
o If you use KaZaA or any of the other peer-to-peer file sharing networks,
be VERY careful what you download. It is estimated that at least 50% of
the files made available via peer-to-peer file sharing are "malware",
---
* Origin: The Barter Board Internet Gatway (1:261/1551)
SEEN-BY: 633/267 270
@PATH: 261/1551 1352 38 123/500 106/2000 633/267
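
The attachment description in the alert above can be turned into a mail-gateway filename check. The following is an added example, not part of the original message: the function name and the block/inspect/pass verdicts are assumptions of this sketch, and only the name and extension lists come from the alert. Because the alert says the base name may be random, the extension decides and the listed names only raise confidence for ZIP files.

```python
# Names and extensions copied from the alert text; verdict labels are this example's own.
LISTED_NAMES = {"body", "data", "doc", "document", "file",
                "message", "readme", "test", "text"}
RUNNABLE_EXTS = {"bat", "cmd", "exe", "pif", "scr"}
DECOY_EXTS = {"htm", "txt", "doc"}  # first extension when dual extensions are used


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block', 'inspect' or 'pass'."""
    # Drop any path, then the trailing dots and spaces that Windows ignores.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return "pass", "no extension"
    ext = parts[-1]
    if ext not in RUNNABLE_EXTS and ext != "zip":
        return "pass", "extension not named in the alert"
    # Dual extension: a document-looking extension directly before the real one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "block", f"dual extension .{parts[-2]}.{ext}"
    if ext in RUNNABLE_EXTS:
        # The base name may be random, so the extension alone decides.
        return "block", f"runnable extension .{ext}"
    base = ".".join(parts[:-1])
    if base in LISTED_NAMES:
        return "block", f"listed name '{base}' with .zip"
    # A ZIP with a random name cannot be cleared by its name.
    return "inspect", "zip with unlisted name; scan the archive contents"


if __name__ == "__main__":
    # Constructed sample filenames, not taken from real traffic.
    for sample in ["readme.scr", "Document.TXT.pif", "message.zip",
                   "xkqzj.zip", "report.pdf", "C:\\mail\\qwrty.exe "]:
        print(f"{sample!r:24} -> {classify_attachment(sample)}")
```
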