W32/MyDoom!worm

Analysis

This threat contains instructions to harvest email addresses and uploads the data to an FTP server. The threat does not contain any replication code and does not spread to other systems by email.

Email Address Gathering
The threat scans files with certain extensions for email addresses and saves them as "emails.txt". The contents of "emails.txt" are uploaded to a hard-coded FTP server. The threat accomplishes this using the following imports from WININET.dll:

FtpPutFileA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA

The threat uses a hidden Internet Explorer process to connect to the FTP server in an effort to avoid detection by firewall programs.
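The two behaviours described above (FTP upload via WININET.dll and a hidden Internet Explorer process used to reach the FTP server) suggest two defender-side checks. The following Python is an added example, not Fortinet's code or any detection shipped with the products listed below: it scans an unpacked sample's bytes for the three WININET FTP import names (import-by-name entries keep those ASCII strings inside the PE, so a plain byte scan finds them unless the sample is packed), and it flags endpoint telemetry records where an Internet Explorer process with no visible window opens an FTP control connection. The ProcEvent record layout, the sample bytes and the sample events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# WININET.dll imports named in the analysis. Import-by-name thunks store the
# ASCII function names inside the PE, so an unpacked sample exposes them to a
# plain byte scan; a packed sample will not, which is why this is a heuristic.
FTP_IMPORTS = (b"FtpPutFileA", b"FtpCreateDirectoryA", b"FtpSetCurrentDirectoryA")


def ftp_import_hits(sample: bytes) -> List[str]:
    """Return which of the three WININET FTP upload imports appear as strings."""
    return [name.decode("ascii") for name in FTP_IMPORTS if name in sample]


def looks_like_ftp_uploader(sample: bytes) -> bool:
    """Heuristic triage verdict: the WININET module name plus all three FTP
    imports together indicate FTP upload capability worth a closer look."""
    has_module = b"WININET.DLL" in sample.upper()
    return has_module and len(ftp_import_hits(sample)) == len(FTP_IMPORTS)


@dataclass
class ProcEvent:
    """One constructed endpoint telemetry record (hypothetical schema)."""
    image: str                 # process image name
    parent_image: str          # image name of the parent process
    window_visible: bool       # whether the process showed a top-level window
    dest_port: Optional[int]   # outbound TCP destination port, None if no connection


def hidden_browser_ftp(events: List[ProcEvent]) -> List[ProcEvent]:
    """Flag an Internet Explorer process that was started without a visible
    window and opened an FTP control connection (port 21): a browser used as a
    proxy to slip past per-process firewall rules, as the analysis describes."""
    return [
        ev for ev in events
        if ev.image.lower() == "iexplore.exe"
        and not ev.window_visible
        and ev.dest_port == 21
    ]


# Constructed inputs for a stand-alone run (not real samples or real telemetry).
SAMPLE_UNPACKED = (
    b"MZ\x90\x00" + b"\x00" * 32 + b"WININET.dll\x00"
    + b"FtpPutFileA\x00FtpCreateDirectoryA\x00FtpSetCurrentDirectoryA\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"KERNEL32.dll\x00CreateFileA\x00"

SAMPLE_EVENTS = [
    ProcEvent("iexplore.exe", "explorer.exe", True, 443),   # ordinary user browsing
    ProcEvent("iexplore.exe", "sample.exe", False, 21),     # hidden browser, FTP control port
    ProcEvent("ftp.exe", "cmd.exe", True, 21),              # interactive ftp client, not flagged
]

if __name__ == "__main__":
    print("imports found:", ftp_import_hits(SAMPLE_UNPACKED))
    print("uploader verdict:", looks_like_ftp_uploader(SAMPLE_UNPACKED))
    for ev in hidden_browser_ftp(SAMPLE_EVENTS):
        print("ALERT hidden browser FTP connection:", ev)
```

The import check only triages; a verdict comes from the AV engine. The telemetry check keys on the combination of "no window" and "port 21" rather than on either alone, since a visible browser session or a deliberate ftp.exe session is normal activity.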

Miscellaneous
The email gathering routine resembles that of MyDoom virus variants.

Recommended Action

FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option.

FortiClient systems:
  • Quarantine/delete infected files detected.

Telemetry

Detection Availability

Product                   Availability
FortiGate                 Extreme
FortiClient               Extended
FortiMail                 Extended
FortiSandbox              Extended
FortiWeb                  Extended
Web Application Firewall  Extended
FortiIsolator             Extended
FortiDeceptor             Extended
FortiEDR

Version Updates

Date Version Detail
2023-11-15 91.08826
2023-10-04 91.07566
2023-02-22 91.00810
2023-02-16 91.00640
2023-02-14 91.00583
2023-01-17 90.09734
2023-01-10 90.09530
2022-12-14 90.08737
2022-12-12 90.08654
2022-12-10 90.08616