Mydoom.M

First Report: 2004-07-20 13:54
Last Update: 2004-11-01 06:07
Risk Rating: Medium Risk
Aliases: I-Worm.Mydoom.M
I-Worm.Mydoom.R
MyDoom.M
Mydoom.M@MM
Mydoom.N
W32
W32.Mydoom.M@mm
W32/Mydoom-O
W32/Mydoom.L
W32/Mydoom.M.worm
W32/Mydoom.M@mm
W32/Mydoom.N.worm
W32/Mydoom.o@MM
Win32.Mydoom.O
Win32/MyDoom.O.Worm
WORM_MYDOOM.M
ZIP.Mydoom.O
Virus Alerts: Secunia issued a HIGH RISK alert for this virus.
2004-07-26 20:25

Secunia issued a MEDIUM RISK alert for this virus.
2004-07-26 17:25

Information From AntiVirus Vendors


Below you will find virus information from different antivirus vendors included in this Secunia Virus Profile. Information about the virus along with links to removal tools will be listed below when available.

The information provided is sorted by the date on which the information first became publicly available on the antivirus vendors' websites. The earliest available reports are displayed first. Please note timestamps are in GMT+1.





#1 - PANDA ANTIVIRUS

Mydoom.M

Severity:
2/4
File Size:
-
Reported:
2004-07-20 13:54
Last Update:
2004-08-04 23:44
Description:
It installs a dynamic link library that opens TCP port 1042 and acts as a backdoor. It ends processes belonging to antivirus programs and system monitoring tools.

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-07-20 15:14 Description was changed.

New:

"It installs a dynamic link library that opens
TCP port 1042 and acts as a backdoor. It ends
processes belonging to antivirus programs and
system monitoring tools."

Old:
"N/A"



#2 - TREND MICRO

WORM_MYDOOM.M

Severity:
2/3
File Size:
-
Reported:
2004-07-26 16:28
Last Update:
2004-10-01 06:06
Description:
This member of the MYDOOM family of mailing worm programs is currently spreading in the wild, with several infection reports received from Singapore, Germany, and the United States. As of 8:31 AM, July 26, 2004 (GMT -7:00), TrendLabs has raised a Medium Risk alert to contain its propagation.

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-07-27 06:38 Description was changed.

New:

"This member of the MYDOOM family of mailing
worm programs is currently spreading in the
wild, with several infection reports received
from Singapore, Germany, and the United
States. As of 8:31 AM, July 26, 2004 (GMT
-7:00), TrendLabs has raised a Medium Risk
alert to contain its propagation."

Old:
"This member of the MYDOOM family of mailing
worm programs is currently spreading in the
wild, with several infection reports received
from Singapore, Germany, and the United
States. As of 8:31 AM, July 26, 2004 (GMT
-7:00), TrendLabs has raised a Yellow alert
to contain its propagation."


2004-07-27 01:08 Description was changed.

New:

"This member of the MYDOOM family of mailing
worm programs is currently spreading in the
wild, with several infection reports received
from Singapore, Germany, and the United
States. As of 8:31 AM, July 26, 2004 (GMT
-7:00), TrendLabs has raised a Yellow alert
to contain its propagation."

Old:
"This member of the MYDOOM family of mailing
worm programs is currently spreading in the
wild, with several infection reports gathered
from Singapore, Germany and the United
States. As of 8:31 AM, July 26, 2004 (GMT
-7:00), TrendLabs has raised a Yellow alert
to contain its propagation."


2004-07-26 20:28 Description was changed.

New:

"This member of the MYDOOM family of mailing
worm programs is currently spreading in the
wild, with several infection reports gathered
from Singapore, Germany and the United
States. As of 8:31 AM, July 26, 2004 (GMT
-7:00), TrendLabs has raised a Yellow alert
to contain its propagation."

Old:
"As of 8:31 AM, July 26, 2004 (GMT -7:00),
TrendLabs has raised a Yellow alert to
control the spread of this mailing worm.
Several infection reports have been received
from Singapore, Germany and the United
States."


2004-07-26 19:48 Description was changed.

New:

"As of 8:31 AM, July 26, 2004 (GMT -7:00),
TrendLabs has raised a Yellow alert to
control the spread of this mailing worm.
Several infection reports have been received
from Singapore, Germany and the United
States."

Old:
"As of 8:31 AM, July 26, 2004(GMT -7:00),
TrendLabs has raised a Yellow alert to
control the spread of this mailing worm.
Several infection reports have been received
from Singapore, Germany and the United
States."


2004-07-26 18:52 Description was changed.

New:

"As of 8:31 AM, July 26, 2004(GMT -7:00),
TrendLabs has raised a Yellow alert to
control the spread of this mailing worm.
Several infection reports have been received
from Singapore, Germany and the United
States."

Old:
"As of 8:29 AM, July 26, 2004(GMT -7:00),
TrendLabs has raised a Yellow alert to
control the spread of this mailing worm.
Several infection reports have been received
from Singapore, Germany and the United
States."


2004-07-26 17:32 Severity was raised from 1/3 to 2/3.


2004-07-26 17:32 Description was changed.

New:

"As of 8:29 AM, July 26, 2004(GMT -7:00),
TrendLabs has raised a Yellow alert to
control the spread of this mailing worm.
Several infection reports have been received
from Singapore, Germany and the United
States."

Old:
"N/A"


2004-07-26 16:48 Description was changed.

New:

"N/A"

Old:
"TrendLabs is currently analyzing samples of
this new worm, which spreads via email.
Detailed information will be posted shortly."


2004-07-26 16:32 Description was changed.

New:

"TrendLabs is currently analyzing samples of
this new worm, which spreads via email.
Detailed information will be posted shortly."

Old:
"As of _____ (GMT -7:00), TrendLabs has
declared a Yellow alert to control the spread
of this worm. Several infection reports have
been received from ________."



#3 - MCAFEE

W32/Mydoom.o@MM

Severity:
4/7
File Size:
approx 28kB (EXE, ZIP) 8,192 bytes (dropped EXE)
Reported:
2004-07-26 16:43
Last Update:
2004-07-30 23:48
Description:
The risk assessment of this threat has been lowered to Medium due to decreased prevalence. --

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-07-30 23:48 Severity was decreased from 5/7 to 4/7.


2004-07-30 23:48 Description was changed.

New:

"The risk assessment of this threat has been
lowered to Medium due to decreased
prevalence. --"

Old:
"This variant of Mydoom is known to send
non-viral attachments, typically .bat, .cmd,
.com, .exe, .pif or .scr files within a zip
archive, within another zip archive. These
files are approximately 1-2kb in size and are
not infectious. They are encrypt..."


2004-07-28 17:48 Description was changed.

New:

"This variant of Mydoom is known to send
non-viral attachments, typically .bat, .cmd,
.com, .exe, .pif or .scr files within a zip
archive, within another zip archive. These
files are approximately 1-2kb in size and are
not infectious. They are encrypt..."

Old:
"This variant of Mydoom is known to send
non-viral attachments, typically .bat, .com,
.exe, .pif or .scr files within a zip
archive, within another zip archive. These
files are approximately 1-2kb in size and are
not infectious. --"


2004-07-27 00:38 Description was changed.

New:

"This variant of Mydoom is known to send
non-viral attachments, typically .bat, .com,
.exe, .pif or .scr files within a zip
archive, within another zip archive. These
files are approximately 1-2kb in size and are
not infectious. --"

Old:
"The risk assessment of this threat has been
raised to Medium on Watch due to increased
prevalence. --"


2004-07-26 18:38 Updated information about removal tool/instructions.


2004-07-26 17:23 Severity was raised from 2/7 to 5/7.


2004-07-26 17:23 Description was changed.

New:

"The risk assessment of this threat has been
raised to Medium on Watch due to increased
prevalence. --"

Old:
"This new variant of W32/Mydoom is packed with
UPX. Similarly to previous variants, it bears
the following characteristics:"


2004-07-26 17:23 File size was changed.

New:
"approx 28kB (EXE, ZIP) 8,192 bytes (dropped EXE)"

Old:
"N/A"


2004-07-26 17:08 Description was changed.

New:

"This new variant of W32/Mydoom is packed with
UPX. Similarly to previous variants, it bears
the following characteristics:"

Old:
"AVERT has received a sample of a new variant
of W32/Mydoom. It is currently under
analysis, description will be updated once
complete. Top of Page"



#4 - F-SECURE

Mydoom.M

Severity:
2/3
File Size:
-
Reported:
2004-07-26 16:57
Last Update:
2004-10-01 06:05
Description:
Mydoom.M is a mass-mailing worm that sends emails with messages that look like mail system errors and automated spam warnings. To collect more addresses Mydoom.M also uses web search engines like Google and Yahoo.

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-07-27 12:57 Description was changed.

New:

"Mydoom.M is a mass-mailing worm that sends
emails with messages that look like mail
system errors and automated spam warnings. To
collect more addresses Mydoom.M also uses web
search engines like Google and Yahoo."

Old:
"Mydoom.M is a mass-mailing worm that sends
emails with messages that look like mail
system errors and automated spam warnings."


2004-07-26 20:57 Updated information about removal tool/instructions.


2004-07-26 19:37 Name was changed.

New:
"Mydoom.M"

Old:
"MyDoom.M"


2004-07-26 19:37 Description was changed.

New:

"Mydoom.M is a mass-mailing worm that sends
emails with messages that look like mail
system errors and automated spam warnings."

Old:
"We received several reports of new Maydoom.M
from different countries in Europe as well as
from USA on July 26th, 2004. This variant is
currently under analysis and more information
will be posted later."


2004-07-26 19:27 Name was changed.

New:
"MyDoom.M"

Old:
"Mydoom.M"


2004-07-26 19:27 Description was changed.

New:

"We received several reports of new Maydoom.M
from different countries in Europe as well as
from USA on July 26th, 2004. This variant is
currently under analysis and more information
will be posted later."

Old:
"Mydoom.M is a mass-mailing worm that sends
emails with messages that look like mail
system errors and automated spam warnings."


2004-07-26 19:27 Name was changed.

New:
"Mydoom.M"

Old:
"MyDoom.M"


2004-07-26 19:27 Description was changed.

New:

"Mydoom.M is a mass-mailing worm that sends
emails with messages that look like mail
system errors and automated spam warnings."

Old:
"We received several reports of new Maydoom.M
from different countries in Europe as well as
from USA on July 26th, 2004. This variant is
currently under analysis and more information
will be posted later."


2004-07-26 18:07 Severity was raised from N/A to 2/3.


2004-07-26 17:07 Description was changed.

New:

"We received several reports of new Maydoom.M
from different countries in Europe as well as
from USA on July 26th, 2004. This variant is
currently under analysis and more information
will be posted later."

Old:
"We received several reports of new Maydoom.M
from from different countries in Europe as
well as from USA on July 26th, 2004. This
variant is currently under analysis and more
information will be poster later."



#5 - COMPUTER ASSOCIATES

Win32.Mydoom.O

Severity:
4/5
File Size:
28,832
Reported:
2004-07-26 17:38
Last Update:
2004-08-23 23:32
Description:
Win32.Mydoom.O is a worm that spreads via e-mail and contains limited backdoor functionality. It has been distributed as a 28,832-byte, UPX-packed, Win32 executable. When executed, Mydoom.O copies itself to %Windows%\java.exe

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-08-02 23:48 Description was changed.

New:

"Win32.Mydoom.O is a worm that spreads via
e-mail and contains limited backdoor
functionality. It has been distributed as a
28,832-byte, UPX-packed, Win32 executable.
When executed, Mydoom.O copies itself to
%Windows%\java.exe"

Old:
"N/A"


2004-08-02 23:48 File size was changed.

New:
"28,832"

Old:
"N/A"


2004-07-26 22:23 Severity was raised from 3/5 to 4/5.


2004-07-26 18:23 Severity was raised from N/A to 3/5.



#6 - SOPHOS

W32/MyDoom-O

Severity:
4/5
File Size:
-
Reported:
2004-07-26 17:54
Last Update:
2004-11-01 06:07
Description:

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-10-01 06:50 Description was changed.

New:

"N/A"

Old:
"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network.
When first run the worm copies itself to
either the Windows or Temp folders a..."


2004-08-16 23:38 Severity was raised from N/A to 4/5.


2004-08-16 23:38 Description was changed.

New:

"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network.
When first run the worm copies itself to
either the Windows or Temp folders a..."

Old:
"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network.
When first run the worm copies itself to
either the Windows or Temp folders as
java.exe and adds one of the following
registry entries to ensure that the copy is
run each time Windows starts:"


2004-07-27 12:54 Description was changed.

New:

"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network.
When first run the worm copies itself to
either the Windows or Temp folders as
java.exe and adds one of the following
registry entries to ensure that the copy is
run each time Windows starts:"

Old:
"W32/MyDoom-O is a mass-mailing worm which spreads by emailing itself via its own SMTP engine. The worm also allows unauthorised remote access to the computer via a network. When first run the worm copies itself to either the Windows or Temp folders as java.exe and adds one of the following registry entries to ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-O also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is the backdoor component of W32/MyDoom-O.

W32/MyDoom-O searches the hard disk email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-O and the percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to W32/MyDoom-O will avoid addresses which contain any of the following strings:

mailer-dspamabusemastersampleaccounprivacycertificbugslistservsubmitntivisupportadminpagethe.batgold-certscafestenothelpfoonosoftsiteratingmeyouyoursomeoneanyonenothingnobodynooneinfowinrarwinziprarsoftsf.netsourceforgeripe.arin.googlegnu.gmailseclistsecurbar.foo.comtrendupdateuslisdomainexamplesophosyahoosperskpandahotmailmsn.msdn.microsoftsarc.symaavp

The email sent by the worm has a spoofed sender. The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura-tion parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain> if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or domain or using one of the following names:

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

with an optional extension of DOC, TXT, HTM, HTML and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described above."


2004-07-27 11:54 Description was changed.

New:

"W32/MyDoom-O is a mass-mailing worm which spreads by emailing itself via its own SMTP engine. The worm also allows unauthorised remote access to the computer via a network. When first run the worm copies itself to either the Windows or Temp folders as java.exe and adds one of the following registry entries to ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-O also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is the backdoor component of W32/MyDoom-O.

W32/MyDoom-O searches the hard disk email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-O and the percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to W32/MyDoom-O will avoid addresses which contain any of the following strings:

mailer-dspamabusemastersampleaccounprivacycertificbugslistservsubmitntivisupportadminpagethe.batgold-certscafestenothelpfoonosoftsiteratingmeyouyoursomeoneanyonenothingnobodynooneinfowinrarwinziprarsoftsf.netsourceforgeripe.arin.googlegnu.gmailseclistsecurbar.foo.comtrendupdateuslisdomainexamplesophosyahoosperskpandahotmailmsn.msdn.microsoftsarc.symaavp

The email sent by the worm has a spoofed sender. The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura-tion parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain> if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or domain or using one of the following names:

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

with an optional extension of DOC, TXT, HTM, HTML and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described above."

Old:
"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network.
When first run the worm copies itself to
either the Windows or Temp folders as
java.exe and adds one of the following
registry entries to ensure that the copy is
run each time Windows starts:"


2004-07-26 21:39 Description was changed.

New:

"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network.
When first run the worm copies itself to
either the Windows or Temp folders as
java.exe and adds one of the following
registry entries to ensure that the copy is
run each time Windows starts:"

Old:
"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network."


2004-07-26 18:44 Description was changed.

New:

"W32/MyDoom-O is a mass-mailing worm which
spreads by emailing itself via its own SMTP
engine. The worm also allows unauthorised
remote access to the computer via a network."

Old:
"A detailed analysis will be published here
shortly. Please check again later."


2004-07-26 18:09 Name was changed.

New:
"W32/MyDoom-O"

Old:
"W32/Mydoom-O"



#7 - SYMANTEC

W32.Mydoom.M@mm

Severity:
2/5
File Size:
28,800 bytes
Reported:
2004-07-26 18:16
Last Update:
2004-11-01 06:04
Description:
W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses it finds on the infected computer.

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-11-01 06:04 Severity was decreased from 3/5 to 2/5.


2004-07-28 21:50 Severity was decreased from 4/5 to 3/5.


2004-07-27 15:26 Description was changed.

New:

"W32.Mydoom.M@mm is a mass-mailing worm that
drops and executes a backdoor, detected as
Backdoor.Zincite.A, that listens on TCP port
1034. The worm uses its own SMTP engine to
send itself to email addresses it finds on
the infected computer."

Old:
"The W32.Mydoom.M@mm mass-mailing worm:"


2004-07-27 15:26 File size was changed.

New:
"28,800 bytes"

Old:
"N/A"


2004-07-27 15:10 Description was changed.

New:

"The W32.Mydoom.M@mm mass-mailing worm:"

Old:
"W32.Mydoom.M@mm is a mass-mailing worm that
drops and executes a backdoor, detected as
Backdoor.Zincite.A, that listens on TCP port
1034. The worm uses its own SMTP engine to
send itself to email addresses it finds on
the infected computer."


2004-07-27 15:10 File size was changed.

New:
"N/A"

Old:
"28,800 bytes"


2004-07-27 14:56 Description was changed.

New:

"W32.Mydoom.M@mm is a mass-mailing worm that
drops and executes a backdoor, detected as
Backdoor.Zincite.A, that listens on TCP port
1034. The worm uses its own SMTP engine to
send itself to email addresses it finds on
the infected computer."

Old:
"The W32.Mydoom.M@mm mass-mailing worm:"


2004-07-27 14:56 File size was changed.

New:
"28,800 bytes"

Old:
"N/A"


2004-07-27 00:26 Description was changed.

New:

"The W32.Mydoom.M@mm mass-mailing worm:"

Old:
"The W32.Mydoom.L@mm mass-mailing worm:"


2004-07-27 00:26 Updated information about removal tool/instructions.


2004-07-26 22:00 Description was changed.

New:

"The W32.Mydoom.L@mm mass-mailing worm:"

Old:
"The W32.Mydoom.M@mm mass-mailing worm:"


2004-07-26 20:46 Severity was raised from 3/5 to 4/5.


2004-07-26 20:46 Description was changed.

New:

"The W32.Mydoom.M@mm mass-mailing worm:"

Old:
"The W32.Mydoom.L@mm mass-mailing worm:"


2004-07-26 20:40 Severity was decreased from 4/5 to 3/5.


2004-07-26 20:40 Description was changed.

New:

"The W32.Mydoom.L@mm mass-mailing worm:"

Old:
"The W32.Mydoom.M@mm mass-mailing worm:"


2004-07-26 20:20 Severity was raised from 3/5 to 4/5.


2004-07-26 20:20 Description was changed.

New:

"The W32.Mydoom.M@mm mass-mailing worm:"

Old:
"The W32.Mydoom.L@mm mass-mailing worm:"


2004-07-26 20:10 Description was changed.

New:

"The W32.Mydoom.L@mm mass-mailing worm:"

Old:
"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "


2004-07-26 20:00 Description was changed.

New:

"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "

Old:
"The W32.Mydoom.L@mm mass-mailing worm:"


2004-07-26 19:56 Description was changed.

New:

"The W32.Mydoom.L@mm mass-mailing worm:"

Old:
"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "


2004-07-26 19:50 Description was changed.

New:

"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "

Old:
"The W32.Mydoom.L@mm mass-mailing worm:"


2004-07-26 19:40 Description was changed.

New:

"The W32.Mydoom.L@mm mass-mailing worm:"

Old:
"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "


2004-07-26 19:26 Description was changed.

New:

"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "

Old:
"The W32.Mydoom.L@mm mass-mailing worm:"


2004-07-26 19:20 Description was changed.

New:

"The W32.Mydoom.L@mm mass-mailing worm:"

Old:
"W32.Mydoom.M@mmis a mass-mailing worm that
opens a backdoor and uses its own SMTP engine
to spread through email. "



#8 - PANDA ANTIVIRUS

Mydoom.N

Severity:
3/4
File Size:
-
Reported:
2004-07-26 22:54
Last Update:
2004-11-01 06:03
Description:
It installs a file that opens several TCP ports and acts as a backdoor.

ChangeLog:

Changes are listed in chronological order with the latest changes first.


2004-08-12 23:45 Severity was decreased from 4/4 to 3/4.


2004-08-10 23:45 Severity was raised from 3/4 to 4/4.


2004-08-07 23:45 Severity was decreased from 4/4 to 3/4.


2004-08-02 23:49 Severity was raised from 3/4 to 4/4.


2004-07-31 23:49 Severity was decreased from 4/4 to 3/4.


2004-07-28 16:49 Severity was raised from 3/4 to 4/4.


2004-07-28 15:49 Severity was decreased from 4/4 to 3/4.


2004-07-27 12:54 Description was changed.

New:

"It installs a file that opens several TCP
ports and acts as a backdoor."

Old:
"It installs a file that opens a port and acts
as a backdoor."


2004-07-27 12:39 Severity was raised from 3/4 to 4/4.


2004-07-27 01:14 Severity was raised from 1/4 to 3/4.




Please note: The information that this Secunia Virus Profile is based on comes from a third party unless stated otherwise.

The grouping process is done completely automatically, therefore minor inconsistencies may occur. For more information about Secunia Virus Information, please read: About Virus Information.






