Email-Worm.Win32.Mydoom.m
Email-Worm.Win32.Mydoom.m
Aliases
Email-Worm.Win32.Mydoom.m (Kaspersky Lab) is also known as:
-
I-Worm.Mydoom.m (Kaspersky Lab),
-
W32/Mydoom.o@MM (McAfee),
-
W32.Mydoom.M@mm (Symantec),
-
Win32.HLLM.MyDoom.54464 (Doctor Web),
-
W32/MyDoom-O (Sophos),
-
Win32/Mydoom.O@mm (RAV),
-
WORM_MYDOOM.M (Trend Micro),
-
Worm/Mydoom.M (H+BEDV),
-
W32/Mydoom.O@mm (FRISK),
-
Win32:Mydoom-M (ALWIL),
-
I-Worm/Mydoom.O (Grisoft),
-
Win32.Mydoom.M@mm (SOFTWIN),
-
Worm.Mydoom.M (ClamAV),
-
W32/Mydoom.N.worm (Panda),
-
Win32/Mydoom.R (Eset)
I-Worm.Mydoom.m spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file approximately 27KB in size, packed using UPX. The unpacked file is approximately 50KB in size.
The worm is only activated when a user opens the archive and launches the infected file by double-clicking on it. The worm will then install itself on the system and begin propagating.
The worm contains a backdoor function.
Part of the body of the worm is encrypted.
Installation
When installing, the worm copies itself as ‘java.exe’ to the Windows root directory, and registers this file in the system registry. This ensures the worm will be launched each time the infected system is booted.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] JavaVM = %windir%\java.exe
This ensures the worm will be launched each time the infected system is booted.
The worm also creates a file named ’services.exe.’, which is 8192 bytes in size, in the Windows root directory. This file is an additional component, and is also added to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Services = %windir%\services.exe
Symantec - 10% off Store Coupon
10% off Store Coupon Offer Expires 01/12/09
Coupon Code: 10offsid
Mailing messages
The worm searches the victim machine for email addresses to harvest, and then sends itself to these addresses by directly connecting to the recipient’s SMTP server.
It also harvests addresses by using the following search engines:
Google Lycos Altavista Yahoo
Infected messages
Sender’s address: (either chosen from the list below or spoofed):
MAILER-DAEMON Mail Administrator Automatic Email Delivery Software Post Office The Post Office Bounced mail Returned mail Mail Delivery Subsystem
Message header (chosen at random from the list below):
Message could not be delivered
hello
Hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
{{The|Your} m|M}essage could not be delivered
instruction
Message body (chosen at random from the list below)
The message body will be altered to correspond to the user’s details.
Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during { this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {$T {user |technical |}support team.|The $T {support |}team.}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your message {was not|could not be} delivered within $D days: {{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message: <$t>
Please reply to postmaster@{$F|$T} if you feel this message to be in error. The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}
—– The following addresses had permanent fatal errors —– {<$t>|$t}
{—– Transcript of {the ||}session follows —– … while talking to {host |{mail |}server ||||}{$T.|$i}: {>>> MAIL F{rom|ROM}:$f <<< 50$d {$f… |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>..
. {Mail quota exceeded|Message is too large} 554 <$t>… Service unavailable|550 5.1.2 <$t>… Host unknown (Name server: host not found)|554 {5. 0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:<$t> <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>… {User unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded|}<<< 400}|} The original message was included as attachment {{The|Your} m|M}essage could not be delivered
Attachment name:
The attachment name is generated at random.
Attachment extension (chosen at random from the list below):
cmd bat com pif scr doc exe
The worm may also be sent in the form of a ZIP archive.
Other
The worm opens TCP port 1034 in order to receive remote commands.
