Email-Worm.Win32.Mydoom.r
| Detected | Sep 03 2004 16:56 GMT |
| Released | Sep 03 2004 16:56 GMT |
| Published | Nov 10 2004 10:25 GMT |
This worm spreads via the Internet as an attachment to infected emails, and also via the Kazaa file-sharing network. It sends itself to email addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file approximately 38KB in size, packed using UPX. The unpacked file is approximately 74KB in size.
Mydoom.r includes a backdoor function.
Once launched, the worm opens Windows Notepad, which displays a random selection of characters.
When installing, the worm copies itself as 'tasker.exe' to the Windows system directory, and then registers this file in the system registry. This ensures that the worm will be launched each time the system is rebooted.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Task" = "%System%\tasker.exe"
The worm creates a file named 'nemog.dll' in the Windows system directory. This file contains the backdoor component. The file is registered in the system registry.
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
"(Default)"="%System%\Nemog.dll"
In order to harvest email addresses, the worm scans the MS Windows address book, and files with the extensions listed below:
adbh aspd dbxn htmb phpq pl shtl tbbg wab
It will ignore addresses which contain the following text strings:
.edu .gov .mil abuse accoun acketst admin anyone arin. avp berkeley borlan bsd bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google gov. help
iana ibm.com icrosof icrosoft ietf info inpris isc.o isi.e kernel linux listserv math me mit.e mozilla mydomai no nobody nodomai noone not nothing ntivi page panda pgp
postmaster privacy rating rfc-ed ripe. root ruslis samples secur sendmail service site soft somebody someone sopho submit support syma tanford.e the.bat unix usenet utgers.ed webmaster you your
To send emails, the worm will establish a direct connection to the SMTP server on a victim machine.
A name from the following list is used as the sender's name:
adam alex alice andrew anna bill bob brenda brent brian claudia dan dave david debby fred
george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda maria
mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom
The message subject is one of the following:
Error hello hi Mail Delivery System Mail Transaction Failed Server Report Status test
The attachment name is one of the following:
body data doc document file message readme test text
The attachment may have one of the following extensions:
The worm scans the victim machine for a Kazaa client and copies itself to the file-sharing directory under the following names:
Cleaner.exe Crack.exe Fixtool.exe Hotmail hacker.exe Mydoom.exe Netsky.exe ps2 emulator.exe SoBig.exe Upload.exe Vahos.exe Viraus.exe Wenrar.exe Winzip.exe xbox emulator.exe XXX Pictures.exe XXX Videos.exe yahoo hacker.exe
The worm opens TCP port 5422 in order to receive commands. The backdoor component makes it possible for a remote user to access the entire victim machine. The backdoor component also has the capability to download files from the Internet and then launch them on the victim machine.
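A defender-side check for the persistence entry, the CLSID registration and the backdoor port described above, added here as an example and not part of the original description. It assumes a `.reg` export and `netstat -ano` output as input (both constructed samples below) and that `%System%` resolves to `C:\WINDOWS\system32`.

```python
import re

# Indicators come from the description above; %System% is assumed to
# resolve to C:\WINDOWS\system32 in the constructed samples.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32"
BACKDOOR_PORT = 5422

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files write string data with doubled backslashes
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_registry(reg):
    """Return the Mydoom.r autorun and InprocServer32 indicators that are present."""
    hits = []
    task = reg.get(RUN_KEY, {}).get("Task", "")
    if task.lower().endswith("\\tasker.exe"):
        hits.append("Run value 'Task' -> " + task)
    inproc = reg.get(CLSID_KEY, {}).get("(Default)", "")
    if inproc.lower().endswith("\\nemog.dll"):
        hits.append("InprocServer32 default -> " + inproc)
    return hits

def check_listeners(netstat_text):
    """Return 'netstat -ano' lines showing a TCP listener on the backdoor port."""
    pattern = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING")
    return [ln.strip() for ln in netstat_text.splitlines()
            if (m := pattern.match(ln)) and int(m.group(1)) == BACKDOOR_PORT]

# Constructed sample artefacts from a hypothetical infected host
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Task"="C:\\WINDOWS\\system32\\tasker.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\Nemog.dll"
'''
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING   900
  TCP    0.0.0.0:5422    0.0.0.0:0    LISTENING   1604
"""

if __name__ == "__main__":
    for hit in check_registry(parse_reg_export(SAMPLE_REG)) + check_listeners(SAMPLE_NETSTAT):
        print("INDICATOR:", hit)
```

The path checks use a suffix match, so an unexpanded `%System%\tasker.exe` value is flagged as well as the expanded path.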
Mydoom.r contains the following text string:
MSG To SkyNet-Netsky: i know skynet is sucks so fuck off and i will
complete my projects ok baby!,the second author for mydoom worms!!, he
will complete the project, more is coming soon better than better,
Kuwait
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.