
Email-Worm.Win32.Mydoom.m

Detected Jul 26 2004 15:03 GMT
Released Aug 20 2004 13:07 GMT
Published Jul 26 2004 15:03 GMT

Technical Details

I-Worm.Mydoom.m spreads via the Internet as an attachment to infected messages.

The worm itself is a Windows PE EXE file approximately 27KB in size, packed using UPX. The unpacked file is approximately 50KB in size.

The worm is only activated when a user opens the archive and launches the infected file by double-clicking on it. The worm will then install itself on the system and begin propagating.

The worm contains a backdoor function.

Part of the body of the worm is encrypted.

Installation

When installing, the worm copies itself as 'java.exe' to the Windows root directory and registers this file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  JavaVM = %windir%\java.exe

This ensures the worm will be launched each time the infected system is booted.

The worm also creates a file named 'services.exe', 8192 bytes in size, in the Windows root directory. This file is an additional component, and is also added to the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  Services = %windir%\services.exe
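A defender-side check for the two autostart entries listed above, added here as an example (not Kaspersky's code). It works on (name, value) pairs so it can be unit-tested anywhere; the `read_run_keys` helper that pulls those pairs from a live host needs `winreg` and therefore only runs on Windows, and `C:\WINDOWS` as the value of %windir% is an assumption.

```python
"""Checks Run-key autostart entries for the persistence described above
(the JavaVM and Services values pointing at java.exe and services.exe in
the Windows root). Added example, not from the page."""
import ntpath
import re

# Value name -> file name, as given in the installation description above.
SUSPECT_ENTRIES = {"JavaVM": "java.exe", "Services": "services.exe"}

def expand_windir(path: str, windir: str) -> str:
    """Resolve %windir% case-insensitively; windir is supplied by the caller (assumption)."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE)

def suspicious_run_entries(entries, windir=r"C:\WINDOWS"):
    """entries: iterable of (value_name, value_data) read from a Run key.
    Flags exact matches to the worm's entries and, more generally, any
    services.exe started from the Windows root: the genuine services.exe
    lives in System32 and is not registered under Run."""
    hits = []
    for name, data in entries:
        exe = expand_windir(data.strip().strip('"'), windir)
        folder, fname = ntpath.split(exe)
        in_root = ntpath.normcase(folder) == ntpath.normcase(windir)
        if not in_root:
            continue
        if fname.lower() == SUSPECT_ENTRIES.get(name, ""):
            hits.append((name, exe, "Mydoom.m autostart entry"))
        elif fname.lower() == "services.exe":
            hits.append((name, exe, "services.exe outside System32"))
    return hits

def read_run_keys():
    """Collect (name, data) from both Run keys on a live Windows host (winreg, Windows only)."""
    import winreg
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values in this key
                    break
                entries.append((name, str(data)))
                index += 1
    return entries
```

On a Windows host, `suspicious_run_entries(read_run_keys())` returns the flagged entries; an empty list means neither value name nor a root-directory services.exe was found.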

Mailing messages

The worm searches the victim machine for email addresses to harvest, and then sends itself to these addresses by directly connecting to the recipient's SMTP server.

It also harvests addresses by using the following search engines:

Google
Lycos
Altavista
Yahoo

Infected messages

Sender's address (either chosen from the list below or spoofed):

MAILER-DAEMON
Mail Administrator
Automatic Email Delivery Software
Post Office
The Post Office
Bounced mail
Returned mail
Mail Delivery Subsystem

Message header (chosen at random from the list below):

Message could not be delivered
hello
Hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
{{The|Your} m|M}essage could not be delivered
instruction

Message body (chosen at random from the list below):

The message body is altered to correspond to the user's details: the $-prefixed placeholders in the templates below ($t, $T, $F, $i, $D, $w) are substituted before sending.

Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}

{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during { this|the {last|recent}} week.

{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.

{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.

{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {$T {user |technical |}support team.|The $T {support |}team.}

{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:

Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message {was not|could not be} delivered within $D days: {{{Mail s|S}erver}|Host} $i is not responding.

The following recipients {did|could} not receive this message: <$t>

Please reply to postmaster@{$F|$T} if you feel this message to be in error. The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}

----- The following addresses had permanent fatal errors ----- {<$t>|$t}

{----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{$T.|$i}: {>>> MAIL F{rom|ROM}:$f <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large} 554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5. 0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:<$t> <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded|}<<< 400}|} The original message was included as attachment {{The|Your} m|M}essage could not be delivered

Attachment name:

The attachment name is generated at random.

Attachment extension (chosen at random from the list below):

cmd
bat
com
pif
scr
doc
exe

The worm may also be sent in the form of a ZIP archive.

Other

The worm opens TCP port 1034 in order to receive remote commands.
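Two network behaviours described on this page are visible in ordinary firewall connection logs: a workstation opening SMTP sessions directly to many recipient mail servers (the mailing routine above) and inbound connections to TCP port 1034 (the backdoor). The detection below is an added example, not from the page; the log format, the addresses and the relay address `10.0.0.5` are constructed.

```python
"""Flags Mydoom.m's direct-to-recipient SMTP pattern and its TCP/1034 backdoor
in connection logs. Added example with a constructed log format."""
import re
from collections import defaultdict

# Constructed sample: "<time> <src>:<sport> -> <dst>:<dport>" (not real logs).
SAMPLE_LOG = """\
2004-07-26T15:03:01 10.0.0.12:1200 -> 10.0.0.5:25
2004-07-26T15:03:02 10.0.0.12:1201 -> 198.51.100.7:25
2004-07-26T15:03:02 10.0.0.12:1202 -> 198.51.100.9:25
2004-07-26T15:03:03 10.0.0.12:1203 -> 203.0.113.4:25
2004-07-26T15:03:03 10.0.0.12:1204 -> 203.0.113.21:25
2004-07-26T15:03:04 10.0.0.12:1205 -> 192.0.2.33:25
2004-07-26T15:03:05 10.0.0.40:3000 -> 10.0.0.5:25
2004-07-26T15:03:06 203.0.113.99:40000 -> 10.0.0.12:1034
2004-07-26T15:03:07 10.0.0.40:3001 -> 198.51.100.7:80
"""
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
MAIL_RELAY = "10.0.0.5"   # assumption: the only host allowed to send SMTP outbound
BACKDOOR_PORT = 1034      # from the description above

def parse(log: str):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, _sport, dst, dport = m.groups()
            yield ts, src, dst, int(dport)

def direct_smtp_senders(log: str, threshold: int = 3) -> dict:
    """Hosts that opened SMTP to at least `threshold` distinct servers other than
    the relay, i.e. a client doing its own delivery the way the worm does."""
    targets = defaultdict(set)
    for _, src, dst, dport in parse(log):
        if dport == 25 and dst != MAIL_RELAY:
            targets[src].add(dst)
    return {host: len(t) for host, t in targets.items() if len(t) >= threshold}

def backdoor_connections(log: str) -> list:
    """(remote, internal) pairs where something connected to the backdoor port."""
    return sorted({(src, dst) for _, src, dst, dport in parse(log) if dport == BACKDOOR_PORT})

if __name__ == "__main__":
    print("direct SMTP senders:", direct_smtp_senders(SAMPLE_LOG))
    print("backdoor connections:", backdoor_connections(SAMPLE_LOG))
```

Host 10.0.0.40 only talks to the relay and to a web server, so it is not flagged; 10.0.0.12 is flagged on both indicators.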

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server, using the email directory built into the worm's code
  • using MS Outlook services
  • using Windows MAPI functions

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Aliases

Email-Worm.Win32.Mydoom.m (Kaspersky Lab) is also known as:

  • Email-Worm.Mydoom.m (Kaspersky Lab)
  • I-Worm.Mydoom.m (Kaspersky Lab)
  • I-Worm.MyDoom.gen (Kaspersky Lab)
  • Virus: W32/Mydoom.o@MM (McAfee)
  • W32/Sality-AA (Sophos)
  • W32/MyDoom-O (Sophos)
  • W32.Sality.Q-1 (ClamAV)
  • Worm.Mydoom.M-unp (ClamAV)
  • Worm.Mydoom.M (ClamAV)
  • W32/Mydoom.N.worm (Panda)
  • W32/Mydoom.AY@mm (FPROT)
  • W32/Mydoom.O@mm (FPROT)
  • W32/Sality.AD (FPROT)
  • Virus:Win32/Sality.R (MS(OneCare))
  • Worm:Win32/Mydoom.O@mm (MS(OneCare))
  • Win32.HLLP.Sector (DrWeb)
  • Win32.HLLM.MyDoom.49 (DrWeb)
  • Win32/Sality.NAJ virus (Nod32)
  • Win32/Mydoom.R worm (Nod32)
  • Worm.Generic.24520 (BitDef7)
  • Win32.Mydoom.M@mm (BitDef7)
  • Win32:Mydoom-M [Wrm] (AVAST)
  • Win32:Mydoom-L2 [Wrm] (AVAST)
  • Email-Worm.Win32.Mydoom.M (Ikarus)
  • Email-Worm.Win32.Mydoom (Ikarus)
  • Dropper.Generic_c.GH (AVG)
  • I-Worm/Mydoom (AVG)
  • I-Worm/Mydoom.O (AVG)
  • W32/Sality.Q (AVIRA)
  • WORM/Mydoom.M (AVIRA)
  • WORM/Mydoom.M.unp (AVIRA)
  • W32.Mydoom!gen (NAV)
  • W32.Mydoom.M@mm (NAV)
  • W32.Sality.U (NAV)
  • Worm.Mail.Mydoom.x (Rising)
  • Worm.Mail.Mydoom.dh (Rising)
  • W32/Mydoom.M@mm [Orion] (FSecure)
  • PE_SALITY.AS (TrendMicro)
  • WORM_MYDOOM.GEN (TrendMicro)