English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Follow us on

Home→Descriptions→Email-Worm.Win32.Mydoom.a

Email-Worm.Win32.Mydoom.a

Detected	Jan 27 2004 07:55 GMT
Released	Aug 16 2007 10:00 GMT
Published	Jan 27 2004 07:55 GMT

Technical Details

Also known as Novarg.

This worm spreads via the Internet in the form of files attached to infected messages. It also spreads via the file sharing network Kazaa. The worm itself is a Windows PE EXE file of 22528 bytes, compressed using UPX. The decompressed file is approximately 40KB in size.

The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.

The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the site www.sco.com on 1st February 2004.

Part of the body of the worm is encrypted.

Installation

Following launch, the worm opens Windows Notepad, showing a random selection of symbols:

During installation, the worm copies itself under the name taskmon.exe to the Windows system directory, and registers this file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "TaskMon" = "%System%\taskmon.exe"

The worm creates a file shimgapi.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
 "(Default)" = "%SysDir%\shimgapi.dll"

Shimgapi.dll will therefore launch as a procedure linked to Explorer.exe.

The worm also creates a file called Message in the temporary directory (usually in windir\temp). This file contains a random selection of symbols.

So that the worm can identify itself in the system, it creates several additional keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]

While running it also creates a unique identifier SwebSipxSmtxSO.

Mailing of messages

When sending infected messages the worm uses its own SMTP engine. The worm attempts to connect directly to the recipient mail server.

In order to find email addresses to send infected messages to, the worm searches for files with the following extensions:

asp
dbx
tbb
htm
sht
php
adb
pl
wab
txt

and gathers email addresses found in these files. The worm ignores addresses with the suffix .edu.

Infected messages have the following characteristics:

Sender's address:

random

Message header: (chosen at random from the following list)

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message body: (chosen at random from the following list)

test

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

The message contains Unicode characters and has been sent
as a binary attachment.

Mail transaction failed. Partial message is available.

Attachment name: (may be one word from the list below, or two words from the list below joined by an underscore)

document
readme
doc
text
file
data
test
message
body

The attachment may have one of the following extensions:

pif
scr
exe
cmd
bat

The worm may also send messages with a meaningless selection of characters in the message head, message body or attachment name.

Replication via P2P

The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with the following extensions:

bat
exe
scr
pif

Other

Shimgapi.dll is a proxy-server; the worm opens a TCP port between 3127 and 3198 on the infected machine in order to receive commands. The backdoor function allows the creator of the worm to gain full access to the system. In addition to this, the backdoor can execute random files downloaded from the Internet.

The worm also contains a function which enables it to carry out DoS attacks on the site www.sco.com. This function should activate on the 1st February and continue to work until 12th Febuary 2004. The worm will send a GET request every millisecond to port 80 of the site being attacked, which under the conditions of a global epidemic may lead to total breakdown of the site.

Print

Share

Malicious programs

Viruses and worms

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

using a direct connection to a SMTP server using the email directory built into the worm’s code
using MS Outlook services
using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

the address book in MS Outlook
a WAB address database
.txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Other versions

Email-Worm.Win32.Mydoom.aa

Email-Worm.Win32.Mydoom.ab

Email-Worm.Win32.Mydoom.b

Email-Worm.Win32.Mydoom.d

Email-Worm.Win32.Mydoom.e

Email-Worm.Win32.Mydoom.g

Email-Worm.Win32.Mydoom.l

Email-Worm.Win32.Mydoom.m

Email-Worm.Win32.Mydoom.n

Email-Worm.Win32.Mydoom.q

Email-Worm.Win32.Mydoom.r

Email-Worm.Win32.Mydoom.t

Email-Worm.Win32.Mydoom.u

Email-Worm.Win32.Mydoom.v

Email-Worm.Win32.Mydoom.y

Aliases

Email-Worm.Win32.Mydoom.a (Kaspersky Lab) is also known as:

Email-Worm.Mydoom.a (Kaspersky Lab)
I-Worm.Mydoom.a (Kaspersky Lab)
I-Worm.Novarg (Kaspersky Lab)
Virus: W32/Mydoom.a@MM (McAfee)
Virus: W32/Mydoom.a@MM!zip (McAfee)
W32/MyDoom-A (Sophos)
Worm.SCO.A-1 (ClamAV)
W32/Mydoom.A.worm (Panda)
W32/Mydoom.A@mm (FPROT)
Worm:Win32/Mydoom.A@mm (MS(OneCare))
Win32.HLLM.MyDoom (DrWeb)
Win32.HLLM.MyDoom.32768 (DrWeb)
Win32.Novarg.A@mm (BitDef7)
I-Worm.Mydoom.a (VirusBuster)
Win32:Mydoom-CA [Wrm] (AVAST)
Email-Worm.Win32.Mydoom (Ikarus)
Win32/Cryptor (AVG)
I-Worm/Mydoom.A (AVG)
document.htm .pif <<< WORM/Mydoom.A (AVIRA)
WORM/Mydoom.A.3 (AVIRA)
document.pif <<< WORM/Mydoom.A (AVIRA)
W32.Mydoom.A@mm (NAV)
NseCheckFile2() returned 0x00010018 (Norman)
W32/Mydoom.A@mm (NAI)
WORM_MYDOOM.BU (PCCIL)
Worm.Mail.Mydoom.dt (Rising)
Email-Worm.Win32.Mydoom.a [AVP] (FSecure)
WORM_MYDOOM.BU (TrendMicro)
Email-Worm.Win32.Mydoom.gen (v) (Sunbelt)
I-Worm.Mydoom.a (VirusBusterBeta)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com