
Email-Worm.Win32.Mydoom.d

Detected Feb 14 2004 04:24 GMT
Released Feb 14 2004 04:24 GMT
Published Oct 27 2004 13:15 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages, and also via the Kazaa file-sharing network.

The worm itself is a Windows PE EXE file which is approximately 24KB in size and packed using UPX. The unpacked file is approximately 45KB in size.

The worm includes a backdoor function.

Installation

Once launched, Mydoom.d opens Windows Notepad, displaying a random selection of characters.

When installing itself to the system, the worm copies itself to the Windows system directory as "taskmon.exe" and then registers this file in the system registry so that it is started automatically:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%System%\taskmon.exe"

This ensures that the worm will be launched each time the system is rebooted.

The worm creates a file named "shimgapi.dll" in the Windows system directory. This file is the backdoor, which acts as a proxy server.

Propagation via email

The worm harvests addresses from the machine's address book, and also from files with the extensions listed below:

adb
asp
dbx
htm
php
pl
sht
tbb
txt
wab

Addresses containing the text strings listed below will be ignored:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your

The worm establishes a direct connection to the recipient's SMTP server to send messages.

Infected messages

Sender's address:

The sender's address is created by combining the elements listed below:

Name

adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Sender's domain

aol.com
hotmail.com
msn.com
yahoo.com

Message subject (chosen at random from the list below):

Error
hello
hi
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Test

Message body

The message body is one of several variants hard-coded in the worm, for example:

test
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment name (chosen at random from the list below):

body
data
doc
document
file
message
readme
test
text

The attached file will have one of the extensions listed below:

bat
cmd
doc
exe
htm
pif
scr
tmp
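
As an added example (not part of the original description), a mail-gateway check built from the message template above: it reports which of the four features (sender domain, subject, body text, attachment name plus extension) a raw message matches. The indicator lists are taken from this page; the sample message is constructed, and the requirement that all four features match is an assumption.

```python
from email import policy
from email.parser import BytesParser

# Message-template indicators copied from the description above (lower-cased).
SENDER_DOMAINS = {"aol.com", "hotmail.com", "msn.com", "yahoo.com"}
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
BODY_PHRASES = ("mail transaction failed. partial message is available.",
                "has been sent as a binary attachment.")
ATTACH_NAMES = {"body", "data", "doc", "document", "file",
                "message", "readme", "test", "text"}
ATTACH_EXTS = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "tmp"}

def mydoom_d_indicators(raw: bytes) -> list[str]:
    # Returns which parts of the worm's message template a raw mail matches.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    sender = (msg.get("From") or "").lower()
    if sender.rsplit("@", 1)[-1].strip("<> ") in SENDER_DOMAINS:
        hits.append("sender-domain")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if text.strip() == "test" or any(p in text for p in BODY_PHRASES):
        hits.append("body")
    names = ((p.get_filename() or "").lower().rpartition(".") for p in msg.iter_attachments())
    if any(n in ATTACH_NAMES and e in ATTACH_EXTS for n, _, e in names):
        hits.append("attachment")
    return hits

def is_probable_mydoom_d(raw: bytes) -> bool:
    # Assumed threshold: all four features, since .doc/.htm attachments and subjects like "Status" occur in clean mail.
    return len(mydoom_d_indicators(raw)) == 4

# Constructed sample following the template above (not a real capture).
SAMPLE = b"""From: jane@yahoo.com
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Disposition: attachment; filename="message.pif"

MZ
--b1--
"""
```

Because two of the attachment extensions and several subjects are ordinary in legitimate mail, a rule on any single feature would generate false positives; the combined match is what makes the template distinctive.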

Propagation via P2P networks

The worm checks to see if a Kazaa client is installed on the victim machine, and then copies itself to the file-sharing directory under the following names:

activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

with one of the following extensions:

bat
exe
pif
scr

Remote administration

"Shimgapi.dll" functions as a proxy-server. The worm opens TCP port 3127 to listen for commands. The backdoor function provides a malicious remote user with complete access to the victim machine. In addition to this, the backdoor and download files from the Internet and launch them on the infected machine.

Other

At 02:28:58 on 14.02.2006, Mydoom.d will cease to function and will no longer propagate.
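
As an added example (not from the original description), a host triage check built from the indicators in the Installation and Remote administration sections above: the "TaskMon" Run value pointing at taskmon.exe, the two dropped files in the system directory, and a listener on TCP 3127. The registry export and netstat text are constructed inputs, and the two small parsers assume the plain "reg export" and "netstat -an" output formats.

```python
import re

# Host indicators from the description above: Run value, dropped files, backdoor port.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "TaskMon"
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORT = 3127

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    # Minimal parser for 'reg export' output: {key (lower-cased): {value_name: data}}.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def listening_ports(netstat: str) -> set[int]:
    # TCP ports in LISTENING state from 'netstat -an' style output.
    return {int(m.group(1)) for m in
            re.finditer(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", netstat)}

def mydoom_d_host_findings(reg_text, netstat_text, system_dir_listing):
    findings = []
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    data = run.get(RUN_VALUE, "").lower()
    if data.endswith("\\taskmon.exe"):
        findings.append(f"Run value {RUN_VALUE} -> {data}")
    for f in sorted(DROPPED_FILES & {n.lower() for n in system_dir_listing}):
        findings.append(f"dropped file present: {f}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"TCP {BACKDOOR_PORT} listening")
    return findings

# Constructed inputs (not captured from a real machine).
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"
"Explorer"="C:\\WINDOWS\\explorer.exe"
'''
NETSTAT_SAMPLE = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING
"""
SYSTEM_DIR = ["kernel32.dll", "taskmon.exe", "shimgapi.dll"]
```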


Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Aliases

Email-Worm.Win32.Mydoom.d (Kaspersky Lab) is also known as: