
Email-Worm.Win32.Mydoom.e

Detected Feb 26 2004 15:53 GMT
Released Jul 31 2004 15:02 GMT
Published Feb 26 2004 15:53 GMT

Technical Details

This worm has also been called Mydoom.F, and is a modification of Mydoom.a.

It spreads via the Internet as a file attached to infected messages. The worm is a PE EXE file of 33KB or slightly larger, packed using UPX. The unpacked file is approximately 55KB in size. The worm is also able to send itself as a ZIP archive.

The worm is only activated if the user opens the archive and launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.

The worm includes a backdoor function and is programmed to carry out DoS attacks on www.microsoft.com and www.riaa.com.

Everything points to this worm not being an original creation but a separate build assembled around the original Mydoom.a source code: part of the original code is still present in this version even though it serves no function.

Installation

Once launched, the worm may display a fake error message on the screen: 'File is corrupted,' 'File cannot be opened,' or 'Unable to open specified file'.

The worm may also create a file in the temporary system directory. This file contains a random selection of characters, and the worm may open it using Notepad.

It also creates a mutex named 'jmydoat<name of infected computer>Xmtx' to flag its presence on the system.

When installing, the worm copies itself under a random name to the Windows system directory and registers this file in the system registry auto-run keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters> = "%System%\<name of worm file>"

The worm then searches all accessible disks from C: to Z: and copies itself under random names into every directory it finds whose name contains one of the words

shar
startup
start

(this covers shared folders and Startup folders).

The worm creates a file with a random name and .dll extension in the Windows system directory. This file is 9724 bytes in size, and is the backdoor component, which is intended to open a backdoor on port 1080 and act as a proxy server.

The worm creates several copies of itself as ZIP archives in the Windows root directory. These files are then used for mass mailing. To flag its presence on the system, the worm also creates two additional registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell
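The installation steps above give an analyst a compact set of host indicators: the mutex name, a random-named executable registered under a Run key and living in %System%, a .dll of exactly 9724 bytes in %System%, the two Shell marker keys, TCP port 1080 listening, and ZIP copies in the Windows root. The following triage script is an added example (not Kaspersky Lab's code) that checks all of these against a host snapshot. The snapshot is a plain Python structure so the check runs on any platform; on a live Windows host it would be filled from winreg, os.scandir and a mutex probe, which is out of scope here. Both snapshots are constructed, and the allow-list of expected Run values is an assumption.

```python
"""Host triage against the Mydoom.e installation indicators.

Added example, not Kaspersky Lab's code. Operates on a snapshot already
collected into Python structures; the snapshots and the Run allow-list
below are constructed/assumed, not data from a real infection.
"""
import ntpath

BACKDOOR_DLL_SIZE = 9724   # size of the proxy backdoor DLL, from the description
BACKDOOR_PORT = 1080       # port the backdoor DLL listens on
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Shell",
)
# Assumption: Run values the analyst expects on this fleet (hypothetical allow-list).
KNOWN_RUN_VALUES = {"ctfmon", "igfxtray"}


def mutex_name(computer_name):
    """Mutex the worm creates: 'jmydoat' + computer name + 'Xmtx'."""
    return f"jmydoat{computer_name}Xmtx"


def triage(snap):
    """Return a list of findings for one host snapshot (empty list = nothing found)."""
    findings = []

    expected = mutex_name(snap["computer_name"])
    if expected in snap["mutexes"]:
        findings.append(f"mutex present: {expected}")

    # Random-named worm copy registered under a Run key and living in %System%.
    sysdir = snap["system_dir"].lower().rstrip("\\")
    for key, value, data in snap["run_entries"]:
        path = data.strip('"').lower()
        if (key in RUN_KEYS and ntpath.dirname(path) == sysdir
                and value.lower() not in KNOWN_RUN_VALUES):
            findings.append(f"unexpected Run entry {key}\\{value} -> {data}")

    # Backdoor component: random-named .dll of exactly 9724 bytes in %System%.
    for name, size in snap["system_dir_files"]:
        if name.lower().endswith(".dll") and size == BACKDOOR_DLL_SIZE:
            findings.append(f"possible backdoor DLL ({size} bytes): {name}")

    for key in MARKER_KEYS:
        if key in snap["registry_keys"]:
            findings.append(f"marker key present: {key}")

    if BACKDOOR_PORT in snap["listening_tcp_ports"]:
        findings.append(f"TCP port {BACKDOOR_PORT} listening (proxy backdoor)")

    zips = [f for f in snap["windows_root_files"] if f.lower().endswith(".zip")]
    if zips:
        findings.append("ZIP copies in Windows root: " + ", ".join(zips))

    return findings


# Constructed snapshots for demonstration (not data from a real infection).
CLEAN_HOST = {
    "computer_name": "WS-041",
    "system_dir": r"C:\WINDOWS\system32",
    "mutexes": ["MSCTF.Shared.MUTEX.ABC"],
    "run_entries": [(RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe")],
    "system_dir_files": [("ctfmon.exe", 15360), ("kernel32.dll", 983552)],
    "registry_keys": [RUN_KEYS[0], RUN_KEYS[1]],
    "listening_tcp_ports": [135, 445],
    "windows_root_files": ["explorer.exe", "win.ini"],
}
INFECTED_HOST = {
    "computer_name": "WS-042",
    "system_dir": r"C:\WINDOWS\system32",
    "mutexes": ["MSCTF.Shared.MUTEX.ABC", "jmydoatWS-042Xmtx"],
    "run_entries": [
        (RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
        (RUN_KEYS[1], "qzlwk", r"C:\WINDOWS\system32\qzlwk.exe"),
    ],
    "system_dir_files": [("ctfmon.exe", 15360), ("qzlwk.exe", 33792), ("hjkqv.dll", 9724)],
    "registry_keys": [RUN_KEYS[0], RUN_KEYS[1], MARKER_KEYS[0]],
    "listening_tcp_ports": [135, 445, 1080],
    "windows_root_files": ["explorer.exe", "jokes.zip", "document.zip"],
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, triage(snap) or ["no indicators"])
```

The DLL size and the listening port are the two indicators least likely to collide with legitimate software, so a single hit on either should be enough to pull the host for a full image; the Run-key check depends entirely on how complete the allow-list is.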

Sending of email

In order to send copies of itself, the worm searches all accessible disks from C: to Z: for files with the following extensions:
wab 
mbx 
nch 
mmf 
ods 
rtf 
uin 
oft 
mht 
vbs 
msg 
pl 
eml 
adb 
tbb 
dbx 
asp 
php 
sht 
htm 
txt
It then sends itself to all email addresses found in these files.

Infected emails have the following characteristics:

Sender's address: any address found on the infected machine, or a local part chosen from the following list

jerry 
bill 
smith 
jim 
sam 
james 
alex
A random selection of characters may also be used as the local part. In this case, one of the following domains follows the @ symbol in the sender's address:
aol.com 
msn.com 
yahoo.com 
hotmail.com 
edu

Message subject: (chosen at random)

hello 
hi 
Announcement 
read now! 
forget 
bug 
unknown 
fake 
Wanted 
recent news 
news 
stolen 
Attention 
Accident 
Schedule 
Re: Thank you 
Thank you 
Re: Details 
Details 
Re: Approved 
Approved 
hi, it's me 
Important 
Readme 
Read this message 
please read 
please reply 
Thank You very very much 
You use illegal File Sharing... 
Your IP was logged 
Your account is about to be expired 
Love is 
Love is... 
Undeliverable message 
Re: 
Your order was registered 
Your request was registered 
Your order is being processed 
Your request is being processed 
Current Status 
Your credit card 
Read it immediately! 
Read this 
Read it immediately 
Something for you 
For you 
For your information 
Information 
Warning 
You have 1 day left 
automatic notification 
automatic responder 
Notification 
Expired account 
Your account has expired 
Registration confirmation 
Confirmation 
Confirmation Required 
Returned Mail

Message body: (chosen at random)

Greetings 
See you 
Here it is 
You are bad 
Take it 
Reply 
Please, reply 
Okay 
OK 
Everything ok? 
Check the attached document. 
The document was sent in compressed format. 
Please see the attached file for details 
See the attached file for details 
Details are in the attached document. You need Microsoft Office to open it. 
Information about you 
We have received this document from your e-mail. 
Kill the writer of this document! 
Something about you 
I have your password :) 
You are a bad writer 
Is that yours? 
Is that from you? 
I wait for your reply. 
Here is the document. 
Read the details. 
I'm waiting

Attachment name: (chosen at random)

body 
message 
test 
data 
file 
text 
readme 
document 
doc 
msg 
photo 
resume 
image 
object 
website 
friend 
jokes 
joke 
approved 
paypal 
disc 
misc 
part3 
part2 
part4 
part1 
mail2 
list 
mail 
story 
about 
money 
check 
product 
notes 
your_document 
note 
information 
textfile 
posting 
post 
stuff 
attachment 
creditcard 
details
or a selection of random characters.

The attached file has one of the following executable or archive extensions:

exe 
scr 
com 
pif 
bat 
cmd 
zip
and may also carry a second, decoy extension in front of the real one, chosen from the following list (giving names such as document.doc.exe):
doc 
htm 
rtf 
xls 
jpg 
gif 
png 
txt 
exe 
pif 
scr
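The attachment scheme above (a name from the list, an executable or ZIP extension, and optionally a decoy extension in front of it) is specific enough to check at a mail gateway. The script below is an added example, not Kaspersky Lab's code: it parses a MIME message, classifies every attachment name against the lists from this description, and, because the worm also mails itself as a ZIP archive, looks inside ZIP attachments for members matching the same scheme. The two sample messages are constructed here and carry inert stub bytes, not the worm.

```python
"""Mail-gateway check for the Mydoom.e attachment naming scheme.

Added example, not Kaspersky Lab's code. The name/extension lists are taken
from the description; the sample messages are constructed with stub bytes.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ATTACHMENT_NAMES = {
    "body", "message", "test", "data", "file", "text", "readme", "document", "doc",
    "msg", "photo", "resume", "image", "object", "website", "friend", "jokes", "joke",
    "approved", "paypal", "disc", "misc", "part1", "part2", "part3", "part4", "mail",
    "mail2", "list", "story", "about", "money", "check", "product", "notes", "note",
    "your_document", "information", "textfile", "posting", "post", "stuff",
    "attachment", "creditcard", "details",
}
FINAL_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "zip"}
DECOY_EXTS = {"doc", "htm", "rtf", "xls", "jpg", "gif", "png", "txt", "exe", "pif", "scr"}


def classify_filename(name):
    """Reason the name matches the worm's scheme, or None if it does not."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")   # strip ZIP member paths
    if len(parts) < 2 or parts[-1] not in FINAL_EXTS:
        return None
    base, exts = parts[0], parts[1:]
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return f"decoy double extension .{exts[-2]}.{exts[-1]}"
    if base in ATTACHMENT_NAMES:
        return f"worm attachment name '{base}' with .{exts[-1]}"
    return None


def inspect_zip(data):
    """Yield (member, reason) for suspicious members; an unreadable ZIP is itself a hit."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reason = classify_filename(member)
                if reason:
                    yield member, reason
    except zipfile.BadZipFile:
        yield "<archive>", "ZIP attachment is not a valid archive"


def scan_message(raw):
    """Return a list of 'attachment: reason' hits for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            hits.append(f"{name}: {reason}")
        if name.lower().endswith(".zip"):
            for member, reason in inspect_zip(part.get_payload(decode=True)):
                hits.append(f"{name}!{member}: {reason}")
    return hits


def build_sample(infected):
    """Construct a test message; attachment bodies are inert stub bytes."""
    msg = EmailMessage()
    msg["From"] = "jim@hotmail.com" if infected else "alice@example.org"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your credit card" if infected else "Q1 report"
    msg.set_content("Please see the attached file for details")
    if infected:
        zbuf = io.BytesIO()
        with zipfile.ZipFile(zbuf, "w") as zf:
            zf.writestr("readme.txt.scr", b"MZ-stub")
        msg.add_attachment(b"MZ-stub", maintype="application",
                           subtype="octet-stream", filename="document.doc.exe")
        msg.add_attachment(zbuf.getvalue(), maintype="application",
                           subtype="zip", filename="jokes.zip")
    else:
        msg.add_attachment(b"%PDF-stub", maintype="application",
                           subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample(True)):
        print(hit)
    print("clean message hits:", scan_message(build_sample(False)))
```

The double-extension rule is the one worth keeping beyond this variant; the fixed-name rule (e.g. jokes.zip, readme.exe) is only safe at a gateway that already strips or quarantines executable attachments, since names like "document" or "resume" also occur in legitimate mail.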

DoS attacks

If the system date is between the 17th and the 22nd of the month, there is a 66% chance that the worm will carry out a DoS attack on www.microsoft.com and a 33% chance that it will attack www.riaa.com. Mydoom.e performs DoS attacks in exactly the same way as the other Mydoom variants, by sending multiple GET requests to port 80 of the site under attack.
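Two things follow from the paragraph above: the attack only runs in a six-day window each month, and on the wire it is nothing more than a high rate of plain GET requests from each infected host. The script below is an added example, not Kaspersky Lab's code. dos_target() reproduces the trigger as the description states it, assuming that a single random draw decides between the two targets (the description does not say how the two probabilities are combined). detect_get_floods() is the server-side check an operator of a targeted site could run over its access log: a sliding-window count of GET requests per client, annotated with whether the timestamp falls in the worm's trigger window. The log lines are constructed Common Log Format records, not a real capture.

```python
"""DoS trigger window and GET-flood detection for Mydoom.e.

Added example, not Kaspersky Lab's code. The single-draw target selection
is an assumption; the access-log records are constructed for the demo.
"""
import random
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def dos_target(day_of_month, roll=None):
    """Target the worm would attack on this day of the month, or None.

    Assumption: one draw in [0, 1) picks www.microsoft.com (66%) or
    www.riaa.com (33%); the remaining 1% attacks nothing.
    """
    if not 17 <= day_of_month <= 22:
        return None
    roll = random.random() if roll is None else roll
    if roll < 0.66:
        return "www.microsoft.com"
    if roll < 0.99:
        return "www.riaa.com"
    return None


def detect_get_floods(lines, threshold=50, window_s=10):
    """Map client IP -> details for clients sending >= threshold GETs within window_s seconds."""
    recent = defaultdict(deque)   # per-client timestamps inside the current window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = {
                "count": len(q),
                "first_seen": q[0],
                "in_trigger_window": 17 <= ts.day <= 22,
            }
    return flagged


def make_sample_log():
    """Constructed access log: one flooding client and one ordinary browser."""
    base = datetime(2004, 2, 18, 9, 0, 0, tzinfo=timezone.utc)

    def rec(ip, t, path="/"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 1234'

    # 60 GETs for "/" in six seconds from one host: the worm's request pattern.
    lines = [rec("10.0.0.5", base + timedelta(milliseconds=100 * i)) for i in range(60)]
    # Five page views spread over a minute from a normal client, plus one POST.
    lines += [rec("192.0.2.7", base + timedelta(seconds=12 * i), f"/page{i}") for i in range(5)]
    lines.append('192.0.2.7 - - [18/Feb/2004:09:01:30 +0000] "POST /form HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    print("target today:", dos_target(datetime.now().day))
    for ip, info in detect_get_floods(make_sample_log()).items():
        print(ip, info)
```

Threshold and window should be tuned against the site's own baseline; the "in_trigger_window" flag is only an enrichment hint, since a flood outside the 17th to 22nd is still a flood and a host inside the window may simply be a busy proxy.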

Deletion of files

The worm searches all accessible disks from C: to Z: for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp and deletes a random subset of them, using a random number generator to decide which files are removed.

Other

The worm scans running processes for names containing the following strings (Registry Editor, Task Manager and several anti-virus products):

reged 
taskmo 
taskmg 
avp. 
avp32 
norton 
navapw 
navw3 
intrena 
mcafe

and attempts to terminate them.


Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • connecting directly to an SMTP server using a mail-sending routine built into the worm's code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.



Aliases

Email-Worm.Win32.Mydoom.e (Kaspersky Lab) is also known as:

  • Email-Worm.Mydoom.e (Kaspersky Lab)
  • I-Worm.Mydoom.e (Kaspersky Lab)
  • Virus: W32/Mydoom.gen@MM (McAfee)
  • Mal/Generic-L (Sophos)
  • Worm.Mydoom.AU (ClamAV)
  • W32/Mydoom.gen.worm (Panda)
  • W32/Mydoom.F (FPROT)
  • Worm:Win32/Mydoom.DM@mm (MS(OneCare))
  • Win32.HLLM.MyDoom.based (DrWeb)
  • Win32/Mydoom.F worm (Nod32)
  • Win32.Mydoom.F@mm (BitDef7)
  • I-Worm.Mydoom!8K7M9ECJz1s (VirusBuster)
  • Win32:Agent-CNC [Trj] (AVAST)
  • Email-Worm.Win32.Mydoom.E (Ikarus)
  • Win32/PolyCrypt (AVG)
  • W32.Mydoom.F@mm (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • WORM_MYDOOM.GEN (TrendMicro)
  • I-Worm.Mydoom!8K7M9ECJz1s (VirusBusterBeta)