Email-Worm.Win32.Mydoom.q

Technical Details

Mydoom.q is an Internet worm that spreads via an email attachment. It is written in C++ and packed with UPX. The compressed file size is 27136 bytes and unpacked - 65024.

Installation

Once Mydoom.q is launched it copies the main component into the Windows directory under the name rasor38a.dll and into the Windows system folder under the name winpsd.exe. Finally, Mydoom.q creates the following key in the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "winpsd"="<Windows System Folder >\winpsd.exe"

Mydoom.q also creates a mutex named 43jfds93872 to prevent duplicate infections.

Propagation

Mydoom.q scans the infected machine for files with the following extensions:

txt
htmb
shtl
phpq
aspd
dbxn
tbbg
adbh
pl
wab

Email characteristics

Subject:

photos

Body text:

LOL!;))))

Attachment name:

photos_arc.exe

Payload

Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of infected sites contained in the body of the worm:

http://www.richcolour.com/ispy.x.xxx
http://www.richcolour.com/coco3.xxx
http://www.richcolour.com/guestbook/temp/temp587.xxx
http://zenandjuice.com/guestbook/temp/temp728.xxx

If the backdoor is downloaded successfully, it is saved in the Windows directory under the name winvpn32.exe and then launched. A key is also created in the system registry signaling successful installation:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
 "InstaledFlashhMX"="1"

Mydoom.q scans for this flag and stops attempting to download the Trojan once the flag is tagged '1'.

Other

Mydoom.q is programmed to stop spreading on August 20 at 21:11:11 (according to the local machine time).

However, Backdoor.Win32.Surila.g does not have an expiration date, meaning that infected machines remain open to remote adminstration unless the Trjoan is removed.