Email-Worm.Win32.Mydoom.t

Technical Details

Mydoom.t is an Internet worm that spreads via an email attachment. It is packed with UPX; the unpacked size is about 34 KB and the compressed size is about 18 KB.

The worm is activated only if users double click on the infected attachment, whereupon the worm installs itself into the system and launches propagation routintes.

Installation

Mydoom.t copies itself into the Windows system folder under the name windrv32.exe. This file is then registered in the following autorun registry key:

[HKLM\Software\Windows\CurrentVersion\Run\]
 "WinSPF"="%SysDir%\windrv32.exe"

Mydoom.t also creates the mutex WWWWDefaceDWWW to identify itself in the system.

Infected email characterics

Sender name

Is either spoofed from the local address book on the infected machine or composed from the following components in random combinations:

first name:

last name:

Alex
Alexander
Andrew
Anthony
Barry
Bernard
Bill
Brian
Calvin
Carl
Charles
Christopher
Clifford
Daniel
David
Dennis
Donald
Douglas
Edward
Eric
Francisco
Frank
Gary
George
Gregory
Harold
Henry
James
Jason
Jay
Jeffrey
Jerry
Jim
John
Jon
Jose
Joseph
Joshua
Kenneth
Kevin
Larry
Leon
Leroy
Lloyd
Marcus
Mario
Mark
Matthew
Michael
Micheal
Miguel
Oscar
Patrick
Paul
Peter
Randall
Raymond
Richard
Ricky
Robert
Ronald
Ronnie
Scott
Stephen
Steven
Theodore
Thomas
Timothy
Tom
Tommy
Troy
Walter
William

Adams
Allen
Anderson
Baker
Brown
Campbell
Carter
Clark
Cruz
Davis
Freeman
Garcia
Gomez
Gonzalez
Green
Hall
Harris
Hernandez
Hill
Jackson
Johnson
Jones
King
Lee
Lewis
Lopez
Marshall
Martin
Martinez
Miller
Mitchell
Moore
Murray
Nelson
Ortiz
Parker
Perez
Phillips
Porter
Roberts
Robinson
Rodriguez
Scott
Simpson
Smith
Stevens
Taylor
Thomas
Thompson
Tucker
Turner
Walker
Webb
Wells
White
Williams
Wilson
Wright
Young

sender domain

Chosen at random from:

aol.com
dailymail.co.uk
gmx.net
hotmail.com
mail.com
t-online.de
yahoo.co.uk

Subject

Chosen at random from:

hello
here
Hi!
important
Information
my
News
Notice again
Private document
Re: Hello
Re: Hi
Re: Message
Re: Proof of concept
Re: Question
Re: Status
Re: Your document
read it immediately
Thank you!
thanks!
You win!

Body text

Chosen at random from:

apply patch.
apply this patch!
Can you confirm it?
For further details see the attachment.
For more details see the attachment.
fun game!
fun photos
fun!
game
I have attached document.
lol!
Monthly news report.
New game
Please answer quickly!
Please confirm the document.
Please confirm!
Please read the attached file!
Please read the attached file.
Please read the document.
Please read the important document.
Please see the attached file for details
relax
screensaverlol!
See attached file for details.
See the file.
See the file.
Thanks!
Thanks!
Virus removal tool
Waiting for a Response. Please read the attachment.
You are infected by virus. Run this exe
Your archive is attached.
Your requested mail has been attached.

Attachment name

Chosen at random from:

antivirus.exe
bill.zip
data.zip
details.zip
doc.zip
doc.zip
document.zip
file.exe
file.zip
fun.scr
game.exe
info.zip
information.zip
letter.zip
lol.scr
message,.zip
new.exe
new.zip
patch.exe
photo.exe
pic.exe
report.zip

bill.doc                        .pif
bill.rtf                        .pif
bill.txt                        .pif
doc.doc                         .pif
doc.rtf                         .pif
doc.txt                         .pif
document.doc                           .pif
mesg.doc                        .pif
mesg.rtf                        .pif
mesg.txt                        .pif
Message.html                    .pif
rep.txt                         .pif
report.doc                      .pif
report.rtf                      .pif
report.txt                      .pif
review.doc                      .pif
review.rtf                      .pif
review.txt                      .pif

Signature

Based on the following pattern:

+++ Attachment: No Virus found
+++ %s

Where "%s" is chosen at random from:

Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com

Propagation

Mydoom.t harvests addresses from the local address book and scans the machine for files with the follwoing extensions:

asp
cfg
cgi
dbx
dht
eml
htm
jsp
mht
msg

php
sht
stm
tbb
txt
uin
vbs
wab
xls

This Mydoom variant spreads by connecting directly to potential victim SMTP servers by constructing SMTP server names based on domain names it harvests from the infected machine.

Other

Mydoom.t contains a downloader function that attempts to download Backdoor.Win32.Surila from the following sites:

http://vugs.geog.uu.nl
http://www.ach.ch
http://www.hiw.kuleuven.ac.be
http://www.llc.unibo.it
http://www.mercyships.de
http://www.planetboredom.net
http://www.surrenderzeeland.nl

Mydoom.t contains the follwoing message from the coders:

We searching 4 work in AV industry.