Email-Worm.Win32.Mydoom.u

Technical Details

This worm spreads via the Internet as an attachment to infected messages. The worm will download Backdoor.Win32.Surila from a website and activate it.

The worm is packed using UPX; the compressed file is about 18 KB in size and the unpacked file is approximately 44 KB in size.

Installation

During installation the worm copies itself as "windrv32.exe" to the Windows system directory and then registers this file in the system registry as a key to enable autorun:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "WinSPF" = "%WinSysDir%\windrv32.exe"

This ensures that the worm will be launched each time the system is rebooted.

Propagation via email

The worm sends itself to all email addresses harvested from the victim computer. The worm looks for email addresses in Windows Address Book and in the files with the following extensions:

asp
cfg
cgi
dbx
dht
eml
htm
jsp
mht
msg

php
sht
stm
tbb
txt
uin
vbs
wab
xls

The worm establishes a direct connection to the recipient's SMTP server to send messages to all harvested addresses.

Infected messages

Sender's address:

The sender's address is constructed from random combinations of the following elements:

First name:

Alex
Alexander
Andrew
Anthony
Barry
Bernard
Bill
Brian
Calvin
Carl
Charles
Christopher
Clifford
Daniel
David
Dennis
Donald
Douglas
Edward
Eric
Francisco
Frank
Gary
George

Gregory
Harold
Henry
James
Jason
Jay
Jeffrey
Jerry
Jim
John
Jon
Jose
Joseph
Joshua
Kenneth
Kevin
Larry
Leon
Leroy
Lloyd
Marcus
Mario
Mark
Matthew

Michael
Miguel
Oscar
Patrick
Paul
Peter
Randall
Raymond
Richard
Ricky
Robert
Ronald
Ronnie
Scott
Stephen
Steven
Theodore
Thomas
Timothy
Tom
Tommy
Troy
Walter
William

Last name:

Adams
Allen
Anderson
Baker
Brown
Campbell
Carter
Clark
Cruz
Davis
Freeman
Garcia
Gomez
Gonzalez
Green
Hall
Harris
Hernandez
Hill
Jackson

Johnson
Jones
King
Lee
Lewis
Lopez
Marshall
Martin
Martinez
Miller
Mitchell
Moore
Murray
Nelson
Ortiz
Parker
Perez
Phillips
Porter
Roberts

Robinson
Rodriguez
Scott
Simpson
Smith
Stevens
Taylor
Thomas
Thompson
Tucker
Turner
Walker
Webb
Wells
White
Williams
Wilson
Wright
Young

Subject (chosen at random from the list below):

hello
here
hi
Hi!
important
Information
my
News
Notice again
Private document
Re: Hello
Re: Hi
Re: Message
Re: Proof of concept
Re: Question
Re: Status
Re: Your document
read it immediately
Thank you!
thanks!
You win!

Message body (chosen at random from the list below):

apply patch.
apply this patch!
Can you confirm it?
For further details see the attachment....
For more details see the attachment.
fun game!
fun photos
fun!
game
I have attached document.
lol!
Monthly news report.
New game
Please answer quickly!
Please confirm the document.
Please confirm!
Please read the attached file!
Please read the attached file.
Please read the document.
Please read the important document.
Please see the attached file for detail...
relax
screensaverlol!
See attached file for details.
See the file.
See the file.
Thanks!
Thanks!
Virus removal tool
Waiting for a Response. Please read the...
You are infected by virus. Run this exe...
Your archive is attached.
Your requested mail has been attached.

Signature

+++ Attachment: No Virus found
+++ %s

"%s" is chosen at random from:

Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com

Attachment name (chosen at random from the list below):

bill.doc                  .pif
bill.rtf                    .pif
bill.txt                   .pif
doc.doc                .pif
doc.rtf                   .pif
doc.txt                  .pif
document.doc      .pif
mesg.doc             .pif
mesg.rtf                .pif
mesg.txt               .pif
Message.html      .pif
rep.txt                  .pif
report.doc             .pif
report.rtf               .pif
report.txt              .pif
review.doc            .pif
review.rtf              .pif
review.txt             .pif

antivirus.exe
bill.zip
data.zip
details.zip
doc.zip
doc.zip
document.zip
file.exe
file.zip
fun.scr
game.exe
info.zip
information.zip
letter.zip
lol.scr
message,.zip
new.exe
new.zip
patch.exe
photo.exe
pic.exe
report.zip

Remote Administration

The worm contains a downloader function that attempts to download Backdoor.Win32.Surila from the following sites:

http://vugs.geog.uu.nl
http://www.ach.ch
http://www.hiw.kuleuven.ac.be
http://www.llc.unibo.it
http://www.mercyships.de
http://www.planetboredom.net
http://www.surrenderzeeland.nl

Other

After September 20th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.