Email-Worm.Win32.Mydoom.v
| Detected | Sep 10 2004 08:55 GMT |
| Released | Sep 10 2004 08:55 GMT |
| Published | Sep 23 2004 09:45 GMT |
Mydoom.v is another variant of the Mydoom worm and spreads as an infected email attachment.
This variant is a Windows PE exe file, packed with UPX: the packed file is approximately 18 KB in size and the unpacked file is approximately 44 KB.
Mydoom.v is activated only when the recipient double clicks on the attachment.
Once the user activates Mydoom.v the worm copies itself to the Windows system folder under the name win32s.exe and registers this file in the system registry:
[HKLM\Software\Windows\CurrentVersion\Run\]
Win32System = %SysDir%\win32s.exe
This will ensure the worm is launched each time the system is rebooted.
It also creates the mutex "LLLf54fxrDLLL" to flag its presence in the system. This ensures that only one copy of the worm will be run at any time.
Mydoom.v collects email addresses by scanning the local address book and files with the following extensions:
asp cfg cgi dbx dht eml htm
jsp mbx mht msg php sht stm
tbb txt uin wab xls
The worm harvests domain names from the local machine and connects directly to the SMTP servers of potential victims, rather than relaying through the local mail server.
Infected messages carry one of the following subject lines:
FW: (no subject)
FW: 2 new photos
FW: hello sweety :>
FW: hi
FW: hi, it's me
FW: it's me
FW: jenna's photos :)
FW: my photos
FW: new photos
FW: remember me?..
FW: that's me :-D
Sender names and addresses are built from the following first names, surnames and domains:
First names:
Alex Alexander Andrew Anthony Barry Bernard Bill Brian Calvin Carl Charles Christopher Clifford Daniel David Dennis Donald Douglas Edward Eric Francisco Frank Gary George Gregory
Harold Henry James Jason Jay Jeffrey Jerry Jim John Jon Jose Joseph Joshua Kenneth Kevin Larry Leon Leroy Lloyd Marcus Mario Mark Matthew Michael Micheal
Miguel Oscar Patrick Paul Peter Randall Raymond Richard Ricky Robert Ronald Ronnie Scott Stephen Steven Theodore Thomas Timothy Tom Tommy Troy Walter William
Surnames:
Adams Allen Anderson Baker Brown Campbell Carter Clark Cruz Davis Freeman Garcia Gomez Gonzalez Green Hall Harris Hernandez Hill Jackson
Johnson Jones King Lee Lewis Lopez Marshall Martin Martinez Miller Mitchell Moore Murray Nelson Ortiz Parker Perez Phillips Porter Roberts
Robinson Rodriguez Scott Simpson Smith Stevens Taylor Thomas Thompson Tucker Turner Walker Webb Wells White Williams Wilson Wright Young
Domains:
aol.com cox.net dailymail.co.uk gmx.net hotmail.com mail.com msn.com t-online.de yahoo.co.uk yahoo.com
The message body is one of the following forged "forwarded" messages:
-----Original Message----- From: jenna (e-mail) Sent: Tuesday, September 7, 2004 11:38 AM To: ma kittie my photos zipped )) kiss, jenna
-----Original Message----- From: jenny Sent: Tuesday, September 7, 2004 10:23 AM To: Mr.X (e-mail) photos you asked jenny
-----Original Message----- From: Jenna Knukles Sent: Tuesday, September 7, 2004 9:05 AM To: Friends Group in archive my photos Jenna :)
-----Original Message----- From: Jena Sent: Tuesday, September 7, 2004 5:23 AM To: friend So.. Am I Hot? :) Waining For Your Answer Jena
-----Original Message----- From: Jeny Sent: Tuesday, September 7, 2004 8:57 PM To: Neo see the photos :)) kiss you, jeny
-----Original Message----- From: jenny k. Sent: Tuesday, September 7, 2004 10:23 AM To: My Tiger (e-mail) new fotos you asked jenny k
-----Original Message----- From: Jenna Knukles Sent: Tuesday, September 7, 2004 9:05 AM in archive my new fotos Jenna K :)
-----Original Message----- From: Jena K. Sent: Tuesday, September 7, 2004 5:23 AM To: friends So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key
-----Original Message----- From: Jeny K. Sent: Tuesday, September 7, 2004 8:57 PM To: Morpheus check out the new photos :)) miss you, jeny k
The attachment name is one of the following (note the space-padded double extensions ending in .pif, and the .exe.safe names):
2004042301.jpg .pif
julia038.jpg .pif
marie_dancing.jpg .pif
me_01.jpg .pif
nude_.jpg .pif
photo08.jpg .pif
sunny.jpg .pif
with_flowers.jpg .pif
arc.exe.safe
foto.exe
fotos.exe
fotos.zip
images.zip
my_foto.exe
my_photos.exe
my_photos.zip
myfoto.exe
myfoto.exe.safe
myphotos.zip
myphotos_arc.exe
new_photos.exe
new_photos.zip
newphotos.exe
photo_se.exe
photoarchive.exe
photofile.exe.safe
photos.exe.safe
photos.selfextracting.exe.safe
photos.zip
photos_arc.exe
A forged scanner notice is appended to the message body to make the attachment look safe:
+++ Attachment: No Virus found +++ %s
with %s being chosen at random from the following list:
Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com
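The message traits listed above (subject lines, attachment name shapes, the forged scanner notice) can be turned into a simple mail-gateway check. The following is an added example written for this page, not code from the original description; it uses Python's standard email parser on a constructed sample message, and the indicator sets are copied from the lists above.

```python
import email
import re
from email import policy

# Indicators from the Mydoom.v description above (subjects, attachment name shapes, fake AV footer).
SUBJECTS = {"FW: (no subject)", "FW: 2 new photos", "FW: hello sweety :>", "FW: hi",
            "FW: hi, it's me", "FW: it's me", "FW: jenna's photos :)", "FW: my photos",
            "FW: new photos", "FW: remember me?..", "FW: that's me :-D"}
# "<name>.jpg .pif" (space-padded double extension), "<name>.exe.safe", or a bare .zip/.exe/.pif
ATTACH_RE = re.compile(r"(\.jpg\s+\.pif|\.exe\.safe|\.(zip|exe|pif))$", re.IGNORECASE)
FAKE_AV_FOOTER = "+++ Attachment: No Virus found +++"

def mydoom_v_indicators(raw_message: bytes) -> list[str]:
    """Return the Mydoom.v traits present in one raw RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():           # non-body MIME parts only
        name = part.get_filename() or ""
        if ATTACH_RE.search(name):
            hits.append("attachment:" + name)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_AV_FOOTER in body.get_content():
        hits.append("fake-av-footer")
    return hits

# Constructed sample (not a real capture) assembled from the traits listed on this page.
SAMPLE = b"""From: Jenna Smith <jenna@hotmail.com>
Subject: FW: my photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

-----Original Message-----
From: jenna (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos zipped )) kiss, jenna

+++ Attachment: No Virus found +++ Norton AntiVirus - www.symantec.de
--b1
Content-Type: application/octet-stream; name="me_01.jpg .pif"
Content-Disposition: attachment; filename="me_01.jpg .pif"

MZ
--b1--
"""
```

A message matching two or more traits is a strong candidate for quarantine; the subject list alone is too common a phrasing to block on by itself.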
Mydoom.v attempts to download Backdoor.Win32.Surila (a remote administration tool) from the following sites:
http://64.40.98.94 http://69.93.58.116 http://www.il-legno.it http://www.masteratwork.com http://www.mercyships.de http://www.professionals-active.com
NB A lot of sites identified as having malware are often closed or blocked by law enforcement agencies shortly after they appear on the Internet.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.