Email-Worm.Win32.Mydoom.y
| Detected | Sep 15 2004 08:06 GMT |
| Released | Sep 15 2004 08:06 GMT |
| Published | Sep 15 2004 08:10 GMT |
This worm spreads over the Internet as an attachment to infected email messages. It also spreads through file-sharing networks and by exploiting a vulnerability in the Windows LSASS service. In addition, it can propagate by sending URLs over ICQ; these URLs point to web sites that host a copy of the worm's body.
It is written in Microsoft Visual C++, and packed using UPX. The packed file is 69632 bytes in size.
The worm's behaviour on launch depends on the version of Windows it is running on.
When launched on Windows 9x systems, the worm:
Registers itself in the system registry to ensure that it is launched each time the system is rebooted:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RPCserv=<path to file>
Creates the mutex "ertglddfgd" to flag its presence in the system. This ensures that only one copy of the worm will be launched.
When launched on Windows NT/2000/XP systems, the worm:
Copies the file containing itself to the Windows directory as 'services.exe'.
Registers itself as a service named 'NetBios Ext'. The service is recorded in the system registry as:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBios Ext]
"ImagePath" = %Windows%\services.exe serv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext]
"ImagePath" = %Windows%\services.exe serv
Creates the mutex "ertglddfgd" to flag its presence in the system. This ensures that only one copy of the worm will be launched.
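As an added example (not code from the original description or from any vendor tool), the following Python script triages a Windows registry export (.reg text, the format regedit writes) for the two persistence artefacts described above. It parses REG_SZ and REG_EXPAND_SZ values, then flags a Run value named RPCserv (or any Run value that starts a core system binary) and any service whose ImagePath starts services.exe from outside %SystemRoot%\system32, which is where the worm's copy lives. The sample export, the SYSTEM_BINARIES list and all function names are this example's own assumptions.

```python
"""Triage a Windows registry export (.reg text) for the persistence
artefacts described above: the RPCserv Run value and a service whose
ImagePath runs services.exe from outside %SystemRoot%\\system32.
Added example, not code from the original description.  Key and value
names come from the description; the sample export, the binary list and
the helper names are this example's own assumptions."""
import re

# Binaries that legitimately live only in %SystemRoot%\system32.  A copy
# started from anywhere else (the worm drops its own services.exe into the
# Windows directory) deserves a look.  Assumed list.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}


def _decode_hex2(hexdata):
    """REG_EXPAND_SZ is exported as hex(2): comma-separated UTF-16LE bytes."""
    octets = bytes(int(b, 16) for b in hexdata.split(",") if b)
    return octets.decode("utf-16-le").rstrip("\x00")


def parse_reg(text):
    """Return {key: {value_name: data}} for REG_SZ and REG_EXPAND_SZ values.
    Other value types (dword, binary) are skipped."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:               # continuation of a hex(2) value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = _decode_hex2(pending[1])
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif line.startswith('"') and current is not None:
            m = re.match(r'"(.*?)"=(.*)', line)
            if not m:
                continue
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.startswith("hex(2):"):
                hexdata = data[len("hex(2):"):]
                if hexdata.endswith("\\"):
                    pending = [name, hexdata.rstrip("\\")]
                else:
                    keys[current][name] = _decode_hex2(hexdata)
    return keys


def _image_parts(image):
    """Split 'C:\\dir\\prog.exe serv' into (directory, basename, arguments),
    honouring a quoted path.  Directory and basename are lower-cased."""
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        exe, args = image[1:end], image[end + 1:]
    else:
        exe, _, args = image.partition(" ")
    directory, _, base = exe.rpartition("\\")
    return directory.lower(), base.lower(), args.strip()


def triage(keys):
    """Return human-readable findings for suspicious Run values and services."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, path in values.items():
                _, base, _ = _image_parts(path)
                if name.lower() == "rpcserv" or base in SYSTEM_BINARIES:
                    findings.append(f"Run value {name!r} starts {path}")
        elif "\\services\\" in k:
            svc = key.rsplit("\\", 1)[1]
            image = next((v for n, v in values.items() if n.lower() == "imagepath"), None)
            if image is None:
                continue
            directory, base, args = _image_parts(image)
            if base in SYSTEM_BINARIES and not directory.endswith("\\system32"):
                findings.append(f"service {svc!r} runs {base} from {directory or '(relative path)'}")
            elif svc.lower() == "netbios ext" or args.lower() == "serv":
                findings.append(f"service {svc!r} uses the worm's ImagePath form: {image}")
    return findings


# Constructed sample export: one legitimate Run value, the real Eventlog
# service (REG_EXPAND_SZ, wrapped the way regedit wraps it) and the two
# entries the worm creates.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RPCserv"="C:\\WINDOWS\\services.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext]
"ImagePath"="C:\\WINDOWS\\services.exe serv"
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print("SUSPICIOUS:", finding)
```

Export the Run key and the Services hive with `reg export` on the suspect host and feed the resulting file to `parse_reg`; the Eventlog entry in the sample shows why a plain substring match on "services.exe" is not enough, since the genuine service runs the same binary from system32.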
The worm harvests email addresses from files with the following extensions:
asp cfg cgi dbx dht eml htm jsp mbx mht msg php sht stm tbb txt uin wab xls
Messages are not sent to addresses which contain any of the following text strings:
.gov .mil @foo. @iana abuse accoun acketst admin antivi anyone arin. avp. berkeley borlan bsd certific contact example feste fido fsf. gnu gold-certs google gov. help iana
ibm.com icq.com icrosof icrosoft ietf info inpris isc.o isi.e kasp kernel linux listserv math messagelabs mit.e mozilla mydomai news nobody nodomai noone noreply nothing ntivi panda pgp
postmaster privacy rating rfc-ed ripe. root ruslis samples secur sendmail service site somebody someone sopho spam submit support syman tanford.e unix upport usenet utgers.ed webmaster www
nor to addresses at the following domains:
@1access.net @a1isp.net @accessus.net @address.com @ameralinx.net @aol.com @apci.net @arczip.com @aristotle.net @att.net @cableone.net @cais.com @canada.com @cayuse.net @ccp.com @ccpc.net @chello.com @compuserve.com @core.com @cox.net @cybernex.net @dailymail.co.uk @dialupnet.com @earthlink.net @eclipse.net @eisa.com
@ev1.net @excite.com @fast.net @fcc.net @flex.com @gbronline.com @globalbiz.net @globetrotter.net @gmx.net @highstream.net @hiwaay.net @hotmail.com @ieway.com @inext.fr @infoave.net @iquest.net @isp.com @ispwest.com @istep.com @juno.com @loa.com @macconnect.com @madriver.com @mail.com @msn.com @nccw.net
@netcenter.com @netrox.net @netzero.net @pacific.net.sg @palm.net @pathlink.com @peoplepc.com @pics.com @rcn.com @ricochet.com @surfree.com @tiscali.com @toad.net @t-online.com @t-online.de @ultimanet.com @verizon.net @wanadoo.com @worldcom.com @worldshare.net @wwc.com @yahoo.co.uk @yahoo.com @ziplink.net
The message subject is chosen from the following list:
(no subject) :) :)) 2 new photos FW: FW: (no subject) FW: 2 new photos FW: Cool FW: hello sweety :> FW: hi FW: hi, it's me FW: it's me FW: jenna's photos :) FW: my photos FW: new photos FW: remember me?.. FW: that's me :-D FW:cool FW:COOL!
FW:fun pictures hello sweety :> hi hi, it's me it's me LOOK! my photos new photos Re: Re:cool Re:COOL! Re:fun pictures Re[2]: Re[2]:cool Re[2]:COOL! Re[2]:fun pictures remember me?.. that's me :-D
The message body is chosen from the following list:
-----Original Message----- From: Jeny K. Sent: Monday, September 13, 2004 8:57 PM To: Morpheus check my new photos :)) miss you, jeny k
-----Original Message----- From: Jena K. Sent: Monday, September 13, 2004 5:23 AM To: friends Check Out Archive.. So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key
-----Original Message----- From: jenny k. Sent: Monday, September 13, 2004 10:23 AM To: My Tiger (e-mail) new fotos(archived) you asked jenny k
-----Original Message----- From: jenna k. (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: Cat my new fotos archived )) kiss, jenna k
-----Original Message----- From: Jeny Sent: Monday, September 13, 2004 8:57 PM To: Neo see the photos in attached archive :)) kiss you, jeny
-----Original Message----- From: Jena Sent: Monday, September 13, 2004 5:23 AM To: friend Photos in archive.. So.. Am I Hot? :) Waining For Your Answer Jena
-----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM To: Friends Group in self-extracting archive my photos Jenna :)
-----Original Message----- From: jenna (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: ma kittie my photos archived )) kiss, jenna
-----Original Message----- From: Jeny K. Sent: Monday, September 13, 2004 8:57 PM To: Morpheus check out the new photos :)) miss you, jeny k
-----Original Message----- From: Jena K. Sent: Monday, September 13, 2004 5:23 AM To: friends So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key
-----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM in archive my new fotos Jenna K :)
-----Original Message----- From: jenny k. Sent: Monday, September 13, 2004 10:23 AM To: My Tiger (e-mail) new fotos you asked jenny k
-----Original Message----- From: jenna k. (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: Cat my new fotos zipped )) kiss, jenna k
-----Original Message----- From: Jeny Sent: Monday, September 13, 2004 8:57 PM To: Neo see the photos :)) kiss you, jeny
-----Original Message----- From: Jena Sent: Monday, September 13, 2004 5:23 AM To: friend So.. Am I Hot? :) Waining For Your Answer Jena
-----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM To: Friends Group in archive my photos Jenna :)
-----Original Message----- From: jenny Sent: Monday, September 13, 2004 10:23 AM To: Mr.X (e-mail) photos you asked jenny
-----Original Message----- From: jenna (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: ma kittie my photos zipped )) kiss, jenna
do you know this girl?
do you know this people?
do you know this ppl?
Is it your photo?
LOOK!
my new photos
with best wishes
a lot of fun.
Hello...Funny pic...hehehe
I've never seen this before. Look at that !
Look :)
Hello! You've got a postcard. To view this postcard, click on the attached file
have you seen this before?
Loool!! :-)
fun
fun pictures
hi! look at new photos
fun flash game!
fun flash!
game!
fun game!
Print money at home!
look at atach
The message may also carry a fake scanner footer of the form:
+++ Attachment: No Virus found +++ <signature of antivirus company>
The antivirus company signature is chosen from the following list:
Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com
The attachment name is chosen from the following list:
2004042301.jpg .pif
arc.cpl
arc.exe
arhive.zip
black.gif .pif
DCP_0002.JPG .pif
document.jpg .pif
flowers.jpg .pif
foto.cpl
foto.exe
fotos.cpl
fotos.exe
fotos.zip
images.zip
julia038.jpg .pif
marie_dancing.jpg .pif
me_01.jpg .pif
my_foto.cpl
my_foto.exe
my_photo.jpg .pif
my_photos.cpl
my_photos.exe
my_photos.zip
myfoto.cpl
myfoto.exe
myphotos.zip
myphotos_arc.exe
new_photos.cpl
new_photos.exe
new_photos.zip
new_pic.zip
newphotos.cpl
newphotos.exe
nude_.jpg .pif
photo.jpg .pif
photo_se.cpl
photo_se.exe
photo08.jpg .pif
photoarchive.cpl
photoarchive.exe
photofile.cpl
photofile.exe
photos.exe.safe
photos.selfextracting.exe
photos.zip
photos_arc.cpl
photos_arc.exe
pic.jpg .pif
pic.zip
sunny.jpg .pif
with_flowers.jpg .pif
The worm may use a double extension, padded with a long run of spaces, to disguise the attachment as a harmless JPEG. In such cases the attachment name appears as follows (the real .pif extension is pushed far to the right, so a mail client that truncates long names shows only the .jpg part):
document.jpg                                                                      .pif
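As an added example (not code from the original description), the following Python script flags attachment names that use the padded double-extension trick described above, and shows how to apply the check to a raw mail message with the standard library parser. The extension lists and the sample message, including its stand-in base64 payload, are this example's own constructions; the worm's real attachments are, of course, far larger.

```python
"""Flag mail attachments whose file name hides an executable extension,
as in the padded 'document.jpg .pif' names described above.  Added
example, not code from the original description; the extension lists and
the sample message are this example's own constructions."""
import email
import re

# Extensions Windows will execute on double-click.  Assumed list.
EXECUTABLE_EXTS = {".exe", ".pif", ".cpl", ".scr", ".com", ".bat", ".cmd"}
# Extensions the worm uses as the visible, harmless-looking part of a name.
DECOY_EXTS = (".jpg", ".jpeg", ".gif", ".txt", ".doc", ".zip")

# stem, then optional whitespace padding, then the final (real) extension.
NAME_RE = re.compile(r"(?P<stem>.*?)(?P<pad>\s*)(?P<ext>\.[A-Za-z0-9]+)")


def classify_name(name):
    """Return why an attachment name is deceptive, or None if it looks plain.

    Three patterns are recognised: a bare executable extension, a decoy
    extension followed directly by an executable one, and the same with a
    run of whitespace pushing the real extension out of view."""
    m = NAME_RE.fullmatch(name.strip())
    if not m:
        return None
    stem, pad, ext = m.group("stem"), m.group("pad"), m.group("ext").lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    decoy = next((d for d in DECOY_EXTS if stem.lower().endswith(d)), None)
    if pad:
        return f"executable {ext} hidden by {len(pad)} spaces after {decoy or 'the name'}"
    if decoy:
        return f"double extension: {decoy} followed by executable {ext}"
    return f"executable attachment ({ext})"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, reason)] for
    every attachment whose name is deceptive."""
    msg = email.message_from_bytes(raw_bytes)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()        # from Content-Disposition / Content-Type
        if name:
            reason = classify_name(name)
            if reason:
                hits.append((name, reason))
    return hits


# Constructed sample message in the worm's style.  The base64 body is a
# stand-in fragment (an MZ header and padding), not a real executable.
SAMPLE_MESSAGE = b"""From: jenna k. <jenna@example.invalid>
To: cat@example.invalid
Subject: FW: my photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

my new fotos archived )) kiss, jenna k
--b1
Content-Type: application/octet-stream; name="document.jpg                    .pif"
Content-Disposition: attachment; filename="document.jpg                    .pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

if __name__ == "__main__":
    for name, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{name!r}: {reason}")
```

The check works on the name the mail parser returns, not on what a client renders, so the padding is visible to it regardless of how the user's client truncates long file names. Archive attachments (.zip) are reported only when they carry an executable extension after them; scanning inside the archive is a separate step.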
The worm propagates via the Kazaa file-sharing network. When propagating, it uses file names chosen from the following list:
1.exe
antibush.scr
childporno.pif
coolgame.zip .exe
crazzygirls.scr
dap53 crack.exe
dap53.exe
dap71.exe
dvdplayer.exe
eroticgirls2.0.exe
fantasy.scr
hello.pif
icq2004-final.exe
icqcrack.exe
icqlite.exe
icqpro2003b crack.exe
icqpro2003b.exe
iMeshV4 crack.exe
iMeshV4.exe
kmd.exe
LimeWireWin.exe
matrix.scr
Morpheus.exe
mult.exe
myfack.pif
mylove.pif
mymusic.pif
mynewphoto.zip .exe
newvirus.exe
nicegirlsshowv12.scr
opera7.7.exe
opera7.x crack.exe
pinguin5.exe
rulezzz.scr
trillian 2.0 crack.exe
trillian-v2.74h.exe
tropicallagoonss.scr
winamp5.exe
winamp6.exe
WinZip 9.0 crack.exe
WinZip 9.0.exe
wrar330 crack.exe
wrar330.exe
you the best.scr
zlsSetup_45_538_001.exe
To hinder detection by file size, the worm varies the size of each copy it shares by appending random bytes to the end of the file.
The worm sends messages containing URLs by ICQ. These URLs point to sites which host the worm's body. Messages are selected from the list below:
best game http://65.110.51.XXX/icon/game.exe ;-);-);-)
fun game http://www.scionicmusic.com/XXX/game.exe :-):-):-)
funn http://64.40.98.XXX/icon/game.exe :-):-):-)
funy game http://www.scionicmusic.com/XXX/game.exe ;-);-);-)
http://64.40.98.XXX//icon/game.exe :-):-)
http://64.40.98.XXX/icon/game.exe funny :-);-)
http://65.110.51.XXX/icon/game.exe ;-);-);-);-)
http://65.110.51.XXX/icon/game.exe LOL!! ;-);-);-)
http://www.XXX.unibo.it/claroline142/photo.exe i cried :-)
http://www.XXX.unibo.it/claroline142/photo.exe lol :-):-)
i now play in game http://www.scionicmusic.com/XXX/game.exe :-):-)
my photos (archived)http://www.XXX.unibo.it/claroline142/photo.exe
To obtain unrestricted Internet access, the worm adds itself to the Windows Firewall policy (the FirewallPolicy registry key), which gives it the status of an authorised program. It then blocks further changes to the system registry.
It then terminates the following processes:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUTODOWN.EXE AUTO-PROTECT.NAV80TRY.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWIN95.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE b055262c.dll backdoor.rbot.gen.exe backdoor.rbot.gen_(17).exe BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE Claw95.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE d3dupdate.exe dailin.exe DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ENT.EXE ESAFE.EXE ESCANH95.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-AGNT95.EXE F-AGOBOT.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FLOWPROTECTOR.EXE FNRB32.EXE FPROT.EXE F-PROT.EXE F-PROT95.EXE 
FP-WIN.EXE FP-WIN_TRIAL.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE F-STOPW.EXE fvprotect.exe GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GfxAcc.exe GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HIJACKTHIS.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE hxdef.exe HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IAOIN.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSSUPPNT.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE IPARMOR.EXE IRIS.EXE ISASS.EXE ISRV95.EXE ISTSVC.EXE JAMMER.EXE jammer2nd.exe JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE msssss.exe MSSYS.EXE |
MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVENGNAVEX15.NAVLU32.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NC2000.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCC2002S902.EXE PCC2K_76_1436.EXE PCCIOMON.EXE PCCNTMON.EXE PCCWIN97.EXE PCCWIN98.EXE PCDSETUP.EXE PCFWALLICON.EXE PCIP10117_0.EXE PCSCAN.EXE PDSETUP.EXE PENIS.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE PUSSY.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE rasmngr.exe RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAVMOND.exe RAY.EXE RB.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SCRSVR.EXE SD.EXE SERV95.EXE SERVLCE.EXE SERVLCES.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE 
SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSG_4104.EXE SSGRATE.EXE ssgrate.exe ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE Systra.exe SYSUPD.EXE sysxp.exe taskmanagr.exe TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS2-98.EXE TDS2-NT.EXE TDS-3.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VisualGuard.exe VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WGFE95.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WIN-BUGSFIX.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINPPR32.EXE WINRECON.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE winxp.exe WKUFIND.EXE WNAD.EXE WNT.EXE wowpos32.exe WRADMIN.EXE WRCTRL.EXE wuamga.exe wuamgrd.exe WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.EXE |
The worm then deletes the executable files behind these processes, whether they belong to antivirus products or to other malware that might interfere with Mydoom.y. It also modifies the file %System32%\drivers\etc\hosts (under the Windows directory) so that the host names of antivirus vendors no longer resolve correctly, leaving users unable to reach those vendors' sites.
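As an added example (not code from the original description), the following Python script audits a Windows hosts file for the kind of entry described above: a security vendor's host name pinned to a loopback or unspecified address, or redirected anywhere else. The sample hosts content and the PROTECTED_SUFFIXES list are this example's own constructions; extend the list with the vendors and update servers actually used in your environment.

```python
"""Audit a Windows hosts file for entries that hijack security vendors'
host names, the technique described above.  Added example, not code from
the original description; the sample hosts content and the vendor list
are this example's own assumptions."""
import ipaddress

# Host name suffixes a worm typically sinkholes so that signature updates
# and vendor web sites become unreachable.  Assumed list, not from the page.
PROTECTED_SUFFIXES = (
    "kaspersky.com", "kaspersky-labs.com", "symantec.com", "mcafee.com",
    "f-secure.com", "sophos.com", "pandasoftware.com", "bitdefender.com",
    "norman.com", "messagelabs.com", "microsoft.com", "windowsupdate.com",
)
# Names that legitimately map to a local address in every hosts file.
LOCAL_ONLY_HOSTS = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.
    '#' starts a comment; blank and malformed lines are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:            # not an address; ignore the line
            continue
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), no


def _is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return [(line_no, host, ip, reason)] for suspicious entries.

    Any entry for a protected name is reported: vendors never need a static
    mapping, so a loopback/unspecified target means a sinkhole and any other
    target means a redirect to an address the attacker controls."""
    findings = []
    for ip, host, no in parse_hosts(text):
        if host in LOCAL_ONLY_HOSTS or not _is_protected(host):
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((no, host, str(ip), "sinkholed to a local address"))
        else:
            findings.append((no, host, str(ip), "redirected to a non-vendor address"))
    return findings


# Constructed sample: the stock Windows header, one legitimate internal
# entry, and the kind of lines a worm appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.corp.example   # internal wiki
127.0.0.1  www.kaspersky.com
127.0.0.1  kaspersky.com
0.0.0.0    liveupdate.symantec.com
127.0.0.1  downloads-us1.kaspersky-labs.com
10.0.0.5   www.mcafee.com
"""

if __name__ == "__main__":
    for no, host, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip} ({why})")
```

On a live system read %SystemRoot%\system32\drivers\etc\hosts and pass its contents to `audit_hosts`; the file is plain text, so the same parser also works on a copy pulled from a disk image during forensics.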
The worm then attempts to download a file containing Backdoor.Win32.Surila.k, a remote administration utility, from one of the following addresses (for security reasons some characters have been replaced with 'xxx'):
http://www.masteratwork.com/xxx/wassup/00000008.cgi
http://www.professionals-active.com/xxx/click.dat
http://www.il-legno.it/xxx/postmsg.gif
http://www.mercyships.de/xxx/content/guestbook/data/data2.dat
http://www.llc.unibo.it/xxx/claroline/index.gif
http://www.scionicmusic.com/xxx/cover_v3.jpg
http://64.40.98.94/xxx/images/apache.gif
Once the download succeeds, the file is saved to a randomly chosen directory under a name made up of a random number of digits, and is then launched. The worm also sets a flag in the system registry to record that the download completed:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
dflag22=1
The worm checks this flag before downloading; if its value is 1, the file is not downloaded again.
The worm stops functioning once the local system date and time pass 01:18:31 on 19 September 2004.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.