Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Mydoom.ab
Email-Worm.Win32.Mydoom.ab
| Detected | Oct 27 2004 07:24 GMT |
| Released | Oct 27 2004 07:24 GMT |
| Published | Oct 27 2004 10:57 GMT |
Technical Details
Mydoom.ab is another Mydoom.a variant. It spreads as an attachment in an infected email. The worm send copies of itself to all addresses in the local address book.
Mydoom.ab is a Windows PE EXE file and is about 32 KB - packed by UPX.
Installation
Upon installation Mydoom.ab creates a file named lsasrv.exe in the Windows system registry and creates the following registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass"="%System%\lsasrv.exe"
The worm also creates a file named version.ini in the Windows system folder.
Other
Mydoom.ab attempts to block the work of a number of firewalls.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Email-Worm.
Mydoom. ab (Kaspersky Lab) - I-Worm.
Mydoom. ab (Kaspersky Lab) - Virus:
W32/Mydoom. af@MM (McAfee) - W32/MyDoom-AG (Sophos)
- Worm.
Mydoom. Gen-unp (ClamAV) - W32/Swash.
A. worm (Panda) - W32/Mydoom.
AG@mm (FPROT) - Worm:
Win32/Swash. A@mm (MS(OneCare)) - Win32.
HLLM. MyDoom. 2 (DrWeb) - Win32/Swash.
A worm (Nod32) - Win32.
Swash. A@mm (BitDef7) - I-Worm.
Mydoom. AF (VirusBuster) - Win32:
Swash [Wrm] (AVAST) - Email-Worm.
Win32. Mydoom (Ikarus) - I-Worm/Swash.
A (AVG) - WORM/Mydoom.
AB (AVIRA) - W32.
Mydoom. AG@mm (NAV) - MyDoom.
AG@mm (Norman) - W32/Mydoom.
af@MM (NAI) - WORM_MYDOOM.
BS (PCCIL) - Worm.
NetSky. aj (Rising) - Email-Worm.
Win32. Mydoom. ab [AVP] (FSecure) - WORM_MYDOOM.
BS (TrendMicro) - Email-Worm.
Win32. Mydoom. gen (v) (Sunbelt) - I-Worm.
Mydoom. AF (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.