Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Mydoom.l
Email-Worm.Win32.Mydoom.l
| Detected | Aug 16 2004 11:50 GMT |
| Released | Aug 16 2004 11:50 GMT |
| Published | Oct 27 2004 15:11 GMT |
Technical Details
This worm spreads via the Internet as an attachment to infected messages, via file sharing networks and open network resources. The worm sends itself to email addresses harvested from infected machines. The worm also contains a backdoor function.
The worm itself is a Windows PE EXE file approximately 21 KB in size.
Installation
During installation the worm copies itself as "lsass.exe" to the Windows root directory, for example:
C:\WINDOWS\lsass.exe
The worm then registers this file in the system registry as a key to enable autorun:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Traybar = %WinDir% \LSASS.EXE
This ensures that the worm will be launched each time the system is rebooted.
The worm searches the computer for folders where the name contains the following words:
download ftproot incoming Share
and copies itself several times to each folder found, under the following names:
Harry Potter ICQ 4 Lite index Kazaa Lite Winamp 5.0 (en) Winamp 5.0 (en) Crack WinRAR.v.3.2.and.key
The files will have one of the following extensions:
com exe scr ShareReactor.com
Propagation
In order to find email addresses to send infected messages to, Mydoom.l searches for files with the following extensions:
doc htm html txt
and harvests email addresses found in these files. The worm uses the recipient's SMTP server to send email messages to all of the harvested addresses.
Infected messages
Sender's address
The sender's address is spoofed, using one of the email addresses harvested from the system.
Subject (chosen at random from the following list):
click me baby, one more time delivery failed Delivery reports about your e-mail error hello hi Mail System Error - Returned Mail Message could not be delivered report Returned mail: Data format error Returned mail: see transcript for details say helo to my litl friend status test
Message body (chosen at random from the following list):
The original message was included as attachment
This Message was undeliverable due to the following reason:
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.Your message was not delivered within [ ] days:
Host $i is not responding.The following recipients did not receive this message:
<[ ]>
Please reply to postmaster@[ ]
if you feel this message to be in error.The original message was received at [ ]
from [ ]
----- The following addresses had permanent fatal errors -----
<[ ]>
----- Transcript of session follows -----
while talking to [ ].:
>>> MAIL From:[ ]
<<< 501 [ ]... RefusedThe original message was received at $w
from [ ]
----- The following addresses had permanent fatal errors -----
<[ ]>
Attachment name (chosen at random from the list below):
<blank> attachment document file letter mail message readme text transcript
with one of the following extensions:
bat cmd com exe pif scr zip
Remote Administration
The backdoor in Mydoom.l opens and then monitors TCP port 1042 in order to receive remote commands.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Email-Worm.
Mydoom. l (Kaspersky Lab) - I-Worm.
Mydoom. l (Kaspersky Lab) - Virus:
W32/Mydoom. n@MM (McAfee) - W32/MyDoom-N (Sophos)
- Worm.
Mydoom. I (ClamAV) - W32/Mydoom.
DN. worm (Panda) - W32/Mydoom.
M@mm (FPROT) - Worm:
Win32/Mydoom. L@mm (MS(OneCare)) - Win32.
HLLM. MyDoom. 33808 (DrWeb) - Win32/Mydoom.
Q worm (Nod32) - Win32.
Mydoom. L@mm (BitDef7) - I-Worm.
Mydoom. CR (VirusBuster) - Win32:
Mydoom-L [Wrm] (AVAST) - Email-Worm.
Win32. Mydoom (Ikarus) - I-Worm/Mydoom.
N (AVG) - TR/Agent.
Blkhl. dam (AVIRA) - W32.
Mydoom. L@mm (NAV) - MyDoom.
I@mm (Norman) - Worm.
Mail. Win32. Mydoom. l (Rising) - Email-Worm.
Win32. Mydoom. l [AVP] (FSecure) - WORM_MYDOOM.
GEN (TrendMicro) - Trojan.
Malware (Sunbelt) - Trojan.
Win32. Generic!BT (Sunbelt) - I-Worm.
Mydoom. CR (VirusBusterBeta)
© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.