

MyDoom.AB


Aliases: MyDoom.AB, I-Worm.Mydoom.y, W32/Mydoom.AB@mm

Malware
Email-Worm
W32

Summary

A new variant of the MyDoom worm, Mydoom.AB, was found on September 16th, 2004. It behaves much like the earlier variants: it spreads in e-mails with varying subject and body texts, also spreads through ICQ messages, the Kazaa shared folder and the LSASS vulnerability, tries to terminate security software, and downloads and runs a backdoor.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm is a PE executable file, 69632 bytes long, packed with the UPX compressor; unpacked, it is over 180 KiB.
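The description says the sample is a UPX-packed PE file. The quickest way to confirm that on any binary is to read its section table, because the stock UPX packer leaves sections named UPX0 and UPX1 behind (they can be renamed, so their absence proves nothing). The following is an added example, not F-Secure's code: it parses only the DOS header, the COFF file header and the section table. SAMPLE_PACKED and SAMPLE_PLAIN are constructed header-only images for testing, not the worm itself.

```python
"""Check a PE image for the section names the UPX packer leaves behind.

Added example for this description; not F-Secure's code.  Only the DOS
header, the PE/COFF file header and the section table are parsed.
"""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
COFF_HEADER_SIZE = 20
IMAGE_SECTION_HEADER_SIZE = 40


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image held in memory.

    Raises ValueError when the buffer is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("PE header lies outside the buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics.
    (_machine, num_sections, _stamp, _symptr, _nsyms,
     opt_header_size, _chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_header_size
    names = []
    for i in range(num_sections):
        off = table + i * IMAGE_SECTION_HEADER_SIZE
        if off + IMAGE_SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        # The first 8 bytes of IMAGE_SECTION_HEADER hold the NUL-padded name.
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries a stock UPX name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def matches_description(data: bytes) -> bool:
    """Weak triage: the size given in the description AND UPX section names.

    File size alone is a poor indicator (appending a byte changes it); it is
    combined with the packer check only because the description gives it.
    """
    return len(data) == 69632 and looks_upx_packed(data)


def build_sample_pe(section_names: list[str], total_size: int = 0) -> bytes:
    """Construct a minimal PE32 header with the given sections (test data only)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_header_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                       opt_header_size, 0x010F)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    image = dos_header + b"PE\0\0" + coff + optional + sections
    if total_size:
        image = image.ljust(total_size, b"\0")
    return image


# Constructed inputs: a "packed" header padded to the described size, and a
# normally linked one.
SAMPLE_PACKED = build_sample_pe(["UPX0", "UPX1", ".rsrc"], total_size=69632)
SAMPLE_PLAIN = build_sample_pe([".text", ".rdata", ".data", ".rsrc"])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, pe_section_names(blob), "UPX" if looks_upx_packed(blob) else "-")
```

Run it with one or more file paths to print each file's section names and a UPX verdict. Treat the verdict as a triage hint only: renamed sections, a different packer, or a re-packed sample all defeat a name match, and the 69632-byte size is the weakest indicator of all.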


Installation to system

When run, the worm creates a mutex named 'ertglddfgd' and copies itself to the Windows System Directory under one of the following file names:

smss.exe
 csrss.exe
 winlogon.exe
 services.exe

These are the names of legitimate Windows system processes, so the file name alone is not a reliable indicator; the startup value the worm sets for that file in the System Registry is:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32System]
 

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:

wab
 xls
 uin
 txt
 tbb
 stm
 sht
 php
 msg
 mht
 mbx
 jsp
 htm
 eml
 dht
 dbx
 cgi
 cfg
 asp
 

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

avp.
 syman
 icrosof
 panda
 sopho
 borlan
 inpris
 example
 mydomai
 nodomai
 ruslis
 icrosoft
 .gov
 gov.
 .mil
 @foo.
 @iana
 spam
 unix
 linux
 kasp
 antivi
 messagelabs
 support
 berkeley
 unix
 math
 mit.e
 gnu
 fsf.
 ibm.com
 google
 kernel
 linux
 fido
 usenet
 iana
 ietf
 rfc-ed
 sendmail
 arin.
 ripe.
 isi.e
 isc.o
 secur
 acketst
 pgp
 tanford.e
 utgers.ed
 mozilla
 icq.com
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 google
 accoun
 abuse
 upport
 www
 root
 info
 samples
 postmaster
 rating
 root
 news
 webmaster
 noone
 noreply
 nobody
 nothing
 anyone
 someone
 rating
 site
 contact
 support
 somebody
 privacy
 service
 help
 submit
 feste
 gold-certs
 

The subject of infected e-mails is selected from the following variants:

Re[2]:fun pictures
 Re:fun pictures
 FW:fun pictures
 Re[2]:COOL!
 Re:COOL!
 FW:COOL!
 Re[2]:cool
 Re:cool
 FW:cool
 Re[2]:
 Re:
 FW:
 :))
 FW: Cool
 LOOK!
 new photos
 2 new photos
 hi, it's me
 it's me
 (no subject)
 that's me :-D
 my photos
 hello sweety :>
 remember me?..
 FW: jenna's photos :)
 FW: new photos
 FW: 2 new photos
 FW: hi, it's me
 FW: it's me
 FW: (no subject)
 FW: that's me :-D
 FW: my photos
 FW: hello sweety :>
 FW: hi
 FW: remember me?..
 

The body text of infected e-mails is selected from the following variants:

-----Original Message-----
 From: Jeny K.
 Sent: Monday, September 13, 2004 8:57 PM
 To: Morpheus
 check my new photos
 :))
 miss you, jeny k
 -----Original Message-----
 From: Jena K.
 Sent: Monday, September 13, 2004 5:23 AM
 To: friends
 Check Out Archive.. So.. What Do You Think... Am I Hot? :)
 Waining For Your Answer
 Jena Key
 -----Original Message-----
 From: jenny k.
 Sent: Monday, September 13, 2004 10:23 AM
 To: My Tiger (e-mail)
 new fotos(archived) you asked
 jenny k
 -----Original Message-----
 From: jenna k. (e-mail)
 Sent: Monday, September 13, 2004 11:38 AM
 To: Cat
 my new fotos archived ))
 kiss, jenna k
 -----Original Message-----
 From: Jeny
 Sent: Monday, September 13, 2004 8:57 PM
 To: Neo
 see the photos in attached archive
 :))
 kiss you, jeny
 -----Original Message-----
 From: Jena
 Sent: Monday, September 13, 2004 5:23 AM
 To: friend
 Photos in archive.. So.. Am I Hot? :)
 Waining For Your Answer
 Jena
 -----Original Message-----
 From: Jenna Knukles
 Sent: Monday, September 13, 2004 9:05 AM
 To: Friends Group
 in self-extracting archive my photos
 Jenna :)
 -----Original Message-----
 From: jenna (e-mail)
 Sent: Monday, September 13, 2004 11:38 AM
 To: ma kittie
 my photos archived ))
 kiss, jenna
  fun flash game!
  fun flash!
  game!
  fun game!
 Print money at home!
 look at atach
 -----Original Message-----
 From: Jeny K.
 Sent: Monday, September 13, 2004 8:57 PM
 To: Morpheus
 check out the new photos
 :))
 miss you, jeny k
 -----Original Message-----
 From: Jena K.
 Sent: Monday, September 13, 2004 5:23 AM
 To: friends
 So.. What Do You Think... Am I Hot? :)
 Waining For Your Answer
 Jena Key
 -----Original Message-----
 From: Jenna Knukles
 Sent: Monday, September 13, 2004 9:05 AM
 in archive my new fotos
 Jenna K :)
 -----Original Message-----
 From: jenny k.
 Sent: Monday, September 13, 2004 10:23 AM
 To: My Tiger (e-mail)
 new fotos you asked
 jenny k
 -----Original Message-----
 From: jenna k. (e-mail)
 Sent: Monday, September 13, 2004 11:38 AM
 To: Cat
 my new fotos zipped ))
 kiss, jenna k
 -----Original Message-----
 From: Jeny
 Sent: Monday, September 13, 2004 8:57 PM
 To: Neo
 see the photos
 :))
 kiss you, jeny
 -----Original Message-----
 From: Jena
 Sent: Monday, September 13, 2004 5:23 AM
 To: friend
 So.. Am I Hot? :)
 Waining For Your Answer
 Jena
 -----Original Message-----
 From: Jenna Knukles
 Sent: Monday, September 13, 2004 9:05 AM
 To: Friends Group
 in archive my photos
 Jenna :)
 -----Original Message-----
 From: jenny
 Sent: Monday, September 13, 2004 10:23 AM
 To: Mr.X (e-mail)
 photos you asked
 jenny
 -----Original Message-----
 From: jenna (e-mail)
 Sent: Monday, September 13, 2004 11:38 AM
 To: ma kittie
 my photos zipped ))
 kiss, jenna
 

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

myfoto.exe
 photos.selfextracting.exe
 photoarchive.exe
 photofile.exe
 arc.exe
 my_foto.exe
 fotos.exe
 foto.exe
 photos.exe.safe
 photo_se.exe
 new_photos.exe
 newphotos.exe
 myphotos_arc.exe
 my_photos.exe
 photos_arc.exe
 myfoto.cpl
 photoarchive.cpl
 photofile.cpl
 arc.cpl
 my_foto.cpl
 fotos.cpl
 foto.cpl
 photo_se.cpl
 new_photos.cpl
 newphotos.cpl
 my_photos.cpl
 photos_arc.cpl
 arhive.zip
 new_pic.zip
 pic.zip
 new_photos.zip
 images.zip
 fotos.zip
 my_photos.zip
 myphotos.zip
 photos.zip
 my_photo.jpg .pif
 flowers.jpg  .pif
 document.jpg .pif
 pic.jpg      .pif
 photo.jpg    .pif
 black.gif    .pif
 DCP_0002.JPG .pif
 me_01.jpg    .pif
 2004042301.jpg           .pif
 with_flowers.jpg         .pif
 sunny.jpg    .pif
 photo08.jpg  .pif
 nude_.jpg    .pif
 marie_dancing.jpg        .pif
 julia038.jpg .pif
 1.exe
 mymusic.pif
 rulezzz.scr
 matrix.scr
 newvirus.exe
 mylove.pif
 antibush.scr
 icqcrack.exe
 myfack.pif
 hello.pif
 pinguin5.exe
 you the best.scr
 fantasy.scr
coolgame.zip [multiple spaces] .exe
 mynewphoto.zip [multiple spaces] .exe
 mult.exe
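Several names in the list above rely on tricks that a naive extension check misses: a run of spaces between a decoy extension and the real one (so the real extension scrolls out of view in a mail client), and an executable extension buried in front of a harmless-looking final one ("photos.exe.safe"). The following is an added example, not F-Secure's code: it normalises an attachment name, reports every extension it finds and gives the reasons a mail gateway would flag it. SAMPLE_NAMES mixes names from the list above (the "[multiple spaces]" entries are constructed with real spaces) with constructed benign names.

```python
"""Normalise and classify attachment file names of the kind listed above.

Added example for this description; not F-Secure's code.
"""
import re

# Extensions Windows runs directly on double-click.  .cpl (Control Panel
# applet) appears in the worm's list and is often missing from block lists.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "cpl", "com", "bat", "cmd"}
# Extensions used as bait in front of the real one.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "zip", "txt", "doc"}

# Whitespace (including NBSP, which \s matches) sitting directly before the
# final ".ext".  A space inside the stem ("you the best.scr") is not matched.
_PADDING_BEFORE_EXT = re.compile(r"\s+(?=\.[A-Za-z0-9]{1,5}$)")


def classify_attachment(name: str) -> dict:
    """Return a verdict for one attachment name."""
    stripped = name.strip()
    normalized = _PADDING_BEFORE_EXT.sub("", stripped)
    padded = normalized != stripped
    parts = normalized.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    final_ext = exts[-1] if exts else ""
    reasons = []
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
    if padded:
        reasons.append("whitespace padding before the real extension")
    for inner in exts[:-1]:
        if inner in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{inner} buried before .{final_ext}")
        elif inner in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{inner} in front of .{final_ext}")
    return {
        "name": name,
        "normalized": normalized,
        "final_ext": final_ext,
        "padded": padded,
        "executable": final_ext in EXECUTABLE_EXTENSIONS,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def suspicious_names(names) -> list[str]:
    """Names a gateway should hold, in input order."""
    return [n for n in names if classify_attachment(n)["suspicious"]]


SAMPLE_NAMES = [
    "my_photo.jpg .pif",            # from the list above
    "DCP_0002.JPG .pif",
    "coolgame.zip        .exe",     # "[multiple spaces]" entry, spaces constructed
    "photos.exe.safe",
    "photoarchive.cpl",
    "you the best.scr",
    "photos.zip",                   # archive: contents need separate inspection
    "holiday.jpg",                  # constructed benign name
    "report Q3.txt",                # constructed benign name with a space
]


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        verdict = classify_attachment(sample)
        print(f"{sample!r:32} -> {'HOLD' if verdict['suspicious'] else 'ok  '} "
              f"{'; '.join(verdict['reasons'])}")
```

Two caveats the verdict does not cover: a plain "photos.zip" passes the name check although the description says the worm also ships inside ZIP archives, so archive contents must be inspected separately; and "photos.exe.safe" is flagged but is not directly executable, which is exactly why it is worth holding for a human rather than blocking or passing automatically.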
 

The worm can also append a fake virus-scan report to its message:

+++ Attachment: No Virus found
 +++ <av_string>
 

where "<av_string>" can be any of the following:

Norton AntiVirus - www.symantec.de
 F-Secure AntiVirus - www.f-secure.com
 Norman AntiVirus - www.norman.com
 Panda AntiVirus - www.pandasoftware.com
 Kaspersky AntiVirus - www.kaspersky.com
 MC-Afee AntiVirus - www.mcafee.com
 Bitdefender AntiVirus - www.bitdefender.com
 MessageLabs AntiVirus - www.messagelabs.com
 

The forged sender address uses one of the following domain names:

@ziplink.net
 @yahoo.com
 @wwc.com
 @worldshare.net
 @worldcom.com
 @wanadoo.com
 @verizon.net
 @ultimanet.com
 @toad.net
 @tiscali.com
 @t-online.de
 @t-online.com
 @surfree.com
 @ricochet.com
 @rcn.com
 @pics.com
 @peoplepc.com
 @pathlink.com
 @palm.net
 @pacific.net.sg
 @netzero.net
 @netrox.net
 @netcenter.com
 @nccw.net
 @msn.com
 @madriver.com
 @macconnect.com
 @loa.com
 @juno.com
 @istep.com
 @ispwest.com
 @isp.com
 @iquest.net
 @infoave.net
 @inext.fr
 @ieway.com
 @hiwaay.net
 @highstream.net
 @globetrotter.net
 @globalbiz.net
 @gbronline.com
 @flex.com
 @fcc.net
 @fast.net
 @excite.com
 @ev1.net
 @eisa.com
 @eclipse.net
 @earthlink.net
 @dialupnet.com
 @cybernex.net
 @cox.net
 @core.com
 @compuserve.com
 @chello.com
 @ccpc.net
 @ccp.com
 @cayuse.net
 @canada.com
 @cais.com
 @cableone.net
 @att.net
 @aristotle.net
 @arczip.com
 @apci.net
 @aol.com
 @ameralinx.net
 @address.com
 @accessus.net
 @a1isp.net
 @1access.net
 @yahoo.co.uk
 @gmx.net
 @hotmail.com
 @mail.com
 @dailymail.co.uk
 

Disabling security software

The worm tries to terminate any running process whose name is in the list below. The list covers anti-virus and firewall products, analysis tools and some competing malware:

F-AGOBOT.EXE
 HIJACKTHIS.EXE
 _AVPM.EXE
 _AVPCC.EXE
 _AVP32.EXE
 ZONEALARM.EXE
 ZONALM2601.EXE
 ZATUTOR.EXE
 ZAPSETUP3001.EXE
 ZAPRO.EXE
 XPF202EN.EXE
 WYVERNWORKSFIREWALL.EXE
 WUPDT.EXE
 WUPDATER.EXE
 WRCTRL.EXE
 WRADMIN.EXE
 WNT.EXE
 WNAD.EXE
 WKUFIND.EXE
 WINUPDATE.EXE
 WINTSK32.EXE
 WINSTART001.EXE
 WINSTART.EXE
 WINSSK32.EXE
 WINRECON.EXE
 WINPPR32.EXE
 WINMAIN.EXE
 WINLOGIN.EXE
 WININITX.EXE
 WININIT.EXE
 WININETD.EXE
 WINDOWS.EXE
 WINDOW.EXE
 WINACTIVE.EXE
 WIN32US.EXE
 WIN32.EXE
 WIN-BUGSFIX.EXE
 WIMMUN32.EXE
 WHOSWATCHINGME.EXE
 WGFE95.EXE
 WFINDV32.EXE
 WEBTRAP.EXE
 WEBSCANX.EXE
 WEBDAV.EXE
 WATCHDOG.EXE
 W9X.EXE
 W32DSM89.EXE
 VSWINPERSE.EXE
 VSWINNTSE.EXE
 VSWIN9XE.EXE
 VSSTAT.EXE
 VSMON.EXE
 VSMAIN.EXE
 VSISETUP.EXE
 VSHWIN32.EXE
 VSECOMR.EXE
 VSCHED.EXE
 VSCENU6.02D30.EXE
 VSCAN40.EXE
 VPTRAY.EXE
 VPFW30S.EXE
 VPC42.EXE
 VPC32.EXE
 VNPC3000.EXE
 VNLAN300.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VIR-HELP.EXE
 VFSETUP.EXE
 VETTRAY.EXE
 VET95.EXE
 VET32.EXE
 VCSETUP.EXE
 VBWINNTW.EXE
 VBWIN9X.EXE
 VBUST.EXE
 VBCONS.EXE
 VBCMSERV.EXE
 UTPOST.EXE
 UPGRAD.EXE
 UPDAT.EXE
 UNDOBOOT.EXE
 TVTMD.EXE
 TVMD.EXE
 TSADBOT.EXE
 TROJANTRAP3.EXE
 TRJSETUP.EXE
 TRJSCAN.EXE
 TRICKLER.EXE
 TRACERT.EXE
 TITANINXP.EXE
 TITANIN.EXE
 TGBOB.EXE
 TFAK5.EXE
 TFAK.EXE
 TEEKIDS.EXE
 TDS2-NT.EXE
 TDS2-98.EXE
 TDS-3.EXE
 TCM.EXE
 TCA.EXE
 TC.EXE
 TBSCAN.EXE
 TAUMON.EXE
 TASKMON.EXE
 TASKMO.EXE
 SYSUPD.EXE
 SYSTEM32.EXE
 SYSTEM.EXE
 SYSEDIT.EXE
 SYMTRAY.EXE
 SYMPROXYSVC.EXE
 SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
 SWEEP95.EXE
 SVCHOSTC.EXE
 SVC.EXE
 SUPPORTER5.EXE
 SUPPORT.EXE
 SUPFTRL.EXE
 STCLOADER.EXE
 START.EXE
 ST2.EXE
 SSG_4104.EXE
 SSGRATE.EXE
 SS3EDIT.EXE
 SRNG.EXE
 SREXE.EXE
 SPYXX.EXE
 SPOOLSV32.EXE
 SPOOLCV.EXE
 SPHINX.EXE
 SPF.EXE
 SPERM.EXE
 SOFI.EXE
 SOAP.EXE
 SMSS32.EXE
 SMS.EXE
 SMC.EXE
 SHOWBEHIND.EXE
 SHN.EXE
 SHELLSPYINSTALL.EXE
 SH.EXE
 SGSSFW32.EXE
 SFC.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SETUPVAMEEVAL.EXE
 SERVLCES.EXE
 SERVLCE.EXE
 SERV95.EXE
 SD.EXE
 SCRSVR.EXE
 SCRSCAN.EXE
 SCANPM.EXE
 SCAN95.EXE
 SCAN32.EXE
 SCAM32.EXE
 SC.EXE
 SBSERV.EXE
 SAVENOW.EXE
 SAVE.EXE
 SAHAGENT.EXE
 SAFEWEB.EXE
 RUXDLL32.EXE
 RUNDLL16.EXE
 RUNDLL.EXE
 RULAUNCH.EXE
 RTVSCN95.EXE
 RTVSCAN.EXE
 RSHELL.EXE
 RRGUARD.EXE
 RESCUE32.EXE
 RESCUE.EXE
 REGED.EXE
 REALMON.EXE
 RCSYNC.EXE
 RB32.EXE
 RAY.EXE
 RAV8WIN32ENG.EXE
 RAV7WIN.EXE
 RAV7.EXE
 RAPAPP.EXE
 QSERVER.EXE
 QCONSOLE.EXE
 PVIEW95.EXE
 PUSSY.EXE
 PURGE.EXE
 PSPF.EXE
 PROTECTX.EXE
 PROPORT.EXE
 PROGRAMAUDITOR.EXE
 PROCEXPLORERV1.0.EXE
 PROCESSMONITOR.EXE
 PROCDUMP.EXE
 PRMVR.EXE
 PRMT.EXE
 PRIZESURFER.EXE
 PPVSTOP.EXE
 PPTBC.EXE
 PPINUPDT.EXE
 POWERSCAN.EXE
 PORTMONITOR.EXE
 PORTDETECTIVE.EXE
 POPSCAN.EXE
 POPROXY.EXE
 POP3TRAP.EXE
 PLATIN.EXE
 PINGSCAN.EXE
 PGMONITR.EXE
 PFWADMIN.EXE
 PF2.EXE
 PERSWF.EXE
 PERSFW.EXE
 PERISCOPE.EXE
 PENIS.EXE
 PDSETUP.EXE
 PCSCAN.EXE
 PCIP10117_0.EXE
 PCFWALLICON.EXE
 PCDSETUP.EXE
 PCCWIN98.EXE
 PCCWIN97.EXE
 PCCNTMON.EXE
 PCCIOMON.EXE
 PCC2K_76_1436.EXE
 PCC2002S902.EXE
 PAVW.EXE
 PAVSCHED.EXE
 PAVPROXY.EXE
 PAVCL.EXE
 PATCH.EXE
 PANIXK.EXE
 PADMIN.EXE
 OUTPOSTPROINSTALL.EXE
 OUTPOSTINSTALL.EXE
 OTFIX.EXE
 OSTRONET.EXE
 OPTIMIZE.EXE
 ONSRVR.EXE
 OLLYDBG.EXE
 NWTOOL16.EXE
 NWSERVICE.EXE
 NWINST4.EXE
 NVC95.EXE
 NVARCH16.EXE
 NUI.EXE
 NTXconfig.EXE
 NTRTSCAN.EXE
 NT.EXE
 NSUPDATE.EXE
 NSTASK32.EXE
 NSSYS32.EXE
 NSCHED32.EXE
 NPSSVC.EXE
 NPSCHECK.EXE
 NPROTECT.EXE
 NPFMESSENGER.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NOTSTART.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NORMIST.EXE
 NOD32.EXE
 NMAIN.EXE
 NISUM.EXE
 NISSERV.EXE
 NETUTILS.EXE
 NETSPYHUNTER-1.2.EXE
 NETSCANPRO.EXE
 NETMON.EXE
 NETINFO.EXE
 NETD32.EXE
 NETARMOR.EXE
 NEOWATCHLOG.EXE
 NEOMONITOR.EXE
 NDD32.EXE
 NCINST4.EXE
 NC2000.EXE
 NAVWNT.EXE
 NAVW32.EXE
 NAVSTUB.EXE
 NAVNT.EXE
 NAVLU32.EXE
 NAVENGNAVEX15.NAVLU32.EXE
 NAVDX.EXE
 NAVAPW32.EXE
 NAVAPSVC.EXE
 NAVAP.NAVAPSVC.EXE
 AUTO-PROTECT.NAV80TRY.EXE
 NAV.EXE
 N32SCANW.EXE
 MWATCH.EXE
 MU0311AD.EXE
 MSVXD.EXE
 MSSYS.EXE
 MSSMMC32.EXE
 MSMSGRI32.EXE
 MSMGT.EXE
 MSLAUGH.EXE
 MSINFO32.EXE
 MSIEXEC16.EXE
 MSDOS.EXE
 MSDM.EXE
 MSCONFIG.EXE
 MSCMAN.EXE
 MSCCN32.EXE
 MSCACHE.EXE
 MSBLAST.EXE
 MSBB.EXE
 MSAPP.EXE
 MRFLUX.EXE
 MPFTRAY.EXE
 MPFSERVICE.EXE
 MPFAGENT.EXE
 MOSTAT.EXE
 MOOLIVE.EXE
 MONITOR.EXE
 MMOD.EXE
 MINILOG.EXE
 MGUI.EXE
 MGHTML.EXE
 MGAVRTE.EXE
 MGAVRTCL.EXE
 MFWENG3.02D30.EXE
 MFW2EN.EXE
 MFIN32.EXE
 MD.EXE
 MCVSSHLD.EXE
 MCVSRTE.EXE
 MCTOOL.EXE
 MCSHIELD.EXE
 MCMNHDLR.EXE
 MCAGENT.EXE
 MAPISVC32.EXE
 LUSPT.EXE
 LUINIT.EXE
 LUCOMSERVER.EXE
 LUAU.EXE
 LSETUP.EXE
 LORDPE.EXE
 LOOKOUT.EXE
 LOCKDOWN2000.EXE
 LOCKDOWN.EXE
 LOCALNET.EXE
 LOADER.EXE
 LNETINFO.EXE
 LDSCAN.EXE
 LDPROMENU.EXE
 LDPRO.EXE
 LDNETMON.EXE
 LAUNCHER.EXE
 KILLPROCESSSETUP161.EXE
 KERNEL32.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 KERIO-PF-213-EN-WIN.EXE
 KEENVALUE.EXE
 KAVPF.EXE
 KAVPERS40ENG.EXE
 KAVLITE40ENG.EXE
 JEDI.EXE
 JDBGMRG.EXE
 JAMMER.EXE
 ISTSVC.EXE
 ISRV95.EXE
 ISASS.EXE
 IRIS.EXE
 IPARMOR.EXE
 IOMON98.EXE
 INTREN.EXE
 INTDEL.EXE
 INIT.EXE
 INFWIN.EXE
 INFUS.EXE
 INETLNFO.EXE
 IFW2000.EXE
 IFACE.EXE
 IEDRIVER.EXE
 IEDLL.EXE
 IDLE.EXE
 ICSUPPNT.EXE
 ICMON.EXE
 ICLOADNT.EXE
 ICLOAD95.EXE
 IBMAVSP.EXE
 IBMASN.EXE
 IAMSTATS.EXE
 IAMSERV.EXE
 IAMAPP.EXE
 HXIUL.EXE
 HXDL.EXE
 HWPE.EXE
 HTPATCH.EXE
 HTLOG.EXE
 HOTPATCH.EXE
 HOTACTIO.EXE
 HBSRV.EXE
 HBINST.EXE
 HACKTRACERSETUP.EXE
 GUARDDOG.EXE
 GUARD.EXE
 GMT.EXE
 GENERICS.EXE
 GBPOLL.EXE
 GBMENU.EXE
 GATOR.EXE
 FSMB32.EXE
 FSMA32.EXE
 FSM32.EXE
 FSGK32.EXE
 FSAV95.EXE
 FSAV530WTBYB.EXE
 FSAV530STBYB.EXE
 FSAV32.EXE
 FSAV.EXE
 FSAA.EXE
 FRW.EXE
 FPROT.EXE
 FP-WIN_TRIAL.EXE
 FP-WIN.EXE
 FNRB32.EXE
 FLOWPROTECTOR.EXE
 FIREWALL.EXE
 FINDVIRU.EXE
 FIH32.EXE
 FCH32.EXE
 FAST.EXE
 FAMEH32.EXE
 F-STOPW.EXE
 F-PROT95.EXE
 F-PROT.EXE
 F-AGNT95.EXE
 EXPLORE.EXE
 EXPERT.EXE
 EXE.AVXW.EXE
 EXANTIVIRUS-CNET.EXE
 EVPN.EXE
 ETRUSTCIPE.EXE
 ETHEREAL.EXE
 ESPWATCH.EXE
 ESCANV95.EXE
 ESCANHNT.EXE
 ESCANH95.EXE
 ESAFE.EXE
 ENT.EXE
 EMSW.EXE
 EFPEADM.EXE
 ECENGINE.EXE
 DVP95_0.EXE
 DVP95.EXE
 DSSAGENT.EXE
 DRWEB32.EXE
 DRWATSON.EXE
 DPPS2.EXE
 DPFSETUP.EXE
 DPF.EXE
 DOORS.EXE
 DLLREG.EXE
 DLLCACHE.EXE
 DEPUTY.EXE
 DEFWATCH.EXE
 DEFSCANGUI.EXE
 DEFALERT.EXE
 DCOMX.EXE
 DATEMANAGER.EXE
 Claw95.EXE
 CWNTDWMO.EXE
 CWNB181.EXE
 CV.EXE
 CTRL.EXE
 CPFNT206.EXE
 CPF9X206.EXE
 CPD.EXE
 CONNECTIONMONITOR.EXE
 CMON016.EXE
 CMGRDIAN.EXE
 CMESYS.EXE
 CMD32.EXE
 CLICK.EXE
 CLEANPC.EXE
 CLEANER3.EXE
 CLEANER.EXE
 CLEAN.EXE
 CLAW95CF.EXE
 CFINET32.EXE
 CFINET.EXE
 CFIADMIN.EXE
 CFGWIZ.EXE
 CFD.EXE
 CDP.EXE
 CCPXYSVC.EXE
 CCEVTMGR.EXE
 CCAPP.EXE
 BVT.EXE
 BUNDLE.EXE
 BS120.EXE
 BRASIL.EXE
 BPC.EXE
 BORG2.EXE
 BOOTWARN.EXE
 BOOTCONF.EXE
 BLSS.EXE
 BLACKICE.EXE
 BLACKD.EXE
 BISP.EXE
 BIPCPEVALSETUP.EXE
 BIPCP.EXE
 BIDSERVER.EXE
 BIDEF.EXE
 BELT.EXE
 BD_PROFESSIONAL.EXE
 BARGAINS.EXE
 BACKWEB.EXE
 AVXMONITORNT.EXE
 AVXMONITOR9X.EXE
 AVWUPSRV.EXE
 AVWUPD.EXE
 AVWINNT.EXE
 AVWIN95.EXE
 AVSYNMGR.EXE
 AVSCHED32.EXE
 AVPTC32.EXE
 AVPM.EXE
 AVPDOS32.EXE
 AVPCC.EXE
 AVP32.EXE
 AVP.EXE
 AVNT.EXE
 AVLTMAIN.EXE
 AVKWCTl9.EXE
 AVKSERVICE.EXE
 AVKSERV.EXE
 AVKPOP.EXE
 AVGW.EXE
 AVGUARD.EXE
 AVGSERV9.EXE
 AVGSERV.EXE
 AVGNT.EXE
 AVGCTRL.EXE
 AVGCC32.EXE
 AVE32.EXE
 AVCONSOL.EXE
 AU.EXE
 ATWATCH.EXE
 ATRO55EN.EXE
 ATGUARD.EXE
 ATCON.EXE
 ARR.EXE
 APVXDWIN.EXE
 APLICA32.EXE
 APIMONITOR.EXE
 ANTS.EXE
 ANTIVIRUS.EXE
 ANTI-TROJAN.EXE
 AMON9X.EXE
 ALOGSERV.EXE
 ALEVIR.EXE
 ALERTSVC.EXE
 AGENTW.EXE
 AGENTSVR.EXE
 ADVXDWIN.EXE
 ADAWARE.EXE
 ACKWIN32.EXE
 BEAGLE.EXE
 d3dupdate.exe
 sysxp.exe
 winxp.exe
 ssgrate.exe
 jammer2nd.exe
 fvprotect.exe
 hxdef.exe
 VisualGuard.exe
 GfxAcc.exe
 RAVMOND.exe
 Systra.exe
 MCUPDATE.EXE
 CFIAUDIT.EXE
 AVXQUAR.EXE
 AUTOUPDATE.EXE
 AUTOTRACE.EXE
 AUTODOWN.EXE
 AUPDATE.EXE
 NUPGRADE.EXE
 UPDATE.EXE
 ICSUPP95.EXE
 ICSSUPPNT.EXE
 DRWEBUPW.EXE
 LUALL.EXE
 AVPUPD.EXE
 AVWUPD32.EXE
 ATUPDATER.EXE
 wuamga.exe
 taskmanagr.exe
 wuamgrd.exe
 wowpos32.exe
 dailin.exe
 rasmngr.exe
 msssss.exe
 backdoor.rbot.gen_(17).exe
 backdoor.rbot.gen.exe
 b055262c.dll
 RB.EXE
 IAOIN.EXE
 OUTPOST.EXE
 

ICQ Spreading

The worm also sends ICQ messages, chosen from the list below, that link to executables hosted on web sites (the domain names have been removed from this description):

funn http://[domain removed]/icon/game.exe :-):-):-)
 http://[domain removed]/icon/game.exe :-):-)
 http://[domain removed]/icon/game.exe funny :-);-)
 http://[domain removed]/icon/game.exe ;-);-);-);-)
 best game http://[domain removed]/icon/game.exe ;-);-);-)
 http://[domain removed]/icon/game.exe LOL!! ;-);-);-)
 http://[domain removed]/claroline142/photo.exe i cried :-)
 http://[domain removed]/claroline142/photo.exe lol :-):-)
 my photos (archived) http://[domain removed]/claroline142/photo.exe
 i now play in game http://[domain removed]/ajr/game.exe :-):-)
 funy game http://[domain removed]/ajr/game.exe ;-);-);-)
 fun game http://[domain removed]/ajr/game.exe :-):-):-)
 

P2P Spreading

If the worm finds a Kazaa shared folder, it copies itself there under names picked from:

dap53 crack.exe
 iMeshV4 crack.exe
 icqpro2003b crack.exe
 wrar330 crack.exe
 WinZip 9.0 crack.exe
 dap71.exe
 trillian-v2.74h.exe
 wrar330.exe
 LimeWireWin.exe
 Morpheus.exe
 zlsSetup_45_538_001.exe
 icqpro2003b.exe
 iMeshV4.exe
 WinZip 9.0.exe
 icqlite.exe
 kmd.exe
 trillian 2.0 crack.exe
 dap53.exe
 dvdplayer.exe
 opera7.x crack.exe
 crazzygirls.scr
 childporno.pif
 opera7.7.exe
 winamp6.exe
 eroticgirls2.0.exe
 tropicallagoonss.scr
 nicegirlsshowv12.scr
 icq2004-final.exe
 winamp5.exe
 

Network spreading

This variant of the Mydoom worm also uses the Windows LSASS vulnerability to infect other hosts over the network, so unpatched hosts can be infected without any user interaction.


Downloading a backdoor

The worm downloads a backdoor from one of the following web sites and runs it:

www.masteratwork.com
 www.professionals-active.com
 www.il-legno.it
 www.mercyships.de
 www.llc.unibo.it
 www.scionicmusic.com
 64.40.98.94



Detection

This worm variant has been detected as 'I-Worm.Mydoom.y' since the following F-Secure Anti-Virus database update:

Detection Type: PC
Database: 2004-09-15_01



Technical Details: Alexey Podrezov & Ero Carrera; September 16th, 2004


