MyDoom.AB
NAME: .Mydoom.y, W32/Mydoom.AB@mm
SIZE: 69632 bytes
Summary
A new variant of the MyDoom worm, Mydoom.AB, was found on September
16th, 2004. It behaves like the previous variants: it spreads in
e-mails with varying subject and body texts, and it downloads and
activates a backdoor.
Additional Details
The worm is a PE executable file, 69632 bytes long, packed with the UPX
file compressor. The unpacked file is over 180 KiB.
Installation to system
When run, the worm creates a mutex named 'ertglddfgd' and copies
itself to the Windows System directory under a filename picked from:
smss.exe
csrss.exe
winlogon.exe
services.exe
and sets a startup value for that file in the System Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32System]
Note that all four filenames are also the names of legitimate Windows
system processes, so the filename alone is not evidence of infection;
the Win32System autostart value and the properties of the file itself
(size, UPX packing) are what distinguish the worm's copy.
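The autostart value and the packed file are the host-level indicators a responder would check for. The following Python is an added example and not code from the original description or from F-Secure: it parses a constructed .reg export of the HKCU Run key, flags the Win32System value, and walks a PE section table to look for UPX section names, since the genuine smss.exe, csrss.exe, winlogon.exe and services.exe binaries are not UPX-packed. The drop path in the sample registry data is hypothetical.

```python
import struct
from pathlib import PureWindowsPath

# Host indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Win32System"
DROP_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def parse_reg_export(text):
    """Parse regedit/.reg export text into {(key, value_name): data}.

    Only REG_SZ lines of the form "name"="data" are handled, which is all
    the Run key check needs.
    """
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double the backslashes inside string data.
            data = data.strip().strip('"').replace("\\\\", "\\")
            values[(key, name.strip('"'))] = data
    return values


def assess_run_entry(values):
    """Return (autostart path, reasons) for the worm's Run value, or (None, []) if absent."""
    path = values.get((RUN_KEY, RUN_VALUE))
    if path is None:
        return None, []
    reasons = [f"HKCU Run value {RUN_VALUE!r} present"]
    # The four names are also legitimate NT system processes: only flag the
    # name in combination with the autostart value, never on its own.
    if PureWindowsPath(path).name.lower() in DROP_NAMES:
        reasons.append("autostart target uses a system-process name")
    return path, reasons


def is_upx_packed(data):
    """Walk the PE section table and report whether any section is named UPX0/UPX1/UPX2."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section headers are 40 bytes each
    names = {data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
             for i in range(num_sections)}
    return bool(names & UPX_SECTIONS)


def build_sample_pe(section_names):
    """Construct a minimal, non-executable PE image with the given section names (test data only)."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + coff + sections


# Constructed .reg export; the drop path is hypothetical, not taken from the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32System"="C:\\WINDOWS\\system32\\csrss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    path, reasons = assess_run_entry(parse_reg_export(SAMPLE_REG))
    print(path, reasons)
    print(is_upx_packed(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

On a live system the .reg text would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and `is_upx_packed` would be run over the bytes of the file the Win32System value points at; the section-name check is a cheap first pass, since a packer can rename its sections, so treat a negative result as inconclusive.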
Spreading in e-mails
The worm spreads by mailing itself as an attachment to all e-mail
addresses found on the infected computer. It looks for e-mail
addresses in the Windows Address Book and in files with the
following extensions:
wab
xls
uin
txt
tbb
stm
sht
php
msg
mht
mbx
jsp
htm
eml
dht
dbx
cgi
cfg
asp
The worm does not send e-mail to addresses that contain any of the
following substrings, which keeps its samples away from antivirus
vendors, abuse and postmaster mailboxes, and government, military and
research domains:
avp.
syman
icrosof
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
icrosoft
.gov
gov.
.mil
@foo.
@iana
spam
unix
linux
kasp
antivi
messagelabs
support
berkeley
unix
math
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
icq.com
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
abuse
upport
www
root
info
samples
postmaster
rating
root
news
webmaster
noone
noreply
nobody
nothing
anyone
someone
rating
site
contact
support
somebody
privacy
service
help
submit
feste
gold-certs
The subject of infected e-mails is selected from the following
variants:
Re[2]:fun pictures
Re:fun pictures
FW:fun pictures
Re[2]:COOL!
Re:COOL!
FW:COOL!
Re[2]:cool
Re:cool
FW:cool
Re[2]:
Re:
FW:
:))
FW: Cool
LOOK!
new photos
2 new photos
hi, it's me
it's me
(no subject)
that's me :-D
my photos
hello sweety :>
remember me?..
FW: jenna's photos :)
FW: new photos
FW: 2 new photos
FW: hi, it's me
FW: it's me
FW: (no subject)
FW: that's me :-D
FW: my photos
FW: hello sweety :>
FW: hi
FW: remember me?..
The body text of infected e-mails is selected from the following
variants:
-----Original Message-----
From: Jeny K.
Sent: Monday, September 13, 2004 8:57 PM
To: Morpheus
check my new photos
:))
miss you, jeny k
-----Original Message-----
From: Jena K.
Sent: Monday, September 13, 2004 5:23 AM
To: friends
Check Out Archive.. So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
-----Original Message-----
From: jenny k.
Sent: Monday, September 13, 2004 10:23 AM
To: My Tiger (e-mail)
new fotos(archived) you asked
jenny k
-----Original Message-----
From: jenna k. (e-mail)
Sent: Monday, September 13, 2004 11:38 AM
To: Cat
my new fotos archived ))
kiss, jenna k
-----Original Message-----
From: Jeny
Sent: Monday, September 13, 2004 8:57 PM
To: Neo
see the photos in attached archive
:))
kiss you, jeny
-----Original Message-----
From: Jena
Sent: Monday, September 13, 2004 5:23 AM
To: friend
Photos in archive.. So.. Am I Hot? :)
Waining For Your Answer
Jena
-----Original Message-----
From: Jenna Knukles
Sent: Monday, September 13, 2004 9:05 AM
To: Friends Group
in self-extracting archive my photos
Jenna :)
-----Original Message-----
From: jenna (e-mail)
Sent: Monday, September 13, 2004 11:38 AM
To: ma kittie
my photos archived ))
kiss, jenna
fun flash game!
fun flash!
game!
fun game!
Print money at home!
look at atach
-----Original Message-----
From: Jeny K.
Sent: Monday, September 13, 2004 8:57 PM
To: Morpheus
check out the new photos
:))
miss you, jeny k
-----Original Message-----
From: Jena K.
Sent: Monday, September 13, 2004 5:23 AM
To: friends
So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
-----Original Message-----
From: Jenna Knukles
Sent: Monday, September 13, 2004 9:05 AM
in archive my new fotos
Jenna K :)
-----Original Message-----
From: jenny k.
Sent: Monday, September 13, 2004 10:23 AM
To: My Tiger (e-mail)
new fotos you asked
jenny k
-----Original Message-----
From: jenna k. (e-mail)
Sent: Monday, September 13, 2004 11:38 AM
To: Cat
my new fotos zipped ))
kiss, jenna k
-----Original Message-----
From: Jeny
Sent: Monday, September 13, 2004 8:57 PM
To: Neo
see the photos
:))
kiss you, jeny
-----Original Message-----
From: Jena
Sent: Monday, September 13, 2004 5:23 AM
To: friend
So.. Am I Hot? :)
Waining For Your Answer
Jena
-----Original Message-----
From: Jenna Knukles
Sent: Monday, September 13, 2004 9:05 AM
To: Friends Group
in archive my photos
Jenna :)
-----Original Message-----
From: jenny
Sent: Monday, September 13, 2004 10:23 AM
To: Mr.X (e-mail)
photos you asked
jenny
-----Original Message-----
From: jenna (e-mail)
Sent: Monday, September 13, 2004 11:38 AM
To: ma kittie
my photos zipped ))
kiss, jenna
The worm sends itself either as a bare executable attachment or inside
a ZIP archive, under one of the following names:
myfoto.exe
photos.selfextracting.exe
photoarchive.exe
photofile.exe
arc.exe
my_foto.exe
fotos.exe
foto.exe
photos.exe.safe
photo_se.exe
new_photos.exe
newphotos.exe
myphotos_arc.exe
my_photos.exe
photos_arc.exe
myfoto.cpl
photoarchive.cpl
photofile.cpl
arc.cpl
my_foto.cpl
fotos.cpl
foto.cpl
photo_se.cpl
new_photos.cpl
newphotos.cpl
my_photos.cpl
photos_arc.cpl
arhive.zip
new_pic.zip
pic.zip
new_photos.zip
images.zip
fotos.zip
my_photos.zip
myphotos.zip
photos.zip
my_photo.jpg .pif
flowers.jpg .pif
document.jpg .pif
pic.jpg .pif
photo.jpg .pif
black.gif .pif
DCP_0002.JPG .pif
me_01.jpg .pif
2004042301.jpg .pif
with_flowers.jpg .pif
sunny.jpg .pif
photo08.jpg .pif
nude_.jpg .pif
marie_dancing.jpg .pif
julia038.jpg .pif
1.exe
mymusic.pif
rulezzz.scr
matrix.scr
newvirus.exe
mylove.pif
antibush.scr
icqcrack.exe
myfack.pif
hello.pif
pinguin5.exe
you the best.scr
fantasy.scr
coolgame.zip [multiple spaces] .exe
mynewphoto.zip [multiple spaces] .exe
mult.exe
The worm can also append a fake virus scan report to its message:
+++ Attachment: No Virus found
+++ <av_string>
where "<av_string>" is one of the following:
Norton AntiVirus - www.symantec.de
F-Secure AntiVirus - www.f-secure.com
Norman AntiVirus - www.norman.com
Panda AntiVirus - www.pandasoftware.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
Bitdefender AntiVirus - www.bitdefender.com
MessageLabs AntiVirus - www.messagelabs.com
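The subjects, attachment names and fake scan report above are what a mail gateway can match on. The following Python classifier is an added example and not code from the original description: it generalizes the subject list to its core strings plus any number of Re:/Re[n]:/FW: prefixes, flags the space-padded double extensions, the .exe/.cpl/.pif/.scr and '.exe.safe' attachments, applies the same name checks to the members of a ZIP attachment, and matches the '+++ Attachment: No Virus found' footer. The messages it builds are constructed sample data, not real captures.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Subject "cores" from the list above; the worm prefixes them with Re:, Re[2]: or FW:.
SUBJECT_CORES = {
    "fun pictures", "cool!", "cool", ":))", "look!", "new photos", "2 new photos",
    "hi, it's me", "it's me", "(no subject)", "that's me :-d", "my photos",
    "hello sweety :>", "remember me?..", "jenna's photos :)", "hi",
}
PREFIX_RE = re.compile(r"^\s*(re(\[\d+\])?|fw)\s*:\s*", re.I)
EXEC_EXT = {"exe", "cpl", "pif", "scr"}
# "photo.jpg .pif" / "coolgame.zip      .exe": spaces push the real extension out of view.
SPACED_DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|zip)\s+\.(pif|exe|scr|cpl)$", re.I)
FAKE_SCAN_RE = re.compile(r"^\+\+\+ Attachment: No Virus found", re.M)


def normalize_subject(subject):
    """Strip any number of Re:/Re[n]:/FW: prefixes and lower-case the rest."""
    s = subject or ""
    while True:
        stripped = PREFIX_RE.sub("", s, count=1)
        if stripped == s:
            return s.strip().lower()
        s = stripped


def subject_matches(subject):
    core = normalize_subject(subject)
    # A bare "Re:" / "FW:" is itself one of the worm's subjects.
    return core in SUBJECT_CORES or (core == "" and bool((subject or "").strip()))


def suspicious_filename(name):
    """Return a reason if the name uses one of the worm's attachment tricks, else None."""
    n = name.strip().lower()
    if SPACED_DOUBLE_EXT_RE.search(n):
        return "image/zip name padded with spaces before an executable extension"
    if n.endswith(".exe.safe"):
        return "'.exe.safe' disguised executable"
    ext = n.rsplit(".", 1)[-1] if "." in n else ""
    if ext in EXEC_EXT:
        return f"executable attachment (.{ext})"
    return None


def zip_member_names(data):
    """List members of a ZIP attachment so the same name checks apply inside the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(msg):
    """Return the worm indicators found in an EmailMessage (empty list = nothing matched)."""
    reasons = []
    if subject_matches(msg.get("Subject", "")):
        reasons.append("subject from the worm's list")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_SCAN_RE.search(body.get_content()):
        reasons.append("fake 'No Virus found' scan report in body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = suspicious_filename(name)
        if reason:
            reasons.append(f"{name!r}: {reason}")
        if name.lower().endswith(".zip"):
            for member in zip_member_names(part.get_payload(decode=True)):
                reason = suspicious_filename(member)
                if reason:
                    reasons.append(f"{name!r} contains {member!r}: {reason}")
    return reasons


def build_sample_message():
    """Construct a message with the worm's layout (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "jenna@yahoo.com"          # forged sender; domain from the worm's list
    msg["To"] = "someone@example.net"
    msg["Subject"] = "Re[2]:fun pictures"
    msg.set_content("my new fotos zipped ))\nkiss, jenna k\n\n"
                    "+++ Attachment: No Virus found\n"
                    "+++ Norton AntiVirus - www.symantec.de\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.exe", b"MZ placeholder, not a real executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photos.zip")
    msg.add_attachment(b"GIF89a placeholder", maintype="application",
                       subtype="octet-stream", filename="my_photo.jpg .pif")
    return msg


def build_benign_message():
    """Construct an ordinary message that should produce no indicators."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached PDF.\n")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    for reason in classify(build_sample_message()):
        print(reason)
```

Only the attachment and footer checks carry real weight on their own; a matching subject is corroboration. The forged From address is deliberately ignored, since the domains it is built from (next section) are ordinary ISP and webmail domains that say nothing about the true sender.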
The sender address of infected e-mails is forged; the domain part of
the fake address is picked from the following list:
@ziplink.net
@yahoo.com
@wwc.com
@worldshare.net
@worldcom.com
@wanadoo.com
@verizon.net
@ultimanet.com
@toad.net
@tiscali.com
@t-online.de
@t-online.com
@surfree.com
@ricochet.com
@rcn.com
@pics.com
@peoplepc.com
@pathlink.com
@palm.net
@pacific.net.sg
@netzero.net
@netrox.net
@netcenter.com
@nccw.net
@msn.com
@madriver.com
@macconnect.com
@loa.com
@juno.com
@istep.com
@ispwest.com
@isp.com
@iquest.net
@infoave.net
@inext.fr
@ieway.com
@hiwaay.net
@highstream.net
@globetrotter.net
@globalbiz.net
@gbronline.com
@flex.com
@fcc.net
@fast.net
@excite.com
@ev1.net
@eisa.com
@eclipse.net
@earthlink.net
@dialupnet.com
@cybernex.net
@cox.net
@core.com
@compuserve.com
@chello.com
@ccpc.net
@ccp.com
@cayuse.net
@canada.com
@cais.com
@cableone.net
@att.net
@aristotle.net
@arczip.com
@apci.net
@aol.com
@ameralinx.net
@address.com
@accessus.net
@a1isp.net
@1access.net
@yahoo.co.uk
@gmx.net
@hotmail.com
@mail.com
@dailymail.co.uk