F-Secure Virus Descriptions : MyDoom.AC




NAME: MyDoom.AC
ALIAS: I-Worm.Mydoom.w, W32/Mydoom.AC@mm
SIZE: 23040

Summary

A new variant of the MyDoom worm, Mydoom.AC, was found in the middle of September 2004. This variant spreads in e-mails disguised as a FlashEcard virtual postcard.

Detailed Description

The worm is a PE executable file 23040 bytes long, packed with the PECompact and PECBundle file compressors and modified by PE_Patch. The unpacked file is over 61 kilobytes in size.

Installation to system

When run, the worm starts Internet Explorer and opens the 'www.microsucks.com' website as a decoy.

Then the worm creates a mutex named 'holla_back_bitches', copies itself as SYSHOSTS.EXE to the Windows System directory and creates a startup value for that file in the System Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "MS Updates" = "%WinSysDir%\syshosts.exe"

where "%WinSysDir%" represents Windows System directory.

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in the Windows Address Book and in files with the following extensions:

 txt
 htm
 html
 sht
 php
 eml
 msg
 asp
 dbx
 tbb
 adb
 pl
 wab

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

 icrosof
 syma
 msn
 hotmail
 anda
 opho
 borlan
 npris
 xample
 mydom
 @domai
 ruslis
 .gov
 .gov
 .mil
 @foo
 berkeley
 unix
 math
 bsd
 mit.e
 gnu
 fsf.
 ibm
 oogle
 kernel
 linux
 fido
 senet
 @ian
 ripe
 isi.e
 arin.
 rfc-ed
 isc.o
 ecur
 acketst
 pgp
 tanford.e
 utgers.ed
 ample
 info
 root@
 ostmaster@
 ebmaster@
 you
 ugs@
 ating@
 ontact@
 soft
 rivacy
 ervice
 help
 ubmit@
 feste
 cert
 page
 upport
 ntivi
 istser
 ertific
 ccoun
 spm
 Spam
 SPAM
 spam
 abuse
 cafee
 @messagelab
 @avp
 kasp
 winzip
 winrar
 pdate
 irus
 ahoo
 buse@
 sale

The subject of infected e-mails is selected from the following variants:

 album
 You've got a Virtual Postcard!

The body text of infected e-mails is selected from the following variants:

 my pics...*sexy*. Heheh! ;)

or

 You have just received a new postcard from Flashecard.com!

 From:

 To pick up your postcard follow this web address
 http://www.flashecard.com.viewcard.main.ecard.php?2342
 or click the attached link.

 We hope you enjoy your postcard, and if you do, please
 take a moment to send a few yourself!

 (Your message will be available for 30 days.)

 Please visit our site for more information.
 http://www.flashecard.com

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

 photos_album
 www.flashecard.com?postcard=viewcard?download

The extension of an infected file can be any of the following:

 .scr
 .html.scr

The worm fakes the sender's address. It uses the following list of names to compose the fake address:

 Jennifer
 Barbara
 Linda
 Susan
 Eric
 Kevin
 Mary
 Robert
 John
 Maria
 Alex
 Pamela
 Anna
 Andrew
 Fred
 Jack
 James
 Julie
 Debby
 Claudia
 Matt
 Brent

It uses the following list of domain names to compose the fake address:

 @aol.com
 @hotmail.com
 @yahoo.com
 @msn.com
 @excite.com
 @mail.com

Killing processes

The worm kills processes if it finds any of the following substrings in their names:

 regedit
 task
 msconfig
 AV
 MC
 Av
 Mc
 av
 mc
 IEFrame
 nti
 iru
 ire
 cc
 ecu
 can
 scn
 KV
 fr

Payload

After December 1st, 2004, 01:01:01, the worm shuts down Windows on an infected computer each time its file is started. As a result, a user can no longer log in.



Detection

This worm variant is detected as 'I-Worm.Mydoom.w' starting with the following FSAV update:

[FSAV_Database_Version]

Version=2004-09-14_01



Technical Details: Alexey Podrezov; September 20th, 2004;

F-Secure Corporation