A new variant of the MyDoom worm, Mydoom.AC, was found in mid-September 2004. This variant spreads in e-mails disguised as a FlashEcard virtual postcard.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
The worm is a PE executable file 23040 bytes long, packed with the PECompact and PECBundle file compressors and modified with PE_Patch. The unpacked file is over 61 kilobytes in size.
Installation to system
When run, the worm starts Internet Explorer and opens the website 'www.microsucks.com' as a decoy.
Then the worm creates a mutex named 'holla_back_bitches', copies itself as SYSHOSTS.EXE to the Windows System directory and creates a startup key for that file in the System Registry:
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "MS Updates" = "%WinSysDir%\syshosts.exe"
where "%WinSysDir%" represents Windows System directory.
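One way a responder could check for the persistence entry described above, as an added example that is not F-Secure's code: it parses the text produced by exporting the HKCU Run key (the sample .reg content and the C:\WINDOWS\system32 path are constructed for the example) and flags the "MS Updates" value or any value that launches syshosts.exe.

```python
"""Added example (not F-Secure's code): find the Mydoom.AC Run-key entry in a .reg export."""
import ntpath
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MS Updates"
DROPPED_FILE = "syshosts.exe"

# Constructed sample of a "reg export" of the Run key. Note that .reg files
# escape backslashes and double quotes inside string data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MS Updates"="C:\\WINDOWS\\system32\\syshosts.exe"
'''

_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _STRING_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_mydoom_ac_persistence(text):
    """List (value_name, data) pairs in the HKCU Run key matching the worm's indicators."""
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        # Match on the value name the worm uses, or on the dropped file name
        # regardless of which directory it was copied to.
        if name == RUN_VALUE_NAME or ntpath.basename(data.strip('"')).lower() == DROPPED_FILE:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_mydoom_ac_persistence(SAMPLE_REG_EXPORT):
        print(f"Suspicious Run entry: {name!r} -> {data}")
```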
Spreading in e-mails
The worm spreads by sending its infected attachment to all e-mail addresses found on the infected computer. It looks for e-mail addresses in the Windows Address Book and in files with the following extensions:
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
The subject of infected e-mails is selected from the following variants:
- You've got a Virtual Postcard!
The body text of infected e-mails is selected from the following variants:
my pics...*sexy*. Heheh! ;)
You have just received a new postcard from Flashecard.com! From: To pick up your postcard follow this web address http://www.flashecard.com.viewcard.main.ecard.php?2342 or click the attached link. We hope you enjoy your postcard, and if you do, please take a moment to send a few yourself! (Your message will be available for 30 days.) Please visit our site for more information. http://www.flashecard.com
The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:
The extension of an infected file can be any of the following:
The worm fakes the sender's address. It uses the following list of names to compose the fake address:
It uses the following list of domain names to compose the fake address:
The worm kills processes if it finds any of the following substrings in their names:
After December 1st, 2004, 01:01:01, the worm shuts down Windows on an infected computer whenever its file is started. As a result, the user can no longer log in.