MyDoom.AC

NAME: Mydoom.w, W32/Mydoom.AC@mm
SIZE: 23040

Summary

A new variant of the MyDoom worm, Mydoom.AC, was found in mid-September 2004. This variant spreads in e-mails disguised as a FlashEcard virtual postcard.

Additional Details

The worm is a PE executable file 23040 bytes long packed with PECompact and PECBundle file compressors and modified by PE_Patch. The unpacked file's size is over 61 kilobytes.



Installation to system

When run, the worm starts Internet Explorer and opens the 'www.microsucks.com' website as a decoy.

Then the worm creates a mutex named 'holla_back_bitches', copies itself as SYSHOSTS.EXE to the Windows System directory and creates a startup key for that file in the System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "MS Updates" = "%WinSysDir%\syshosts.exe"
where "%WinSysDir%" represents the Windows System directory.



Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in the Windows Address Book and in files with the following extensions:

txt htm html sht php eml msg asp dbx tbb adb pl wab
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

icrosof syma msn hotmail anda opho borlan npris xample mydom @domai ruslis .gov .gov .mil @foo berkeley unix math bsd mit.e gnu fsf. ibm oogle kernel linux fido senet @ian ripe isi.e arin. rfc-ed isc.o ecur acketst pgp tanford.e utgers.ed ample info root@ ostmaster@ ebmaster@ you ugs@ ating@ ontact@ soft rivacy ervice help ubmit@ feste cert page upport ntivi istser ertific ccoun spm Spam SPAM spam abuse cafee @messagelab @avp kasp winzip winrar pdate irus ahoo buse@ sale
The subject of infected e-mails is selected from the following variants:

album
You've got a Virtual Postcard!
The body text of infected e-mails is selected from the following variants:

my pics...*sexy*. Heheh! ;)
or

You have just received a new postcard from Flashecard.com!
From:
To pick up your postcard follow this web address http://www.flashecard.com.viewcard.main.ecard.php?2342 or click the attached link.
We hope you enjoy your postcard, and if you do, please take a moment to send a few yourself!
(Your message will be available for 30 days.)
Please visit our site for more information. http://www.flashecard.com
The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

photos_album
www.flashecard.com?postcard=viewcard?download
The extension of an infected file can be any of the following:

.scr .html.scr
The worm fakes the sender's address. It uses the following list of names to compose the fake address:

Jennifer Barbara Linda Susan Eric Kevin Mary Robert John Maria Alex Pamela Anna Andrew Fred Jack James Julie Debby Claudia Matt Brent
It uses the following list of domain names to compose the fake address:

@aol.com @hotmail.com @yahoo.com @msn.com @excite.com @mail.com
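A defender-side triage check for mail matching the characteristics described above (lure subject, attachment name plus extension, and the spoofed name@domain sender pattern). This is an added example, not the analyst's or vendor's own code; the sample message, the indicator sets and the function names are constructed for illustration.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the description above (constructed sets).
SUBJECTS = {"album", "You've got a Virtual Postcard!"}
ATTACHMENT_NAMES = {"photos_album", "www.flashecard.com?postcard=viewcard?download"}
EXTENSIONS = (".scr", ".html.scr", ".zip")  # .zip: the worm may ship inside an archive
SENDER_NAMES = {n.lower() for n in (
    "Jennifer Barbara Linda Susan Eric Kevin Mary Robert John Maria Alex "
    "Pamela Anna Andrew Fred Jack James Julie Debby Claudia Matt Brent").split()}
SENDER_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com", "msn.com", "excite.com", "mail.com"}


def mydoom_ac_indicators(raw: bytes) -> list:
    """Return the Mydoom.AC indicators found in one RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for ext in EXTENSIONS:
            # Strip the suffix and compare the base name against the lure names.
            if name.lower().endswith(ext) and name[:-len(ext)] in ATTACHMENT_NAMES:
                hits.append("attachment:" + name)
                break
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = sender.partition("@")
    if local in SENDER_NAMES and domain in SENDER_DOMAINS:
        hits.append("spoofed-sender")
    return hits


def build_sample() -> bytes:
    """Constructed sample mimicking the postcard lure; not a real capture."""
    m = EmailMessage()
    m["From"] = "Jennifer@aol.com"
    m["To"] = "user@example.invalid"
    m["Subject"] = "You've got a Virtual Postcard!"
    m.set_content("You have just received a new postcard from Flashecard.com!")
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename="photos_album.html.scr")
    return m.as_bytes()
```

Any non-empty result is a reason to quarantine the message for review; the sender test alone is weak and is only meaningful together with the other hits.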


Killing processes

The worm kills processes if it finds any of the following substrings in their names:

regedit task msconfig AV MC Av Mc av mc IEFrame nti iru ire cc ecu can scn KV fr


Payload

After December 1st, 2004, 01:01:01 the worm shuts down Windows on an infected computer whenever its file is started. As a result, the user can no longer log in.



Detection

This worm variant is detected as 'I-Worm.Mydoom.w' starting with the following FSAV database update:

[FSAV_Database_Version]
Version=2004-09-14_01

Technical Details: Alexey Podrezov; September 20th, 2004