



MyDoom.AC

NAME: Mydoom.w, W32/Mydoom.AC@mm
SIZE: 23040

Summary

A new variant of the MyDoom worm, Mydoom.AC, was found in the middle of September 2004. This variant spreads in e-mails disguised as a FlashEcard virtual postcard.

Disinfection


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Additional Details

The worm is a PE executable file 23040 bytes long, packed with the PECompact and PECBundle file compressors and modified by PE_Patch. The unpacked file is over 61 kilobytes in size.



Installation to system

When run, the worm starts Internet Explorer and opens the 'www.microsucks.com' website as a disguise.

Then the worm creates a mutex named 'holla_back_bitches', copies itself to the Windows System directory as SYSHOSTS.EXE and creates a startup key for that file in the System Registry:

    • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "MS Updates" = "%WinSysDir%\syshosts.exe"

    where "%WinSysDir%" represents the Windows System directory.
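    The three installation artifacts above (the "MS Updates" Run value, the dropped SYSHOSTS.EXE and the infection-marker mutex) are what a host check looks for. The script below is an added example, not F-Secure's tool: it takes the Run entries, the system-directory listing and the held mutex names as plain Python structures (constructed sample data, so it runs offline) and reports which indicators are present. On a live host those structures would be filled from the registry, the file system and a mutex enumeration.

```python
"""Host indicator check for Mydoom.AC (added example, constructed inputs)."""
from typing import Dict, List

# Indicators taken from the description above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MS Updates"
DROPPED_FILE = "syshosts.exe"
MUTEX_NAME = "holla_back_bitches"
PACKED_SIZE = 23040  # on-disk size of the packed worm file, in bytes


def check_host(run_entries: Dict[str, str],
               system_dir_files: Dict[str, int],
               mutexes: List[str]) -> List[str]:
    """Return the names of the Mydoom.AC indicators present on a host.

    run_entries:      value name -> command line, from the HKCU Run key
    system_dir_files: file name -> size in bytes, from %WinSysDir%
    mutexes:          names of mutexes currently held on the system
    """
    found = []
    # Registry: the worm registers "MS Updates" pointing at syshosts.exe.
    command = run_entries.get(RUN_VALUE_NAME, "")
    if command.lower().endswith(DROPPED_FILE):
        found.append("run_key")
    # Dropped file (Windows file names are case-insensitive).
    for name, size in system_dir_files.items():
        if name.lower() == DROPPED_FILE:
            found.append("dropped_file")
            if size == PACKED_SIZE:
                found.append("packed_size")
    # Infection-marker mutex.
    if MUTEX_NAME in mutexes:
        found.append("mutex")
    return found


# Constructed sample data: one infected host and one clean host.
INFECTED = dict(
    run_entries={"MS Updates": r"%WinSysDir%\syshosts.exe"},
    system_dir_files={"syshosts.exe": 23040, "example.dll": 1024},
    mutexes=["holla_back_bitches"],
)
CLEAN = dict(
    run_entries={"ctfmon.exe": r"%WinSysDir%\ctfmon.exe"},
    system_dir_files={"example.dll": 1024},
    mutexes=[],
)

if __name__ == "__main__":
    print("infected host:", check_host(**INFECTED))
    print("clean host:", check_host(**CLEAN))
```

    The file-size match is deliberately reported as a separate, weaker indicator: a repacked sample would keep the Run value and mutex but not the 23040-byte size.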



    Spreading in e-mails

    The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. It looks for e-mail addresses in the Windows Address Book and in files with the following extensions:

    • txt
    • htm
    • html
    • sht
    • php
    • eml
    • msg
    • asp
    • dbx
    • tbb
    • adb
    • pl
    • wab

    The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

    • icrosof
    • syma
    • msn
    • hotmail
    • anda
    • opho
    • borlan
    • npris
    • xample
    • mydom
    • @domai
    • ruslis
    • .gov
    • .gov
    • .mil
    • @foo
    • berkeley
    • unix
    • math
    • bsd
    • mit.e
    • gnu
    • fsf.
    • ibm
    • oogle
    • kernel
    • linux
    • fido
    • senet
    • @ian
    • ripe
    • isi.e
    • arin.
    • rfc-ed
    • isc.o
    • ecur
    • acketst
    • pgp
    • tanford.e
    • utgers.ed
    • ample
    • info
    • root@
    • ostmaster@
    • ebmaster@
    • you
    • ugs@
    • ating@
    • ontact@
    • soft
    • rivacy
    • ervice
    • help
    • ubmit@
    • feste
    • cert
    • page
    • upport
    • ntivi
    • istser
    • ertific
    • ccoun
    • spm
    • Spam
    • SPAM
    • spam
    • abuse
    • cafee
    • @messagelab
    • @avp
    • kasp
    • winzip
    • winrar
    • pdate
    • irus
    • ahoo
    • buse@
    • sale

    The subject of infected e-mails is selected from the following variants:

    • album
    • You've got a Virtual Postcard!

    The body text of infected e-mails is selected from the following variants:

     my pics...*sexy*. Heheh! ;)
    

    or

     You have just received a new postcard from Flashecard.com!
    
    
     From:
    
    
     To pick up your postcard follow this web address
     http://www.flashecard.com.viewcard.main.ecard.php?2342
     or click the attached link.
    
    
     We hope you enjoy your postcard, and if you do, please
     take a moment to send a few yourself!
    
    
     (Your message will be available for 30 days.)
    
    
     Please visit our site for more information.
     http://www.flashecard.com
    

    The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

    • photos_album
    • www.flashecard.com?postcard=viewcard?download

    The extension of an infected file can be any of the following:

    • .scr
    • .html.scr

    The worm fakes the sender's address. It uses the following list of names to compose the fake address:

    • Jennifer
    • Barbara
    • Linda
    • Susan
    • Eric
    • Kevin
    • Mary
    • Robert
    • John
    • Maria
    • Alex
    • Pamela
    • Anna
    • Andrew
    • Fred
    • Jack
    • James
    • Julie
    • Debby
    • Claudia
    • Matt
    • Brent

    It uses the following list of domain names to compose the fake address:

    • @aol.com
    • @hotmail.com
    • @yahoo.com
    • @msn.com
    • @excite.com
    • @mail.com
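    Taken together, the subjects, body texts, attachment names, extensions and forged sender names and domains listed above form a usable mail-gateway signature. The code below is an added example and not F-Secure's detection logic: it represents a message as a dict with `subject`, `from`, `body` and `attachments` fields (an assumed layout), records which of the listed indicators match, and flags a message as suspect only when an attachment indicator is joined by at least one other, which is my own threshold rule. The sample messages are constructed.

```python
"""Mail indicator check for Mydoom.AC e-mails (added example)."""
from typing import Dict, List, Tuple

# Indicators taken from the description above (sender names lower-cased
# so matching is case-insensitive).
SUBJECTS = {"album", "You've got a Virtual Postcard!"}
ATTACHMENT_BASENAMES = {"photos_album",
                        "www.flashecard.com?postcard=viewcard?download"}
WORM_EXTENSIONS = (".scr", ".html.scr")
ARCHIVE_EXTENSIONS = (".zip",)  # the worm may also send itself in a ZIP
FAKE_NAMES = {"jennifer", "barbara", "linda", "susan", "eric", "kevin",
              "mary", "robert", "john", "maria", "alex", "pamela", "anna",
              "andrew", "fred", "jack", "james", "julie", "debby",
              "claudia", "matt", "brent"}
FAKE_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com", "msn.com",
                "excite.com", "mail.com"}
BODY_MARKERS = ("flashecard.com", "my pics...*sexy*")


def split_attachment(filename: str) -> Tuple[str, str]:
    """Split a file name into (base name, extension), preferring the longest
    known extension so 'x.html.scr' yields '.html.scr' rather than '.scr'."""
    for ext in sorted(WORM_EXTENSIONS + ARCHIVE_EXTENSIONS, key=len,
                      reverse=True):
        if filename.lower().endswith(ext):
            return filename[:-len(ext)], ext
    return filename, ""


def score_message(msg: Dict) -> List[str]:
    """Return the list of Mydoom.AC indicators a message matches."""
    hits = []
    if msg.get("subject", "") in SUBJECTS:
        hits.append("subject")
    local, _, domain = msg.get("from", "").partition("@")
    if local.lower() in FAKE_NAMES and domain.lower() in FAKE_DOMAINS:
        hits.append("forged_sender")
    for attachment in msg.get("attachments", []):
        base, ext = split_attachment(attachment)
        if base in ATTACHMENT_BASENAMES:
            hits.append("attachment_name")
        if ext in WORM_EXTENSIONS:
            hits.append("executable_extension")
    body = msg.get("body", "").lower()
    if any(marker in body for marker in BODY_MARKERS):
        hits.append("body_text")
    return hits


def is_suspect(msg: Dict) -> bool:
    """Flag when an attachment indicator is backed by at least one more hit;
    a forged sender or a short subject alone is too common to act on."""
    hits = score_message(msg)
    attachment_hit = "attachment_name" in hits or "executable_extension" in hits
    return attachment_hit and len(hits) >= 2


# Constructed sample messages.
POSTCARD_MSG = {
    "subject": "You've got a Virtual Postcard!",
    "from": "Jennifer@hotmail.com",
    "body": "You have just received a new postcard from Flashecard.com!",
    "attachments": ["www.flashecard.com?postcard=viewcard?download.html.scr"],
}
ZIP_MSG = {
    "subject": "album",
    "from": "Matt@aol.com",
    "body": "my pics...*sexy*. Heheh! ;)",
    "attachments": ["photos_album.zip"],
}
BENIGN_MSG = {
    "subject": "Re: album",
    "from": "john@example.com",
    "body": "Here are the vacation photos we talked about.",
    "attachments": ["vacation.jpg"],
}

if __name__ == "__main__":
    for name, msg in [("postcard", POSTCARD_MSG), ("zip", ZIP_MSG),
                      ("benign", BENIGN_MSG)]:
        print(name, score_message(msg), is_suspect(msg))
```

    Note that the forged-sender check will also match genuine senders such as a real "John@aol.com", which is why it only counts in combination with an attachment indicator.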

    Killing processes

    The worm kills processes if it finds any of the following substrings in their names:

    • regedit
    • task
    • msconfig
    • AV
    • MC
    • Av
    • Mc
    • av
    • mc
    • IEFrame
    • nti
    • iru
    • ire
    • cc
    • ecu
    • can
    • scn
    • KV
    • fr

    Payload

    After December 1st, 2004, 01:01:01, the worm shuts down Windows on an infected computer whenever its file is started. As a result, the user can no longer log in.