Tools
MyDoom.AC
| NAME: | .Mydoom.w, W32/Mydoom.AC@mm |
| SIZE: | 23040 |
Summary
Disinfection
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Additional Details
The worm is a PE executable file 23040 bytes long packed with PECompact and PECBundle file compressors and modified by PE_Patch. The unpacked file's size is over 61 kilobytes.
Installation to system
When run, the worm starts Internet Explorer and goes to 'www.microsucks.com' website as a disguise.
Then the worm creates a mutex 'holla_back_bitches', copies itself as SYSHOSTS.EXE to Windows System Directory and creates a startup key for that file in System Registry:
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Updates" = "%WinSysDir%\syshosts.exe"
where "%WinSysDir%" represents Windows System directory.
Spreading in e-mails
The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:
- txt
- htm
- html
- sht
- php
- eml
- msg
- asp
- dbx
- tbb
- adb
- pl
- wab
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
- icrosof
- syma
- msn
- hotmail
- anda
- opho
- borlan
- npris
- xample
- mydom
- @domai
- ruslis
- .gov
- .gov
- .mil
- @foo
- berkeley
- unix
- math
- bsd
- mit.e
- gnu
- fsf.
- ibm
- oogle
- kernel
- linux
- fido
- senet
- @ian
- ripe
- isi.e
- arin.
- rfc-ed
- isc.o
- ecur
- acketst
- pgp
- tanford.e
- utgers.ed
- ample
- info
- root@
- ostmaster@
- ebmaster@
- you
- ugs@
- ating@
- ontact@
- soft
- rivacy
- ervice
- help
- ubmit@
- feste
- cert
- page
- upport
- ntivi
- istser
- ertific
- ccoun
- spm
- Spam
- SPAM
- spam
- abuse
- cafee
- @messagelab
- @avp
- kasp
- winzip
- winrar
- pdate
- irus
- ahoo
- buse@
- sale
The subject of infected e-mails is selected from the following variants:
- album
- You've got a Virtual Postcard!
The body text of infected e-mails is selected from the following variants:
my pics...*sexy*. Heheh! ;)
or
You have just received a new postcard from Flashecard.com! From: To pick up your postcard follow this web address http://www.flashecard.com.viewcard.main.ecard.php?2342 or click the attached link. We hope you enjoy your postcard, and if you do, please take a moment to send a few yourself! (Your message will be available for 30 days.) Please visit our site for more information. http://www.flashecard.com
The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:
- photos_album
- www.flashecard.com?postcard=viewcard?download
The extension of an infected file can be any of the following:
- .scr
- .html.scr
The worm fakes the sender's address. It uses the following list of names to compose the fake address:
- Jennifer
- Barbara
- Linda
- Susan
- Eric
- Kevin
- Mary
- Robert
- John
- Maria
- Alex
- Pamela
- Anna
- Andrew
- Fred
- Jack
- James
- Julie
- Debby
- Claudia
- Matt
- Brent
It uses the following list of domain names to compose the fake address:
- @aol.com
- @hotmail.com
- @yahoo.com
- @msn.com
- @excite.com
- @mail.com
Killing processes
The worm kills processes if it finds any of the following substrings in their names:
- regedit
- task
- msconfig
- AV
- MC
- Av
- Mc
- av
- mc
- IEFrame
- nti
- iru
- ire
- cc
- ecu
- can
- scn
- KV
- fr
Payload
After December 1st, 2004, 01:01:01 the worm shuts down Windows on an infected computer after its file is started. As a result a user can not log in any more.
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]