MyDoom.AF

Summary

A new variant of MyDoom worm - Mydoom.AF, was found on October 27th, 2004. The worm is similar to previous variants.Note: Mydoom.AG was renamed to Mydoom.AF on 9th of November, 2004.

Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

• Eliminating a Local Network Outbreak

Technical Details

The worm is a PE executable file 31744 bytes long packed with UPX file compressor. The unpacked file's size is 73728 bytes.

Installation to system

Upon installation the worm copies itself as 'lsasrv.exe' file to Windows System Directory and creates a startup key for that file in System Registry:

• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass" = "%WinSysDir%\lsasrv.exe"

where "%WinSysDir%" represents Windows System directory. If the startup key cal not be created in HKLM (local machine) Registry tree, it is created in HKCU (current user) tree.

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:

• wab
• pl
• adb
• tbb
• dbx
• asp
• php
• sht
• vbs
• cfg
• eml
• cgi
• wsh
• msg
• uin
• xls
• jsp
• xml
• mdx
• mbx
• html
• htm
• txt

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

• avp
• syma
• icrosof
• msn.
• hotmail
• panda
• sopho
• borlan
• inpris
• example
• mydomai
• nodomai
• ruslis
• .gov
• gov.
• .mil
• foo.
• berkeley
• unix
• math
• bsd
• mit.e
• gnu
• fsf.
• ibm.com
• kernel
• linux
• fido
• usenet
• iana
• ietf
• rfc-ed
• sendmail
• arin.
• ripe.
• isi.e
• isc.o
• acketst
• pgp
• tanford.e
• utgers.ed
• mozilla
• root
• info
• samples
• postmaster
• webmaster
• noone
• nobody
• nothing
• anyone
• someone
• your
• you
• me
• bugs
• rating
• site
• contact
• soft
• no
• somebody
• privacy
• service
• help
• not
• submit
• feste
• ca
• gold-certs
• the.bat
• page
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• google
• accoun

Payload

The worm modifies the HOSTS file to block access to the following websites:

• www.symantec.com
• securityresponse.symantec.com
• symantec.com
• www.sophos.com
• sophos.com
• www.mcafee.com
• mcafee.com
• liveupdate.symantecliveupdate.com
• www.viruslist.com
• viruslist.com
• f-secure.com
• www.f-secure.com
• kaspersky.com
• kaspersky-labs.com
• www.avp.com
• www.kaspersky.com
• avp.com
• www.networkassociates.com
• networkassociates.com
• www.ca.com
• ca.com
• mast.mcafee.com
• my-etrust.com
• www.my-etrust.com
• download.mcafee.com
• dispatch.mcafee.com
• secure.nai.com
• nai.com
• www.nai.com
• update.symantec.com
• updates.symantec.com
• us.mcafee.com
• liveupdate.symantec.com
• customer.symantec.com
• rads.mcafee.com
• trendmicro.com
• www.trendmicro.com
• www.grisoft.com
• grisoft.com