F-Secure Virus Descriptions : MyDoom.AF




NAME: MyDoom.AF
ALIAS: I-Worm.Mydoom.ab
SIZE: 31744

Summary

A new variant of the MyDoom worm, Mydoom.AF, was found on October 27th, 2004. The worm is similar to previous variants.

Note: this description has been renamed from Mydoom.AG to Mydoom.AF on 9th of November, 2004.

Detailed Description

The worm is a PE executable file, 31744 bytes long, packed with the UPX file compressor. The unpacked file's size is 73728 bytes.

Installation to system

Upon installation the worm copies itself as 'lsasrv.exe' to the Windows System Directory and creates a startup key for that file in the System Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "lsass" = "%WinSysDir%\lsasrv.exe"

where "%WinSysDir%" represents the Windows System directory. If the startup key cannot be created in the HKLM (local machine) Registry tree, it is created in the HKCU (current user) tree.

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in the Windows Address Book and in files with the following extensions:

 wab
 pl
 adb
 tbb
 dbx
 asp
 php
 sht
 vbs
 cfg
 eml
 cgi
 wsh
 msg
 uin
 xls
 jsp
 xml
 mdx
 mbx
 html
 htm
 txt

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

 avp
 syma
 icrosof
 msn.
 hotmail
 panda
 sopho
 borlan
 inpris
 example
 mydomai
 nodomai
 ruslis
 .gov
 gov.
 .mil
 foo.
 berkeley
 unix
 math
 bsd
 mit.e
 gnu
 fsf.
 ibm.com
 kernel
 linux
 fido
 usenet
 iana
 ietf
 rfc-ed
 sendmail
 arin.
 ripe.
 isi.e
 isc.o
 acketst
 pgp
 tanford.e
 utgers.ed
 mozilla
 root
 info
 samples
 postmaster
 webmaster
 noone
 nobody
 nothing
 anyone
 someone
 your
 you
 me
 bugs
 rating
 site
 contact
 soft
 no
 somebody
 privacy
 service
 help
 not
 submit
 feste
 ca
 gold-certs
 the.bat
 page
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 google
 accoun

Payload

The worm modifies the HOSTS file to block access to the following websites:

 www.symantec.com
 securityresponse.symantec.com
 symantec.com
 www.sophos.com
 sophos.com
 www.mcafee.com
 mcafee.com
 liveupdate.symantecliveupdate.com
 www.viruslist.com
 viruslist.com
 f-secure.com
 www.f-secure.com
 kaspersky.com
 kaspersky-labs.com
 www.avp.com
 www.kaspersky.com
 avp.com
 www.networkassociates.com
 networkassociates.com
 www.ca.com
 ca.com
 mast.mcafee.com
 my-etrust.com
 www.my-etrust.com
 download.mcafee.com
 dispatch.mcafee.com
 secure.nai.com
 nai.com
 www.nai.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 liveupdate.symantec.com
 customer.symantec.com
 rads.mcafee.com
 trendmicro.com
 www.trendmicro.com
 www.grisoft.com
 grisoft.com
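As an added example (not F-Secure's own code), the two host-based artifacts described above, the 'lsass' Run-key value and the HOSTS file entries, can be checked from a HOSTS file's text and a dump of Run-key values; the sample HOSTS text and Run-key dictionary are constructed, and the vendor list is a subset of the one above.

```python
# Added example, not F-Secure's code: check for the two artifacts described
# above. The sample HOSTS text and Run-key values below are constructed.

# Vendor hostnames the write-up says the worm pins in HOSTS (subset of the list).
BLOCKED_HOSTS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "www.kaspersky.com",
    "www.avp.com", "avp.com", "www.ca.com", "ca.com", "trendmicro.com",
    "www.trendmicro.com", "www.grisoft.com", "grisoft.com",
}

def hosts_hijacks(hosts_text):
    """Return (hostname, address) pairs for blocked vendor hosts that the
    HOSTS file pins to an address. A clean Windows HOSTS file maps only
    localhost, so any mapping of these names is suspicious."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in BLOCKED_HOSTS:
                found.append((name.lower(), addr))
    return found

def run_key_persistence(run_values):
    """run_values: dict of value name -> data from a Run key (HKLM or HKCU).
    Flags the 'lsass' value pointing at lsasrv.exe, a name chosen to look
    like the legitimate lsass.exe process."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() == "lsass"
            and data.strip('"').lower().endswith("lsasrv.exe")]

# Constructed sample inputs
SAMPLE_HOSTS = """# sample hosts file header
127.0.0.1       localhost
0.0.0.0 www.symantec.com
0.0.0.0 f-secure.com www.f-secure.com
127.0.0.1 kaspersky.com  # line added by the worm
"""
SAMPLE_RUN = {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
              "lsass": "C:\\WINDOWS\\system32\\lsasrv.exe"}

if __name__ == "__main__":
    for host, addr in hosts_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {addr}")
    for name, data in run_key_persistence(SAMPLE_RUN):
        print(f"Run key persistence: {name} = {data}")
```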

Detection

The Mydoom.AF worm variant is detected as 'I-Worm.Mydoom.ab' starting with the following FSAV database update:

[FSAV_Database_Version]

Version=2004-10-26_01



Write-Up: Katrin Tocheva; October 27th, 2004;

Technical Details: Alexey Podrezov & Ero Carrera; October 27th, 2004;

F-Secure Corporation