Threat Description

MyDoom.AF

Details

Aliases: MyDoom.AF, .Mydoom.ab
Category: Malware
Type: Email-Worm
Platform: W32

Summary



A new variant of MyDoom worm - Mydoom.AF, was found on October 27th, 2004. The worm is similar to previous variants.Note: Mydoom.AG was renamed to Mydoom.AF on 9th of November, 2004.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm is a PE executable file 31744 bytes long packed with UPX file compressor. The unpacked file's size is 73728 bytes.

Installation to system

Upon installation the worm copies itself as 'lsasrv.exe' file to Windows System Directory and creates a startup key for that file in System Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass" = "%WinSysDir%\lsasrv.exe"

where "%WinSysDir%" represents Windows System directory. If the startup key cal not be created in HKLM (local machine) Registry tree, it is created in HKCU (current user) tree.

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:

  • wab
  • pl
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • vbs
  • cfg
  • eml
  • cgi
  • wsh
  • msg
  • uin
  • xls
  • jsp
  • xml
  • mdx
  • mbx
  • html
  • htm
  • txt

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • avp
  • syma
  • icrosof
  • msn.
  • hotmail
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun

Payload

The worm modifies the HOSTS file to block access to the following websites:

  • www.symantec.com
  • securityresponse.symantec.com
  • symantec.com
  • www.sophos.com
  • sophos.com
  • www.mcafee.com
  • mcafee.com
  • liveupdate.symantecliveupdate.com
  • www.viruslist.com
  • viruslist.com
  • f-secure.com
  • www.f-secure.com
  • kaspersky.com
  • kaspersky-labs.com
  • www.avp.com
  • www.kaspersky.com
  • avp.com
  • www.networkassociates.com
  • networkassociates.com
  • www.ca.com
  • ca.com
  • mast.mcafee.com
  • my-etrust.com
  • www.my-etrust.com
  • download.mcafee.com
  • dispatch.mcafee.com
  • secure.nai.com
  • nai.com
  • www.nai.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • trendmicro.com
  • www.trendmicro.com
  • www.grisoft.com
  • grisoft.com





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More