F-Secure Virus Descriptions : MyDoom.AM


NAME: MyDoom.AM
ALIAS: W32/Mydoom.AM@mm, Email-Worm.Win32.Mydoom.ag
SIZE: 32768

Summary

A new variant of the MyDoom worm, Mydoom.AM, was found on January 25th, 2005. It spreads in e-mails with varying subject and body texts, and also copies itself into the shared folders of several P2P applications.

Disinfection

F-Secure provides a special disinfection utility to remove a Mydoom.AM infection. You can download this utility from our ftp and web sites:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip

http://www.f-secure.com/tools/f-mydoom.zip

The unpacked version is available from these locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe

http://www.f-secure.com/tools/f-mydoom.exe

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt

http://www.f-secure.com/tools/f-mydoom.txt

System administrators who are using F-Secure Policy Manager can distribute the tool automatically to all workstations as a JAR package. The JAR package with the tool can be downloaded from these locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.jar

http://www.f-secure.com/tools/f-mydoom.jar



Detailed Description

The worm is a PE executable 32768 bytes long, packed with the UPX file compressor. The unpacked file is over 76 KiB.

Installation to system

When run, the worm drops a file named "Mes#wtelw" in the temporary folder, fills it with random data and opens it in Notepad as a decoy.

After Notepad is closed, the worm creates a mutex named "-=RTSW.Smash 0a2a0=-" and copies itself as

 %Sysdir%\lsasrv.exe

where %Sysdir% is the Windows system directory; on a default install of Windows XP that is C:\Windows\system32. It also drops the following files:

 %Sysdir%\version.ini
 hserv.sys

version.ini supposedly holds the worm's version number (0.20); hserv.sys is an encrypted data file listing the web sites the worm contacts for instructions.

The worm creates the following registry values:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "lsass" = %Sysdir%\lsasrv.exe

 [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
 "Shell" = "explorer.exe %Sysdir%\lsasrv.exe"

Either value is enough to start the worm at the next Windows startup. Note that the default value of Shell is just "explorer.exe"; the worm appends its own path to it.
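The two autostart values above are what a responder checks first. The following is an added example, not F-Secure's disinfection tool and not the worm's code: it parses a text export of the two keys (the format written by `reg export`) and flags the worm's entries. The sample export is constructed; the paths assume a default Windows XP install.

```python
import re

# Constructed sample in the .reg export format: one legitimate Run entry
# plus the two values MyDoom.AM writes (default Windows XP paths).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"lsass"="C:\\WINDOWS\\system32\\lsasrv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\lsasrv.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORM_FILE = "lsasrv.exe"        # the name the worm copies itself under
DEFAULT_SHELL = "explorer.exe"  # the stock value of Winlogon\Shell

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a
    .reg export. Only the "name"="data" (REG_SZ) form is handled, which
    is all the two entries need; the export's doubled backslashes are
    collapsed back to single ones."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mydoom_am_autostart(text):
    """Return [(key, value_name, data)] for the worm's autostart entries."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Any Run entry launching lsasrv.exe: Windows ships lsasrv.dll, not
        # an lsasrv.exe, and the value name "lsass" mimics the legitimate
        # lsass.exe process, so the entry is suspicious on its own.
        if data.lower().endswith(WORM_FILE):
            findings.append((RUN_KEY, name, data))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # Shell is normally exactly "explorer.exe"; any other value deserves a look.
    if shell is not None and shell.strip().lower() != DEFAULT_SHELL:
        findings.append((WINLOGON_KEY, "Shell", shell))
    return findings


if __name__ == "__main__":
    for key, name, data in find_mydoom_am_autostart(SAMPLE_REG):
        print(f"[{key}] {name} = {data}")
```

On a live machine the same checks can be run over the output of `reg export` for those two keys. The parser deliberately handles only plain string values, which is all these two entries are.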

Spreading in e-mails

The worm spreads by e-mailing itself to addresses harvested from the infected computer. It looks for addresses in the Windows Address Book and in files with the following extensions:

 txt
 htm
 sht
 php
 cgi
 hta
 htc
 xht
 stm
 ssi
 inc
 jsp
 xml
 dlt
 xsd
 xst
 rss
 rdf
 lbi
 dwt
 asa
 asc
 asm
 csp
 vbp
 conf
 tpl
 jst
 wml
 vbs
 edm
 asp
 dbx
 tbb
 adb
 wab

The worm avoids sending e-mails to addresses that contain any of the following substrings (a match anywhere in the address, not only in the domain part, excludes it):

 avp
 syma
 icrosof
 msn.
 hotmail
 panda
 sopho
 borlan
 inpris
 example
 mydomai
 nodomai
 ruslis
 .gov
 gov.
 .mil
 foo.
 berkeley
 unix
 math
 bsd
 mit.e
 gnu
 fsf.
 ibm.com
 google
 kernel
 linux
 fido
 usenet
 iana
 ietf
 rfc-ed
 sendmail
 arin.
 ripe.
 isi.e
 isc.o
 secur
 acketst
 pgp
 tanford.e
 utgers.ed
 mozilla
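To make the selection rules concrete, here is an added example (not the worm's code) that applies them to constructed sample files: it extracts addresses from files whose extension is on the harvest list and drops any address containing an avoid-list substring. It assumes case-insensitive matching, which the description does not state. Because the check is a plain substring match, it over-excludes: "math" drops tim.mathews@..., "unix" drops anyone at a host containing "unix".

```python
import re

# Extensions the description says the worm scans for addresses.
HARVEST_EXTENSIONS = {
    "txt", "htm", "sht", "php", "cgi", "hta", "htc", "xht", "stm", "ssi",
    "inc", "jsp", "xml", "dlt", "xsd", "xst", "rss", "rdf", "lbi", "dwt",
    "asa", "asc", "asm", "csp", "vbp", "conf", "tpl", "jst", "wml", "vbs",
    "edm", "asp", "dbx", "tbb", "adb", "wab",
}

# Substrings that exclude an address, as listed in the description.
AVOID_SUBSTRINGS = [
    "avp", "syma", "icrosof", "msn.", "hotmail", "panda", "sopho", "borlan",
    "inpris", "example", "mydomai", "nodomai", "ruslis", ".gov", "gov.",
    ".mil", "foo.", "berkeley", "unix", "math", "bsd", "mit.e", "gnu",
    "fsf.", "ibm.com", "google", "kernel", "linux", "fido", "usenet",
    "iana", "ietf", "rfc-ed", "sendmail", "arin.", "ripe.", "isi.e",
    "isc.o", "secur", "acketst", "pgp", "tanford.e", "utgers.ed", "mozilla",
]

# Constructed sample "files" as (name, contents). Only the first three
# have an extension on the harvest list; report.pdf is never read.
SAMPLE_FILES = [
    ("notes.txt", "mail bob@acme-corp.com and tim.mathews@acme-corp.com"),
    ("index.htm", 'href="mailto:webmaster@unixhosting.net" abuse@microsoft.com'),
    ("feed.rss", "security-team@acme-corp.com, jane@hotmail.com, postmaster@contoso.com"),
    ("report.pdf", "never-seen@acme-corp.com"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvested(filename):
    """True if the file has one of the extensions the worm scans."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HARVEST_EXTENSIONS


def avoided_by(address):
    """Return the avoid-list substring that excludes the address, or None.
    Case-insensitive comparison is an assumption of this example."""
    low = address.lower()
    for s in AVOID_SUBSTRINGS:
        if s in low:
            return s
    return None


def select_targets(files):
    """Return (targets, skipped): the addresses the worm would mail, in
    first-seen order, and a map of excluded address -> matching substring."""
    targets, skipped = [], {}
    for name, contents in files:
        if not is_harvested(name):
            continue
        for addr in EMAIL_RE.findall(contents):
            reason = avoided_by(addr)
            if reason is None:
                if addr not in targets:
                    targets.append(addr)
            else:
                skipped[addr] = reason
    return targets, skipped


if __name__ == "__main__":
    targets, skipped = select_targets(SAMPLE_FILES)
    print("would be mailed:", targets)
    for addr, why in skipped.items():
        print(f"skipped {addr} (matched {why!r})")
```

The over-exclusion is deliberate from the author's side: it keeps samples away from anti-virus vendors, research institutions and standards bodies, at the cost of also skipping ordinary users whose address happens to contain one of the fragments.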

The subject of infected e-mails is selected from the following variants:

 Good day
 Do not reply to this email
 hello
 Mail Delivery System
 Attention!!!
 Mail Transaction Failed
 Server Report
 Status
 Error

The body of the e-mails can be one of the following (the texts are reproduced as the worm sends them, misspellings included):

 Mail transaction failed. Partial message is available.

 The message contains Unicode characters and has been sent as a binary attachment.

 The message cannot be represented in 7-bit ASCII encoding and has been sent as a
 binary attachment.

 Attention! New self-spreading virus!
 Be careful, a new self-spreading virus called "RTSW.Smash"
 spreading very fast via e-mail and P2P networks. It's about
 two million people infected and it will be more. To avoid
 your infection by this virus and to stop it we provide you
 with full information how to protect yourself against it and
 also including free remover. Your can find it in the attachment.
 (c) 2004 Networks Associates Technology, Inc. All Rights Reserved

 New terms and conditions for credit card holders
 Here a new terms and conditions for credit card holders using
 a credit cards for making purchase in the Internet in the attachment.
 Please, read it carefully. If you are not agree with new terms and
 conditions do not use your credit card in the World Wide Web.
 Thank you, The World Bank Group
 (c) 2004 The World Bank Group, All Rights Reserved

 Thank you for registering at WORLDXXXPASS.COM
 All your payment info, login and password you can find in the
 attachment file. It's a real good choise to go to
 WORLDXXXPASS.COM

 Attention! Your IP was logged by The Internet Fraud Complaint Center
 Your IP was logged by The Internet Fraud Complaint Center. There was
 a fraud attempt logged by The Internet Fraud Complaint Center from
 your IP. This is a serious crime, so all records was sent to the FBI.
 All information you can find in the attachment. Your IP was flagged
 and if there will be anover attemption you will be busted.
 This message is brought to you by the Federal Bureau of Investigation
 and the National White Collar Crime Center

The worm sends itself as an attachment, using one of the following names:

 document
 readme
 doc
 rules
 file
 data
 docs
 message
 body

with one of the following extensions appended:

 .bat
 .cmd
 .exe
 .scr
 .pif

Spreading in P2P networks

The worm copies itself into the shared folders used by Kazaa, Morpheus, iMesh, eDonkey and Limewire. It uses one of the following filenames:

 winamp5
 icq2004-final
 activation_crack
 K-LiteCodecPack2.34a
 dcom_patches
 adultpaawds
 winxp_patch
 Ad-awarere
 avpprokey
 NeroBROM6.3.1.27
 porno

with one of the following extensions appended:

 .bat
 .exe
 .pif
 .bat

Payload

The worm tries to contact several web sites (the ones stored in the encrypted hserv.sys) and download instructions. These can tell the worm to download and execute additional files.

The worm modifies the hosts file on the infected computer so that the domains of anti-virus companies and other vendors resolve to 127.0.0.1, which blocks access to those sites, and to their signature updates, from the infected machine. The following domains are affected:

 www.symantec.com
 securityresponse.symantec.com
 www.sophos.com
 sophos.com
 www.mcafee.com
 mcafee.com
 liveupdate.symantecliveupdate.com
 www.viruslist.com
 viruslist.com
 www.f-secure.com
 f-secure.com
 kaspersky.com
 kaspersky-labs.com
 www.avp.com
 avp.com
 www.kaspersky.com
 www.networkassociates.com
 networkassociates.com
 www.ca.com
 ca.com
 mast.mcafee.com
 www.my-etrust.com
 my-etrust.com
 download.mcafee.com
 dispatch.mcafee.com
 secure.nai.com
 nai.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 liveupdate.symantec.com
 customer.symantec.com
 rads.mcafee.com
 www.trendmicro.com
 trendmicro.com
 www.grisoft.com
 grisoft.com
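As an added example (not F-Secure's f-mydoom tool), the following checks a hosts file for entries covering any of the listed domains and strips them. The hosts content is constructed; the check flags an entry for a listed domain whatever address it points to, since none of these domains should have a static mapping on a workstation.

```python
# Domains the description says MyDoom.AM redirects to 127.0.0.1.
HIJACKED_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "www.sophos.com",
    "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "www.f-secure.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "www.avp.com", "avp.com", "www.kaspersky.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "www.my-etrust.com", "my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "update.symantec.com",
    "updates.symantec.com", "us.mcafee.com", "liveupdate.symantec.com",
    "customer.symantec.com", "rads.mcafee.com", "www.trendmicro.com",
    "trendmicro.com", "www.grisoft.com", "grisoft.com",
}

# Constructed sample: the stock localhost line, one legitimate intranet
# entry, and three of the worm's additions (one tab-separated with a
# trailing comment, as real hosts files often have).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.acme-corp.local
127.0.0.1 www.f-secure.com
127.0.0.1\tf-secure.com  # added
127.0.0.1 liveupdate.symantec.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each non-comment hosts line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def find_hijacked(text):
    """Return [(line_no, ip, hostname)] for every entry naming a listed
    domain. The worm uses 127.0.0.1, but any address is reported: a
    static mapping for these domains is abnormal regardless of target."""
    hits = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in HIJACKED_DOMAINS:
                hits.append((n, ip, name.lower()))
    return hits


def clean_hosts(text):
    """Return the hosts content with the hijack lines removed. All other
    lines, comments and blanks included, are kept unchanged."""
    bad = {n for n, _, _ in find_hijacked(text)}
    lines = text.splitlines(keepends=True)
    return "".join(l for i, l in enumerate(lines, 1) if i not in bad)


if __name__ == "__main__":
    for n, ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a Windows system the file lives at %Sysdir%\drivers\etc\hosts; after removing the entries, the anti-virus updater can reach its servers again, which is why the hosts file should be cleaned before attempting a signature update.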

It also tries to terminate several firewall- and anti-virus-related processes.




Detection

F-Secure Anti-Virus detects the Mydoom.AM worm with the following update:

[FSAV_Database_Version]

Version=2005-01-25_01



Description: Katrin Tocheva; January 25th, 2005;

Technical Details: Jarkko Turkulainen, Gergely Erdelyi, Alexey Podrezov; January 25th, 2005;

Description Updated: Alexey Podrezov, February 1st, 2005;

F-Secure Corporation