1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. MyDoom.AM

MyDoom.AM

NAME:W32/Mydoom.AM@mm, Email-Worm.Win32.Mydoom.ag
SIZE:32768

Summary

A new variant of MyDoom worm - Mydoom.AM, was found on January 25th, 2005. It spreads in e-mails with different subject and body texts, and attempts to spread in several P2P networks.

Disinfection

F-Secure provides the special disinfection utility to eliminate Mydoom.AM worm infection. You can download this utility from our ftp and web sites:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip

http://www.f-secure.com/tools/f-mydoom.zip

The unpacked version is available from these locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe

http://www.f-secure.com/tools/f-mydoom.exe

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt

http://www.f-secure.com/tools/f-mydoom.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations. The JAR package with the tool can be downloaded from these locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.jar

http://www.f-secure.com/tools/f-mydoom.jar

Detailed Description


The worm is a PE executable file 32768 bytes long packed with UPX file compressor. The unpacked file's size is over 76 KiB.

Installation to system

When run, the worm drops a file "Mes#wtelw" in temporary folder and writes some random data in the file. Then it opens this file in notepad as a decoy.

After the notepad is closed, the worm creates a mutex named "-=RTSW.Smash 0a2a0=-" and copies itself as

%Sysdir%\lsasrv.exe
where %Sysdir% is the Windows system directory. On default install of Windows XP, that is c:\Windows\system32. It also drops the following files:

%Sysdir%\version.ini hserv.sys
version.ini contains supposedly the worm version number (0.20) and hserv.sys is encrypted data file containing web sites the worm contacts for instructions.

The worm installs the following registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass" = %Sysdir%\lsasrv.exe
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe %Sysdir%\lsasrv.exe"
This will ensure that the worm will be started on next Windows startup.

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:

txt htm sht php cgi hta htc xht stm ssi inc jsp xml dlt xsd xst rss rdf lbi dwt asa asc asm csp vbp conf tpl jst wml vbs edm asp dbx tbb adb wab
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

avp syma icrosof msn. hotmail panda sopho borlan inpris example mydomai nodomai ruslis .gov gov. .mil foo. berkeley unix math bsd mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla
The subject of infected e-mails is selected from the following variants:

Good day Do not reply to this email hello Mail Delivery System Attention!!! Mail Transaction Failed Server Report Status Error
The body of the emails can one of the following:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attention! New self-spreading virus! Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment. (c) 2004 Networks Associates Technology, Inc. All Rights Reserved
New terms and conditions for credit card holders Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web. Thank you, The World Bank Group (c) 2004 The World Bank Group, All Rights Reserved
Thank you for registering at WORLDXXXPASS.COM All your payment info, login and password you can find in the attachment file. It's a real good choise to go to WORLDXXXPASS.COM
Attention! Your IP was logged by The Internet Fraud Complaint Center Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted. This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center


The worm sends itself as an attachement, using one of the following names:

document readme doc rules file data docs message body
with one of the following extensions appended:

.bat .cmd .exe .scr .pif
Spreading in P2P networks

The worm will copy itself in folders used by Kazaa, Morpheus, iMesh, eDonkey and Limewire. It uses of the following filenames:

winamp5 icq2004-final activation_crack K-LiteCodecPack2.34a dcom_patches adultpaawds winxp_patch Ad-awarere avpprokey NeroBROM6.3.1.27 porno
with one of the following extensions appended:

.bat .exe .pif .bat
Payload

The worm tries to contact several web sites and download instructions. These can instruct the worm to download and execute additional files.

The worm modifies the hosts file on infected computer so that domains belonging to Anti-Virus companies and other commercial sites are resolved to the IP address 127.0.0.1, disabling the domain. The following domains are affected:

www.symantec.com securityresponse.symantec.com www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com www.f-secure.com f-secure.com kaspersky.com kaspersky-labs.com www.avp.com avp.com www.kaspersky.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com www.my-etrust.com my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com rads.mcafee.com www.trendmicro.com trendmicro.com www.grisoft.com grisoft.com
It also tries to terminate several Firewall and Anti-Virus related processes.

Detection



F-Secure Anti-Virus detects Mydoom.AM worm with the following update:

[FSAV_Database_Version]
Version=2005-01-25_01

Description: Katrin Tocheva; January 25th, 2005;

Technical Details: Jarkko Turkulainen, Gergely Erdelyi, Alexey Podrezov; January 25th, 2005;

Description Updated: Alexey Podrezov, February 1st, 2005;