Threat Description

MyDoom.AN

Details

Aliases:MyDoom.AN, W32/Mydoom.AN@mm, I-Worm.Mydoom.gen, Email-Worm.Win32.Mydoom.ai
Category:Malware
Type:Email-Worm
Platform:W32

Summary



MyDoom.AN appeared on January 27th, 2005. At the time this description was written we had no reports of this variant from the field. This variant is considerably more advanced than the previous ones.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide to alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm's body is a Windows PE executable compressed with the MEW executable compressor and patched with the PE_Patch utility. Part of the worm's data area is encrypted.

Installation to system

When the worm's file is run, it copies itself to the Windows folder as SERVICES.EXE and registers this file as a service named 'NetBios Ext32'. The service is started automatically every time Windows starts, so the worm is always active in memory.

On Windows 9x and ME the worm adds a startup key for its file to Windows Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "RPCserv32"

Spreading in e-mails

The worm spreads by sending itself as an infected attachment to all e-mail addresses found on the infected computer. It looks for addresses in the Windows Address Book and in files with the following extensions:

  • wab
  • uin
  • txt
  • tbb
  • stm
  • sht
  • php
  • msg
  • mht
  • mbx
  • jsp
  • htm
  • eml
  • dht
  • dbx
  • cgi
  • asp

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • avp.
  • syman
  • icrosof
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • icrosoft
  • .gov
  • gov.
  • .mil
  • @foo.
  • @iana
  • spam
  • unix
  • linux
  • kasp
  • antivi
  • messagelabs
  • support
  • berkeley
  • unix
  • math
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • icq.com
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • abuse
  • upport
  • www
  • root
  • info
  • samples
  • postmaster
  • rating
  • root
  • news
  • webmaster
  • noone
  • noreply
  • nobody
  • nothing
  • anyone
  • someone
  • rating
  • site
  • contact
  • support
  • somebody
  • privacy
  • service
  • help
  • submit
  • feste
  • gold-certs
  • avp

It should be noted that the worm uses a much improved e-mail address recognition algorithm. It can now recognize obfuscated addresses such as:

  • peter@nospam.domain.com
  • peter-at-domain-dot-com
  • peter at domain dot com
  • peter[at]domain[dot]com

The worm translates all of these forms into a usable address (here, peter@domain.com), so this kind of obfuscation offers no protection against it.
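As an added example (this is not the worm's code and not F-Secure's), the following Python reproduces the harvesting logic described above and the exclusion filter from the preceding list: it recognizes the four obfuscated forms, normalizes them to ordinary addresses, and then drops anything matching the worm's substring list. Only the "nospam" label and the exclusion substrings come from the page; the exact rewriting rules, the extra "removethis"/"spamfree" noise labels and the sample text are assumptions made for this example.

```python
import re

# Subset of the substrings the page says the worm refuses to send to; the
# page's full list is longer, this example only uses a handful of entries.
EXCLUDE_SUBSTRINGS = (
    "avp.", "syman", "icrosof", "panda", "sopho", "example", ".gov", ".mil",
    "spam", "kasp", "antivi", "messagelabs", "support", "secur", "abuse",
    "postmaster", "noreply", "nobody", "root", "www",
)

# Domain labels that exist only to defeat harvesters. "nospam" is from the
# page's example; "removethis" and "spamfree" are assumed extras.
NOISE_LABELS = {"nospam", "removethis", "spamfree"}

# Stand-ins for "@" and "." that cover the four obfuscated forms on the page:
# "@", "[at]", " at ", "-at-" and ".", "[dot]", " dot ", "-dot-".
_AT = r"(?:@|\s*\[\s*at\s*\]\s*|\s+at\s+|\s*-at-\s*)"
_DOT = r"(?:\.|\s*\[\s*dot\s*\]\s*|\s+dot\s+|\s*-dot-\s*)"
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_LOCAL = r"[a-z0-9_][a-z0-9_.+-]*"

ADDRESS_RE = re.compile(
    rf"(?<![a-z0-9._+-])(?P<local>{_LOCAL}){_AT}"
    rf"(?P<domain>{_LABEL}(?:{_DOT}{_LABEL})+)(?![a-z0-9-])",
    re.IGNORECASE,
)


def _normalize(match):
    """Rewrite one regex match into local@domain, dropping noise labels."""
    local = match.group("local").lower()
    domain = re.sub(_DOT, ".", match.group("domain"), flags=re.IGNORECASE).lower()
    labels = [lab for lab in domain.split(".") if lab not in NOISE_LABELS]
    return f"{local}@{'.'.join(labels)}"


def is_excluded(address):
    """True if the worm's plain substring filter would skip this address."""
    lowered = address.lower()
    return any(s in lowered for s in EXCLUDE_SUBSTRINGS)


def extract_addresses(text, apply_filter=True):
    """De-obfuscate every address in text, in order of appearance, without
    duplicates; with apply_filter the worm's exclusion list is applied too."""
    found = []
    for m in ADDRESS_RE.finditer(text):
        addr = _normalize(m)
        if addr in found or (apply_filter and is_excluded(addr)):
            continue
        found.append(addr)
    return found


# Constructed sample input (not from the page): the four obfuscation styles
# plus two addresses that hit the exclusion list and one that does not.
SAMPLE_TEXT = """Contact: peter@nospam.domain.com, peter-at-domain-dot-com,
peter at domain dot com, peter[at]domain[dot]com.
Ignored: admin@example.com, support@domain.com; kept: alice@some-corp.org."""

if __name__ == "__main__":
    for addr in extract_addresses(SAMPLE_TEXT, apply_filter=False):
        print(f"{addr:30} excluded={is_excluded(addr)}")
```

Run it over a mailbox export or a saved web page to see what a harvester of this generation collects. Note that the filter is a plain substring match, so it also throws away legitimate targets such as anything under a "www" or "root" mailbox, which is why the worm's own list is full of such collateral.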

To find further e-mail addresses via the Google search engine, the worm uses the domain list given below (under the fake sender's e-mail address domains) together with the following short list of additional domains:

  • hotmail
  • aol
  • yahoo
  • msn

The worm spreads itself in e-mail messages composed from a randomly chosen subject line, body text and additional parts; the attachment name is taken from a fixed selection. The subject of an infected e-mail is selected from the following variants:

  • Remember me?
  • Hi again
  • Me again
  • Me and you :)
  • Important, see attchmnt
  • My secret
  • Secret message
  • For your eyes only!
  • Look who's naked =)
  • Is it your girl?
  • My girl, for your eyes only
  • Office jokes -))
  • Whoah! Very-very big thing! Take a look!
  • Your friend lying to you..
  • Find yourself on picture :-D
  • Party photos
  • You're next :) take a look
  • Sex in office, funny :]
  • Birthday Party Invitation!
  • <first_name> !!!
  • <first_name> and You!!!
  • Christmas ePostCard
  • Christmas ePostCard from <sender_name>
  • Merry-Christmas!
  • Merry-Christmas from <sender_name>
  • Christmas card
  • Christmas Greeting Card Waiting For You
  • An e-postcard is waiting for you

The body of the e-mail can be one of the following:

  • Remember me?
  • Hi, <sender_name> has sent you an christmas postcard.
  • Merry X-Mas!
  • Happy New Year!
  • Postcard for you
  • New Year Postcard from your friend
  • New Year Postcard from <sender_name>
  • Happy holidays! ;)

The worm sends itself as an attachment using one of the following names. Where <lots of spaces> appears, a long run of spaces pushes the real executable extension out of view, so the recipient sees only the harmless-looking .zip or .jpg:

  • mult.exe
  • mynewphoto.zip<lots of spaces>.exe
  • coolgame.zip<lots of spaces>.exe
  • fantasy.scr
  • you the best.scr
  • pinguin5.exe
  • hello.pif
  • myfack.pif
  • icqcrack.exe
  • antibush.scr
  • mylove.pif
  • newvirus.exe
  • matrix.scr
  • rulezzz.scr
  • mymusic.pif
  • 1.exe
  • photos.zip
  • sh*tpix.zip
  • sh*t.zip
  • fotos.zip
  • images.zip
  • <sender_name>flashepostcard.exe
  • christmasscreenfrom<sender_name> .scr
  • merry-christmas.scr
  • <first_name>_nude.pif
  • <first_name>_joke.jpg <lots of spaces> .pif
  • <first_name>'s x-mas joke.jpg <lots of spaces> .scr
  • flash x-mas game.exe
  • <first_name>.jpg <lots of spaces> .cpl
  • ePostCard<random_number>.jpg <lots of spaces> .cpl

The worm fakes the sender's e-mail address. The following domains are used to generate the fake address:

  • dailymail.co.uk
  • mail.com
  • hotmail.com
  • gmx.net
  • yahoo.co.uk
  • 1access.net
  • a1isp.net
  • accessus.net
  • address.com
  • ameralinx.net
  • aol.com
  • apci.net
  • arczip.com
  • aristotle.net
  • att.net
  • cableone.net
  • cais.com
  • canada.com
  • cayuse.net
  • ccp.com
  • ccpc.net
  • chello.com
  • compuserve.com
  • core.com
  • cox.net
  • cybernex.net
  • dialupnet.com
  • earthlink.net
  • eclipse.net
  • eisa.com
  • ev1.net
  • excite.com
  • fast.net
  • fcc.net
  • flex.com
  • gbronline.com
  • globalbiz.net
  • globetrotter.net
  • highstream.net
  • hiwaay.net
  • ieway.com
  • inext.fr
  • infoave.net
  • iquest.net
  • isp.com
  • ispwest.com
  • istep.com
  • juno.com
  • loa.com
  • macconnect.com
  • madriver.com
  • msn.com
  • nccw.net
  • netcenter.com
  • netrox.net
  • netzero.net
  • pacific.net.sg
  • palm.net
  • pathlink.com
  • peoplepc.com
  • pics.com
  • rcn.com
  • ricochet.com
  • surfree.com
  • t-online.com
  • t-online.de
  • tiscali.com
  • toad.net
  • ultimanet.com
  • verizon.net
  • wanadoo.com
  • worldcom.com
  • worldshare.net
  • wwc.com
  • yahoo.com
  • ziplink.net

The following first names are used to generate the fake sender's e-mail address (partial list only, the original list contains 500 names):

  • James
  • John
  • Robert
  • Michael
  • William
  • David
  • Richard
  • Charles
  • Joseph
  • Thomas
  • Christopher
  • Daniel
  • Paul
  • Mark
  • Donald
  • George
  • Kenneth
  • Steven
  • Edward
  • Brian
  • Ronald
  • Anthony
  • Kevin
  • Jason
  • Matthew
  • Gary
  • Timothy
  • Jose
  • Larry
  • Jeffrey
  • Frank
  • Scott
  • Eric
  • Stephen
  • Andrew
  • Raymond
  • Gregory
  • Joshua
  • Jerry
  • Dennis

The following last names are used to generate the fake sender's e-mail address (partial list only):

  • Smith
  • Johnson
  • Williams
  • Jones
  • Brown
  • Davis
  • Miller
  • Wilson
  • Moore
  • Taylor
  • Anderson
  • Thomas
  • Jackson
  • White
  • Harris
  • Martin
  • Thompson
  • Garcia
  • Martinez
  • Robinson
  • Clark
  • Rodriguez
  • Lewis
  • Lee
  • Walker
  • Hall
  • Allen
  • Young
  • Hernandez
  • King
  • Wright
  • Lopez
  • Hill

The worm can append a fake anti-virus scanner report to an infected message to persuade the recipient that the e-mail was scanned and found clean. It uses the following strings:

  • MessageLabs AntiVirus - www.messagelabs.com
  • Bitdefender AntiVirus - www.bitdefender.com
  • MC-Afee AntiVirus - www.mcafee.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • Panda AntiVirus - www.pandasoftware.com
  • Norman AntiVirus - www.norman.com
  • F-Secure AntiVirus - www.f-secure.com
  • Norton AntiVirus - www.symantec.de

Sending ICQ messages

The worm sends ICQ messages with specially constructed URLs that point to specific webpages. The text of such messages can be any of the following:

  • fun game http://<link_to_website>?<file_name>=<file_name> :-)))
  • funy game http://<link_to_website>?<file_name>=<file_name> =)
  • game http://<link_to_website>?<file_name>=<file_name> :-)
  • view my postcard http://<link_to_website>?<file_name>=<file_name>
  • merry-christmas http://<link_to_website>?<file_name>=<file_name> !!!
  • happy x-mas http://<link_to_website>?<file_name>=<file_name> !
  • lol http://<link_to_website>?<file_name>=<file_name>
  • http://<link_to_website>?<file_name>=<file_name>
  • sh*t!!! http://<link_to_website>?<file_name>=<file_name>
  • http://<link_to_website>?<file_name>=<file_name>
  • about Saddam Hussein http://<link_to_website>?<file_name>=<file_name>
  • sex on mars http://<link_to_website>?<file_name>=<file_name> LOL

where <link_to_website> is a link to a website (hardcoded list) and <file_name> can be one of the following:

  • sh*t.zip
  • fotos.zip
  • images.zip
  • <first_name>.zip
  • Christmas ePostCard.zip
  • Christmas ePostCard from <sender_name>.zip
  • Merry/-Christmas!.zip
  • Merry/-Christmas from <sender_name>.zip
  • Christmas card.zip
  • Christmas Greeting Card Waiting For You.zip
  • An e-postcard is waiting for you.zip

Payload

The worm contains a list of URLs from which it tries to download an additional file. The following sites are checked by the worm for the presence of that file:

  • http://benjafieldsracingclub.co.uk/
  • http://bored.kary.ca/
  • http://bossco.co.uk/
  • http://dreamon.cyberdogcastle.com/
  • http://forums.maehara.co.uk/
  • http://www.aartanridge.org.uk/
  • http://www.alfa-pages.co.uk/
  • http://www.aoprojecteden.org/
  • http://www.creativemods.com/
  • http://www.dilvie.com/
  • http://www.eastcoastchoons.co.uk/
  • http://www.euhg.org/
  • http://www.fartdevilstudio.org/
  • http://www.foxalpha.com/
  • http://www.frenchconnexion.org/
  • http://www.petrucciforum.com/
  • http://www.ribaforada.net/
  • http://www.stahlhammer.org/
  • http://www.sundayriders.co.uk/
  • http://www.supermantv.net/
  • http://www.yamamizuryu.org/
  • http://www.foxalpha.com/
  • http://www.hidden-agenda.co.uk/
  • http://www.hooping.org/
  • http://www.hypnobirthing.co.uk/
  • http://www.idiotica.co.uk/
  • http://www.imogenheap.co.uk/
  • http://www.knutsfordcricket.co.uk/
  • http://www.lancer.com.ru/
  • http://www.newgenerationcomics.net/
  • http://www.overcoming/

We are watching these locations in order to obtain the file that Mydoom is supposed to download and activate on an infected computer. So far we have only been able to download a few files, which are a variant of the Surila backdoor (Backdoor.Win32.Surila.o).

The worm terminates processes and deletes files with the following names:

  • OUTPOST.EXE
  • IAOIN.EXE
  • RB.EXE
  • b055262c.dll
  • backdoor.rbot.gen.exe
  • backdoor.rbot.gen_(17).exe
  • msssss.exe
  • rasmngr.exe
  • dailin.exe
  • wowpos32.exe
  • wuamgrd.exe
  • taskmanagr.exe
  • wuamga.exe
  • ATUPDATER.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • Systra.exe
  • RAVMOND.exe
  • GfxAcc.exe
  • VisualGuard.exe
  • hxdef.exe
  • fvprotect.exe
  • jammer2nd.exe
  • ssgrate.exe
  • winxp.exe
  • sysxp.exe
  • d3dupdate.exe
  • BEAGLE.EXE
  • ACKWIN32.EXE
  • ADAWARE.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • AGENTW.EXE
  • ALERTSVC.EXE
  • ALEVIR.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ARR.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AU.EXE
  • AUPDATE.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGNT.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGUARD.EXE
  • AVGW.EXE
  • AVKPOP.EXE
  • AVKSERV.EXE
  • AVKSERVICE.EXE
  • AVKWCTl9.EXE
  • AVLTMAIN.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD.EXE
  • AVWUPD32.EXE
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • AVXQUAR.EXE
  • BACKWEB.EXE
  • BARGAINS.EXE
  • BD_PROFESSIONAL.EXE
  • BEAGLE.EXE
  • BELT.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BLSS.EXE
  • BOOTCONF.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BPC.EXE
  • BRASIL.EXE
  • BS120.EXE
  • BUNDLE.EXE
  • BVT.EXE
  • CCAPP.EXE
  • CCEVTMGR.EXE
  • CCPXYSVC.EXE
  • CDP.EXE
  • CFD.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95CF.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CLICK.EXE
  • CMD32.EXE
  • CMESYS.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CTRL.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • Claw95.EXE
  • CLAW95CF.EXE
  • DATEMANAGER.EXE
  • DCOMX.EXE
  • DEFALERT.EXE
  • DEFSCANGUI.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DLLCACHE.EXE
  • DLLREG.EXE
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DPPS2.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DRWEBUPW.EXE
  • DSSAGENT.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • EMSW.EXE
  • ENT.EXE
  • ESAFE.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ESPWATCH.EXE
  • ETHEREAL.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXE.AVXW.EXE
  • EXPERT.EXE
  • EXPLORE.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FIH32.EXE
  • FINDVIRU.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • FNRB32.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FPROT.EXE
  • FRW.EXE
  • FSAA.EXE
  • FSAV.EXE
  • FSAV32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • FSGK32.EXE
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • GATOR.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GMT.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HBINST.EXE
  • HBSRV.EXE
  • HOTACTIO.EXE
  • HOTPATCH.EXE
  • HTLOG.EXE
  • HTPATCH.EXE
  • HWPE.EXE
  • HXDL.EXE
  • HXIUL.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IAMSTATS.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IDLE.EXE
  • IEDLL.EXE
  • IEDRIVER.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • INETLNFO.EXE
  • INFUS.EXE
  • INFWIN.EXE
  • INIT.EXE
  • INTDEL.EXE
  • INTREN.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISASS.EXE
  • ISRV95.EXE
  • ISTSVC.EXE
  • JAMMER.EXE
  • JDBGMRG.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KEENVALUE.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KERNEL32.EXE
  • KILLPROCESSSETUP161.EXE
  • LAUNCHER.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LNETINFO.EXE
  • LOADER.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LORDPE.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MAPISVC32.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MD.EXE
  • MFIN32.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MMOD.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MOSTAT.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSAPP.EXE
  • MSBB.EXE
  • MSBLAST.EXE
  • MSCACHE.EXE
  • MSCCN32.EXE
  • MSCMAN.EXE
  • MSCONFIG.EXE
  • MSDM.EXE
  • MSDOS.EXE
  • MSIEXEC16.EXE
  • MSINFO32.EXE
  • MSLAUGH.EXE
  • MSMGT.EXE
  • MSMSGRI32.EXE
  • MSSMMC32.EXE
  • MSSYS.EXE
  • MSVXD.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAV.EXE
  • AUTO-PROTECT.NAV80TRY.EXE
  • NAVAP.NAVAPSVC.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVENGNAVEX15.NAVLU32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NEOWATCHLOG.EXE
  • NETARMOR.EXE
  • NETD32.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NOD32.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NOTSTART.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NPSCHECK.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NSSYS32.EXE
  • NSTASK32.EXE
  • NSUPDATE.EXE
  • NT.EXE
  • NTRTSCAN.EXE
  • NTXconfig.EXE
  • NUI.EXE
  • NUPGRADE.EXE
  • NUPGRADE.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • NWINST4.EXE
  • NWSERVICE.EXE
  • NWTOOL16.EXE
  • OLLYDBG.EXE
  • ONSRVR.EXE
  • OPTIMIZE.EXE
  • OSTRONET.EXE
  • OTFIX.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PATCH.EXE
  • PAVCL.EXE
  • PAVPROXY.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • PCCNTMON.EXE
  • PCCWIN97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PCSCAN.EXE
  • PDSETUP.EXE
  • PENIS.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PGMONITR.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • POWERSCAN.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PRIZESURFER.EXE
  • PRMT.EXE
  • PRMVR.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PUSSY.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAPAPP.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • RAY.EXE
  • RB32.EXE
  • RCSYNC.EXE
  • REALMON.EXE
  • REGED.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCAN.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • RUNDLL.EXE
  • RUNDLL16.EXE
  • RUXDLL32.EXE
  • SAFEWEB.EXE
  • SAHAGENT.EXE
  • SAVE.EXE
  • SAVENOW.EXE
  • SBSERV.EXE
  • SC.EXE
  • SCAM32.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SCRSVR.EXE
  • SD.EXE
  • SERV95.EXE
  • SERVLCE.EXE
  • SERVLCES.EXE
  • SETUPVAMEEVAL.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SHOWBEHIND.EXE
  • SMC.EXE
  • SMS.EXE
  • SMSS32.EXE
  • SOAP.EXE
  • SOFI.EXE
  • SPERM.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPOOLCV.EXE
  • SPOOLSV32.EXE
  • SPYXX.EXE
  • SREXE.EXE
  • SRNG.EXE
  • SS3EDIT.EXE
  • SSGRATE.EXE
  • SSG_4104.EXE
  • ST2.EXE
  • START.EXE
  • STCLOADER.EXE
  • SUPFTRL.EXE
  • SUPPORT.EXE
  • SUPPORTER5.EXE
  • SVC.EXE
  • SVCHOSTC.EXE
  • SWEEP95.EXE
  • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • SYSTEM.EXE
  • SYSTEM32.EXE
  • SYSUPD.EXE
  • TASKMO.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TEEKIDS.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRICKLER.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • TSADBOT.EXE
  • TVMD.EXE
  • TVTMD.EXE
  • UNDOBOOT.EXE
  • UPDAT.EXE
  • UPDATE.EXE
  • UPDATE.EXE
  • UPGRAD.EXE
  • UTPOST.EXE
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBDAV.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WIN-BUGSFIX.EXE
  • WIN32.EXE
  • WIN32US.EXE
  • WINACTIVE.EXE
  • WINDOW.EXE
  • WINDOWS.EXE
  • WININETD.EXE
  • WININIT.EXE
  • WININITX.EXE
  • WINLOGIN.EXE
  • WINMAIN.EXE
  • WINPPR32.EXE
  • WINRECON.EXE
  • WINSSK32.EXE
  • WINSTART.EXE
  • WINSTART001.EXE
  • WINTSK32.EXE
  • WINUPDATE.EXE
  • WKUFIND.EXE
  • WNAD.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WUPDATER.EXE
  • WUPDT.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • HIJACKTHIS.EXE
  • F-AGOBOT.EXE

Additionally the worm deletes the services with the following names:

  • NETSKY
  • navapsvc
  • NProtectService
  • Norton Antivirus Server
  • VexiraAntivirus
  • dvpinit
  • dvpapi
  • schscnt
  • BackWeb Client - 7681197
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • AVPCC
  • KAVMonitorService
  • Norman NJeeves
  • NVCScheduler
  • nvcoas
  • Norman ZANDA
  • PASSRV
  • SweepNet
  • SWEEPSRV.SYS
  • NOD32ControlCenter
  • NOD32Service
  • PCCPFW
  • Tmntsrv
  • AvxIni
  • XCOMM
  • ravmon8
  • SmcService
  • BlackICE
  • PersFW
  • McAfee Firewall
  • OutpostFirewall
  • NWService
  • NISUM
  • NISSERV
  • vsmon

The worm modifies the HOSTS file on the infected computer so that domains belonging to anti-virus companies and other commercial sites resolve to 127.0.0.1. This makes those sites unreachable from the infected machine, so security products can no longer reach their update servers. The following domains are affected:

  • downloads-us1.kaspersky-labs.com
  • www.avp.com
  • www.viruslist.com
  • viruslist.com
  • www.symantec.com
  • networkassociates.com
  • secure.nai.com
  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • downloads-us1.kaspersky-labs.com
  • downloads-eu1.kaspersky-labs.com
  • kaspersky-labs.com
  • www.networkassociates.com
  • us.mcafee.com
  • f-secure.com
  • avp.com
  • www.sophos.com
  • sophos.com
  • www.ca.com
  • ca.com
  • securityresponse.symantec.com
  • symantec.com
  • mast.mcafee.com
  • my-etrust.com
  • www.kaspersky.com
  • www.f-secure.com
  • dispatch.mcafee.com
  • update.symantec.com
  • nai.com
  • www.nai.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • trendmicro.com
  • liveupdate.symantecliveupdate.com
  • www.mcafee.com
  • mcafee.com
  • viruslist.com
  • www.my-etrust.com
  • download.mcafee.com
  • updates.symantec.com
  • kaspersky.com
  • www.trendmicro.com
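
An added example (Python, not from the page or from F-Secure) of how an incident responder would check a HOSTS file for this kind of tampering: parse each entry, flag public names that are mapped to a loopback or unspecified address, and optionally restrict the report to the vendor domains listed above. It goes slightly beyond the page's 127.0.0.1 behaviour by also treating 0.0.0.0 and ::1 as sinkholes, since later malware used those. The sample HOSTS content is constructed for this example.

```python
import ipaddress

# Second-level vendor domains taken from the page's HOSTS list; any
# subdomain of these matches as well.
VENDOR_DOMAINS = (
    "kaspersky-labs.com", "kaspersky.com", "avp.com", "viruslist.com",
    "symantec.com", "symantecliveupdate.com", "networkassociates.com",
    "nai.com", "mcafee.com", "f-secure.com", "sophos.com", "ca.com",
    "my-etrust.com", "trendmicro.com",
)

# Names that legitimately point at loopback and must not be reported.
ALLOWED_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments/blanks.
    A line may carry several hostnames after the address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower()


def is_sinkhole(ip):
    """True for loopback (127.x.x.x, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_vendor_domain(host):
    """True if host is, or is under, one of the vendor domains from the page."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_sinkholed(text, vendor_only=False):
    """Return {hostname: ip} for entries that redirect a public name to a
    dead address; with vendor_only, keep only the page's vendor domains."""
    hits = {}
    for ip, host in parse_hosts(text):
        if host in ALLOWED_LOOPBACK or not is_sinkhole(ip):
            continue
        if vendor_only and not is_vendor_domain(host):
            continue
        hits[host] = ip
    return hits


# Constructed sample HOSTS file: the stock localhost line, vendor entries in
# the style the page describes, one non-vendor sinkhole and one real mapping.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.avp.com
127.0.0.1\tdownloads-us1.kaspersky-labs.com
127.0.0.1\tliveupdate.symantec.com
127.0.0.1\tf-secure.com  www.f-secure.com   # two names on one line
0.0.0.0\tupdate.symantec.com
127.0.0.1\tads.tracker.example   # not a vendor domain
192.168.1.10\tintranet.corp.example
"""

if __name__ == "__main__":
    for host, ip in find_sinkholed(SAMPLE_HOSTS).items():
        tag = "vendor" if is_vendor_domain(host) else "other"
        print(f"{ip:12} {host:40} {tag}")
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; a stock installation contains only the localhost entries, so every sinkholed public name this reports is worth explaining.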

Interestingly, the worm enables the Registry tools and the firewall on the computer where it is present, but to hide its activity it adds its own file name to the firewall's list of authorised applications. As a result the worm's network traffic does not trigger firewall alerts.

Limited Lifecycle

The worm has a limited lifecycle. After 3 February 2005, 00:05, the worm creates the following Registry value:

  • [HKLM\SOFTWARE\Microsoft\Internet Explorer] "Mshdfgq"

and then deletes its service and its installed file and terminates its own process.





