

MyDoom.E


Aliases:


MyDoom.E
I-Worm.Mydoom.d, W32/Mydoom.e@MM, W32/Mydoom.E.worm
W32/MyDoom-E, WORM_MYDOOM.E

Malware
Email-Worm
W32

Summary

The MyDoom.E worm variant appeared on 16th of February 2004. It is functionally similar to the previous variants: like them, it spreads via e-mail and the Kazaa peer-to-peer network, drops a backdoor and attacks the www.sco.com website.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

MyDoom.E worm's file is a PE executable 24576 bytes long compressed with UPX file compressor. The unpacked file's size is over 35 kilobytes.

The worm's lifespan is from 16:09:18 UTC on 10.02.2004 to 2:28:57 UTC on 14.02.2006. If the current date is outside this range, the worm does not start its replication and payload routines.


Installation to system

When the worm's file is run, it creates a separate thread that generates a file of garbage data and opens it with Notepad. The thread then terminates.

After that the worm drops the SHIMGAPI.DLL file into the Windows System folder. This file is the backdoor (remote access) component. It is loaded as a thread of Explorer via the following Registry key:

  • [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

Finally, the worm installs itself: it copies itself as TASKMON.EXE to the Windows System directory and creates a startup key for this file in the Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "TaskMon" = "%winsysdir%\taskmon.exe"

where %winsysdir% represents Windows System directory name.


Spreading in e-mails

The worm spreads itself in e-mail messages. To locate e-mail addresses to spread to, it reads the Address Book file name from the Registry:

  • [HKCU\Software\Microsoft\WAB\WAB4\Wab File Name]

It then browses through the Address Book file and collects e-mail addresses from it. Additionally, the worm looks for e-mail addresses in files with the following extensions:

  • wab
  • pl
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt

The worm avoids using e-mail addresses that contain the following substrings:

  • avp
  • syma
  • icrosof
  • msn.
  • hotmail
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun

The worm fakes the sender's e-mail address, composing it from two parts: a user name and a domain name. The user names the worm uses are:

  • john
  • alex
  • michael
  • james
  • mike
  • kevin
  • david
  • george
  • sam
  • andrew
  • jose
  • leo
  • maria
  • jim
  • brian
  • serg
  • mary
  • ray
  • tom
  • peter
  • robert
  • bob
  • jane
  • joe
  • dan
  • dave
  • matt
  • steve
  • smith
  • stan
  • bill
  • bob
  • jack
  • fred
  • ted
  • adam
  • brent
  • alice
  • anna
  • brenda
  • claudia
  • debby
  • helen
  • jerry
  • jimmy
  • julie
  • linda
  • sandra

Here is the list of domain names that the worm uses:

  • aol.com
  • msn.com
  • yahoo.com
  • hotmail.com

The subject for the infected message is selected from the following variants:

  • test
  • hi
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error

The body of the infected message can contain one of the following:

  • test
  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment name can be one of the following:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

The attachment can have two extensions. In that case the first extension can be:

  • doc
  • htm
  • tmp

The second (or only) extension can be:

  • pif
  • scr
  • exe
  • cmd
  • bat

The worm can also send itself inside a ZIP archive.
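As an added illustration of the message traits listed above (not part of the original F-Secure description), the following mail-gateway heuristic scores a raw message on the subject, body and attachment-name patterns MyDoom.E uses. The sample message is constructed here, and the attachment body is a placeholder, not worm code.

```python
from email import message_from_string

# Indicator lists transcribed from the MyDoom.E description above.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = {"test", "mail transaction failed. partial message is available.",
          "the message contains unicode characters and has been sent as a binary attachment.",
          "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment."}
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
FIRST_EXT, EXEC_EXT = {"doc", "htm", "tmp"}, {"pif", "scr", "exe", "cmd", "bat"}

def attachment_matches(filename: str) -> bool:
    """True for name.exec, name.first.exec or name.zip: the shapes the worm builds."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] not in ATTACH_NAMES:
        return False
    exts = parts[1:]
    if exts == ["zip"]:
        return True
    if len(exts) == 1:
        return exts[0] in EXEC_EXT
    return len(exts) == 2 and exts[0] in FIRST_EXT and exts[1] in EXEC_EXT

def score_message(raw: str) -> int:
    """Count MyDoom.E traits in a raw RFC 822 message: subject, body, attachment."""
    msg = message_from_string(raw)
    score = 0
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        score += 1
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_matches(name):
            score += 2  # an executable named like the worm's attachment is the strongest sign
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("ascii", "replace")
            if text.strip().lower() in BODIES:
                score += 1
    return score

# Constructed sample shaped like the worm's mail (not a real capture); attachment body is a placeholder.
SAMPLE = (
    "From: john@yahoo.com\nTo: someone@example.org\n"
    "Subject: Mail Transaction Failed\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Mail transaction failed. Partial message is available.\n"
    '--b1\nContent-Type: application/octet-stream; name="document.htm.pif"\n'
    'Content-Disposition: attachment; filename="document.htm.pif"\n\nPLACEHOLDER\n--b1--\n'
)
```

A score of 2 or more (an attachment hit) is the signal worth quarantining on; subject and body alone also match ordinary bounce notices.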


Spreading in Kazaa file sharing network

The worm spreads itself in the Kazaa file sharing network. When it locates the Kazaa shared folder, it copies itself there with one of the following names:

  • winamp5
  • icq2004-final
  • activation_crack
  • strip-girl-2.0bdcom_patches
  • rootkitXP
  • office_crack
  • nuke2004

The following extensions are used for the copied file:

  • bat
  • pif
  • scr
  • exe

Payload

Like its previous variants, the MyDoom.E worm tries to perform a DoS (Denial of Service) attack against the www.sco.com website. During the attack the worm floods the site with numerous GET / HTTP requests.

The worm also drops a backdoor that runs as a thread of Explorer and listens on port 3127 for commands from remote attackers.






