F-Secure
Tools
MyDoom.F
| Name : | MyDoom.F |
| Category: | Malware |
| Type: | Virus |
| Platform: | Win32 |
Summary
A new variant of MyDoom worm - Mydoom.F was found on February 20th, 2004
It is functionally similar to the original variant but it
does not attack www.sco.com. Mydoom.F tries to perform a
Distributed Denial-of-Service attack on www.microsoft.com and
also www.riaa.com.
Mydoom.A description is available at:
http://www.f-secure.com/v-descs/novarg.shtml
Mydoom.B description is available at:
http://www.f-secure.com/v-descs/mydoom_b.shtml
Disinfection
Special Disinfection Tool
F-Secure has developed a special disinfection tool for this worm.
The tool will detect and remove an active Mydoom.F infection from
the computer.
The Mydoom removal tool can be downloaded in a ZIP file from:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoomf.zip
http://www.f-secure.com/tools/f-mydoomf.zip
The unpacked version is available from:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoomf.exe
http://www.f-secure.com/tools/f-mydoomf.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoomf.txt
http://www.f-secure.com/tools/f-mydoomf.txt
Additional Details
When copying itself, the worm will overwrite part of its executable with random data. Starting from 28000 bytes from its beginning it will write a 1 kB chunk of random data, making the file seem variable.
Some of the strings are scrambled using the same method as in the original
Mydoom, ROT13.
It will add an entry in the registry in:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
or, if failed in
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
containing:
= %sysdir%\.exe
Email Propagation
The worm will compose emails with the following characteristics.
Subjects from the list:
(Some of these are also used by the Sober.C worm)
Message body is selected from:
Attachment names will be chosen from:
And one of the following extensions will be appended:
Payload
In addition to the Distributed Denial-of-Service attack the worm tries to delete several file types from the victim's hard drive such as pictures, movies and MS Office documents.
The worm's code in charge of that is the same that harvests e-mail addresses. It will check every drive from 'C' to 'Z', and for each of the folders on those, it will go through each file, performing the following actions:
-If the file is smaller the 40 bytes, it will skip it.
-It will extract the extension and match it against the following list:
If any of those is matched, it will attempt to extract any e-mail address
contained within.
-Next, the extension will be matched against:
The worm will delete the files with a given probability, so only a given
percentage of the occasions certain types of files will be deleted. The
following table gives those percentages:
Once the scan of the machine and its drives is finished, it will sleep for 32 seconds and start again.
Backdoor
This variant, as the previous ones, also drops a backdoor listening in port 1080.
Some of the strings are scrambled using the same method as in the original
Mydoom, ROT13.
It will add an entry in the registry in:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
or, if failed in
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
containing:
= %sysdir%\.exe
Email Propagation
The worm will compose emails with the following characteristics.
Subjects from the list:
(Some of these are also used by the Sober.C worm)
- test
- hi
- hello
- Returned Mail
- Confirmation Required
- Confirmation
- Registration confirmation
- please reply
- please read
- Read this message
- Readme
- Important
- Your account has expired
- Expired account
- Notification
- automatic responder
- automatic notification
- You have 1 day left
- Warning
- Information
- For your information
- For you
- Something for you
- Read it immediately
- Read this
- Read it immediately!
- Your credit card
- Schedule
- Accident
- Attention
- stolen
- news
- recent news
- Wanted
- fake
- unknown
- bug
- forget
- read now!
- Current Status
- Your request is being processed
- Your order is being processed
- Your request was registered
- Your order was registered
- Re:
- Undeliverable message
- Love is...
- Love is
- Your account is about to be expired
- Your IP was logged
- You use illegal File Sharing...
- Thank You very very much
- hi, it's me
- Approved
- Re: Approved
- Details
- Re: Details
- Thank you
- Re: Thank you
- Announcement
Message body is selected from:
- test
- You are bad
- Take it
- Reply
- Please, reply
- Information about you
- Greetings
- See you
- Here it is
- We have received this document from your e-mail.
- Kill the writer of this document!
- Something about you
- I have your password :)
- You are a bad writer
- Is that yours?
- Is that from you?
- I wait for your reply.
- Here is the document.
- Read the details.
- I'm waiting
- Okay
- Everything ok?
- Check the attached document.
- The document was sent in compressed format.
- Please see the attached file for details
- See the attached file for details
- Details are in the attached document. You need Microsoft Office to open it.
Attachment names will be chosen from:
- msg
- doc
- document
- readme
- text
- file
- data
- test
- message
- body
- details
- creditcard
- attachment
- stuff
- me
- post
- posting
- textfile
- info
- information
- note
- notes
- product
- bill
- check
- ps
- money
- about
- story
- list
- joke
- jokes
- friend
- site
- website
- object
- mail2
- part1
- part4
- part2
- part3
- misc
- disc
- paypal
- approved
- details
- your_document
- image
- resume
- photo
And one of the following extensions will be appended:
- exe
- scr
- com
- pif
- bat
- cmd
Payload
In addition to the Distributed Denial-of-Service attack the worm tries to delete several file types from the victim's hard drive such as pictures, movies and MS Office documents.
The worm's code in charge of that is the same that harvests e-mail addresses. It will check every drive from 'C' to 'Z', and for each of the folders on those, it will go through each file, performing the following actions:
-If the file is smaller the 40 bytes, it will skip it.
-It will extract the extension and match it against the following list:
- .txt
- .htm
- .sht
- .php
- .asp
- .dbx
- .tbb
- .adb
- .eml
- .pl
- .msg
- .vbs
- .mht
- .oft
- .uin
- .rtf
- .ods
- .mmf
- .nch
- .mbx
- .wab
- .mdb
If any of those is matched, it will attempt to extract any e-mail address
contained within.
-Next, the extension will be matched against:
- .doc
- .xls
- .sav
- .jpg
- .avi
- .bmp
The worm will delete the files with a given probability, so only a given
percentage of the occasions certain types of files will be deleted. The
following table gives those percentages:
- .doc 40%
- .xls 60%
- .sav 95%
- .jpg 8%
- .avi 10%
- .bmp 15%
Once the scan of the machine and its drives is finished, it will sleep for 32 seconds and start again.
Backdoor
This variant, as the previous ones, also drops a backdoor listening in port 1080.