Threat Description

MyDoom.G

Details

Aliases: MyDoom.G
Category: Malware
Type: Worm
Platform: W32

Summary



A new variant of the MyDoom worm, Mydoom.G, was found on March 3rd, 2004. A description of Mydoom.A is available at: Novarg.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



Mydoom.G is functionally similar to the original variant, but it contains a hidden message. Apparently, the author of Mydoom wanted to send a message to the authors of the Netsky worm:

to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. They may be called skynets, but not your shitty application.

The executable is packed with unmodified UPX, and a minority of the strings are scrambled as in the first variants of the worm, using old-fashioned ROT13.

Email Spreading

The emails sent by Mydoom.G will contain one of the following subjects:

  • For your eyes only
  • micro$oft must die. support us!
  • Micro$oft
  • some stuff
  • Your profile
  • just some stuff
  • See you soon
  • Auto-reply
  • Address verification
  • Your account is about to be expired
  • Your account is expired
  • Expired account
  • Bank information
  • Registration rejected
  • Rejected
  • excuse me
  • photo
  • my photos
  • Alert
  • Warning
  • Attention
  • hey!
  • read!!!
  • i can tell you the future
  • your chance
  • please read
  • corrupted
  • missed
  • unknown
  • Microsoft
  • join
  • we're unable to process your request
  • i need you
  • Interesting
  • we're experiencing technical problems
  • Empty
  • Automatic notification
  • Reply
  • beauty
  • kleopatra
  • kate
  • dear friend!
  • Response
  • Request
  • notification
  • anna
  • price list
  • hey
  • fw:
  • re:
  • question
  • report
  • how are you?
  • :-)
  • hello! :)
  • hi! :)
  • confirmed
  • Email verification
  • verification
  • see you
  • You have been successfully registered
  • Please, confirm the registration
  • Registration
  • Your details
  • Your account details
  • service
  • melissa
  • maria
  • pamela
  • jessica
  • your website
  • your text
  • your music
  • your letter
  • your archive
  • thank you
  • thanks
  • thanks!
  • your document
  • my details
  • here is the document
  • here
  • hello
  • spreadsheet
  • excel
  • Your request
  • do you still love me
  • do you love me
  • greetings
  • hello my friend
  • hi!
  • account details
  • your account
  • from me
  • Daily Report
  • summary
  • price-list
  • pricelist

Any of the following may additionally be prepended to the subject:

  • Re:
  • Fw:
  • Returned mail:

Message bodies are chosen from:

  • Here it is
  • Please, read and let me know what do you feel
  • Full message is in the attached document
  • Open the document
  • Test
  • Here is the document
  • Please, reply
  • Re:
  • See you
  • Okay
  • Look at the attached file
  • Look at the document
  • Read this
  • See the attached document
  • See the attached message
  • See attachment
  • See attachemnt
  • Read the document
  • Details are in the attached document
  • Hi! Check the attachment for details
  • Your file is attached
  • Your document is attached
  • See the attached file for details
  • Please read the attached file
  • Please have a look at the attached file
  • Here is the file

The attachment filename is composed by combining any of the following base names:

  • attachment
  • Letter
  • attach
  • att
  • file
  • payment
  • check
  • bill
  • stuff
  • doc
  • description
  • information
  • info
  • mail
  • msg
  • paypal
  • TextFile
  • music
  • MoreInfo
  • misc
  • AttachedFile
  • note
  • posting
  • post
  • object
  • news
  • readme
  • text
  • for_you
  • pic
  • letter
  • document
  • application
  • all_document
  • part2
  • AttachedDocument
  • message_part2
  • details
  • message_details
  • message
  • Document
  • msg2
  • more
  • test
  • TextDocument
  • price
  • reply
  • response
  • account
  • problem
  • found
  • important
  • archive
  • nothing

and the following extensions:

  • scr
  • pif
  • cmd
  • exe
  • bat
  • com
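
The subject, body and attachment lists above are exactly what a mail gateway can match on. The following is an added example (not F-Secure's code) of such a check: it strips the optional Re:/Fw:/Returned mail: prefixes, compares subject and body against the listed strings, and recognises attachment names of the form <listed base name>.<listed extension>. Only a subset of the subject, body and base-name lists is embedded (the full lists are given above); the scoring threshold and the sample messages at the bottom are constructed for this example.

```python
"""Mail-gateway check for Mydoom.G-style lures.

Added example, not F-Secure code. The subject, body, base-name and extension
lists are (subsets of) those given in the description above; the e-mail
samples at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Prefixes the worm may prepend to a subject (from the description above).
SUBJECT_PREFIXES = ("re:", "fw:", "returned mail:")

# Subset of the subject lines listed above; use the full list in production.
SUBJECTS = {s.lower() for s in (
    "For your eyes only", "Micro$oft", "Your account details",
    "Your account is expired", "Registration rejected", "Email verification",
    "here is the document", "price list", "Daily Report", "hello! :)",
    "re:", "fw:",
)}

# Subset of the message bodies listed above ("See attachemnt" is the worm's own typo).
BODIES = {b.lower() for b in (
    "Here it is", "Full message is in the attached document", "See attachment",
    "See attachemnt", "Your document is attached", "Please read the attached file",
)}

# Subset of the attachment base names listed above, and all six extensions.
ATTACH_BASES = {b.lower() for b in (
    "attachment", "Letter", "file", "payment", "bill", "doc", "paypal", "readme",
    "document", "message_details", "TextDocument", "account", "important",
)}
ATTACH_EXTS = {"scr", "pif", "cmd", "exe", "bat", "com"}
ATTACH_RE = re.compile(r"^(?P<base>[a-z0-9_]+)\.(?P<ext>[a-z]+)$", re.IGNORECASE)


@dataclass
class Verdict:
    subject_hit: bool
    body_hit: bool
    attachment_hit: bool

    @property
    def score(self) -> int:
        return int(self.subject_hit) + int(self.body_hit) + int(self.attachment_hit)

    @property
    def suspicious(self) -> bool:
        # A lure-style executable attachment alone, or two of the three
        # indicators together, is enough to quarantine (threshold is an assumption).
        return self.attachment_hit or self.score >= 2


def strip_prefixes(subject: str) -> str:
    """Peel off any run of 'Re:' / 'Fw:' / 'Returned mail:' the worm adds."""
    s = subject.strip()
    changed = True
    while changed:
        changed = False
        for prefix in SUBJECT_PREFIXES:
            if s.lower().startswith(prefix):
                s = s[len(prefix):].lstrip()
                changed = True
    return s


def attachment_matches(filename: str) -> bool:
    """True for names of the form <listed base>.<listed extension>, any case."""
    m = ATTACH_RE.match(filename.strip())
    if m is None:
        return False
    return m.group("base").lower() in ATTACH_BASES and m.group("ext").lower() in ATTACH_EXTS


def assess(subject: str, body: str, attachments: Iterable[str]) -> Verdict:
    """Score one message against the lure lists."""
    raw = subject.strip().lower()
    subject_hit = raw in SUBJECTS or strip_prefixes(subject).lower() in SUBJECTS
    body_hit = body.strip().lower() in BODIES
    attachment_hit = any(attachment_matches(a) for a in attachments)
    return Verdict(subject_hit, body_hit, attachment_hit)


# Constructed sample messages (subject, body, attachment names) for this example.
SAMPLES = [
    ("Re: Your account details", "See attachemnt", ["Document.scr"]),
    ("Returned mail: Re: hello! :)", "Here it is", ["photo.jpg"]),
    ("Q3 planning", "Slides attached, see you Monday.", ["q3_plan.pdf"]),
]

if __name__ == "__main__":
    for subj, body, atts in SAMPLES:
        v = assess(subj, body, atts)
        print(f"{subj!r:32} score={v.score} suspicious={v.suspicious}")
```

Matching is case-insensitive because the worm's own list mixes cases ("Document" and "document" both appear), and the raw subject is checked before prefixes are stripped so that the bare "re:" and "fw:" subjects still match.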

Infection Payload

The worm goes through all of the machine's drives and the folders on them, performing the following actions on the files it finds.

Mydoom harvests email addresses from files with the following extensions:

  • htm
  • php
  • txt
  • sht
  • pl
  • asp
  • mbx
  • nch
  • mmf
  • eml
  • msg
  • dbx
  • rtf
  • uin
  • tbb
  • adb
  • mht
  • wab

If a file with the extension PIF is found, the worm overwrites it 8 out of 10 times.

If the 'target' file has one of the following extensions:

  • wav
  • mp3
  • mp4
  • wma
  • avi
  • jpg
  • doc
  • xls

then with a probability of 95% the worm copies itself to a filename with the same name as the 'target' file plus the extension 'EXE' (8 out of 10 times) or 'SCR' (otherwise).
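
The file-side behaviour just described leaves a recognisable trace: an executable named after a media or office file sitting in the same folder, and PIF files that may have been overwritten. The scanner below is an added example (not F-Secure's code) that walks a tree and reports exactly that pattern. It checks the appended form the text describes (song.mp3 beside song.mp3.exe); the replaced form (budget.xls beside budget.scr) is an extra check added here as an assumption, and every .pif file is listed for review. The sample tree it builds in a temporary directory is constructed and contains no real malware; the scanner only reports and never deletes.

```python
"""Scanner for Mydoom.G-style dropped copies beside media and office files.

Added example, not F-Secure code. The description above says the worm writes a
copy of itself next to files with the listed extensions, under the target's
name plus 'EXE' (or 'SCR'), and overwrites PIF files. This scanner reports the
appended form (song.mp3.exe), the replaced form (budget.scr beside budget.xls,
an assumption), and every .pif file for review. It only reports; it does not
delete anything. The sample tree is constructed.
"""
import os
import tempfile
from pathlib import Path

# Extensions the worm targets (from the description above) and the extensions it drops.
TARGET_EXTS = {".wav", ".mp3", ".mp4", ".wma", ".avi", ".jpg", ".doc", ".xls"}
DROP_EXTS = {".exe", ".scr"}


def find_dropped_copies(root):
    """Return sorted (path, kind) tuples for suspicious files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {n.lower() for n in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext == ".pif":
                # PIF files are overwritten by the worm 8 times out of 10: review them all.
                hits.append((os.path.join(dirpath, name), "pif"))
                continue
            if ext not in DROP_EXTS:
                continue
            # Appended form: 'song.mp3.exe' sitting beside 'song.mp3'.
            inner_ext = os.path.splitext(stem)[1].lower()
            if inner_ext in TARGET_EXTS and stem.lower() in present:
                hits.append((os.path.join(dirpath, name), "appended-extension"))
                continue
            # Replaced form (assumed): 'budget.scr' sitting beside 'budget.xls'.
            if any((stem + t).lower() in present for t in TARGET_EXTS):
                hits.append((os.path.join(dirpath, name), "replaced-extension"))
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed layout for this example; no real malware is written."""
    (root / "music").mkdir()
    (root / "music" / "song.mp3").write_bytes(b"constructed audio")
    (root / "music" / "song.mp3.exe").write_bytes(b"constructed dropped copy")
    (root / "docs").mkdir()
    (root / "docs" / "budget.xls").write_bytes(b"constructed sheet")
    (root / "docs" / "budget.scr").write_bytes(b"constructed dropped copy")
    (root / "docs" / "setup.exe").write_bytes(b"constructed, no media sibling")
    (root / "old.pif").write_bytes(b"constructed shortcut")


def scan_sample():
    """Build the sample tree in a temp dir, scan it and return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [(Path(p).relative_to(root).as_posix(), kind)
                for p, kind in find_dropped_copies(root)]


if __name__ == "__main__":
    for path, kind in scan_sample():
        print(f"{kind:19} {path}")
```

A plain setup.exe with no media sibling is deliberately not reported, so the check stays specific to the dropping pattern rather than flagging every executable on the drive.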

DDoS Payload

Mydoom.G will attempt to launch a DDoS attack against Symantec. When performing the attack, it tries to connect to either symantec.com or www.symantec.com, launching from 8 up to 77 threads that request Symantec's main page.
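
From the network side, an infected host shows up as an internal client producing a burst of requests to symantec.com or www.symantec.com. The detector below is an added example (not F-Secure's code) that reads proxy log lines and flags any client exceeding a request threshold to those hosts inside a sliding time window. The log format (ISO timestamp, client IP, method, URL, status), the 10-second window and the threshold of 8 requests (the worm's minimum thread count) are assumptions for this example; the log lines are constructed.

```python
"""Proxy-log detector for the Mydoom.G DDoS against symantec.com.

Added example, not F-Secure code. The description above says an infected host
opens 8 to 77 threads that request Symantec's main page, so an internal client
producing a burst of requests to symantec.com / www.symantec.com is a likely
infection. The log format, the 10-second window and the threshold of 8 are
assumptions for this example; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

TARGET_HOSTS = {"symantec.com", "www.symantec.com"}   # from the description above
WINDOW_SECONDS = 10   # assumption
THRESHOLD = 8         # assumption: matches the worm's minimum thread count


def parse_line(line):
    """Split one constructed proxy log line into (timestamp, client, host)."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, (urlsplit(url).hostname or "").lower()


def flag_flooding_clients(lines):
    """Return {client: peak requests in any window} for clients over THRESHOLD.

    Lines are assumed to be in chronological order per client, as a proxy
    writes them.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, client, host = parse_line(line)
        if host not in TARGET_HOSTS:
            continue
        window = recent[client]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:
            flagged[client] = max(flagged.get(client, 0), len(window))
    return flagged


# Constructed log: 10.0.0.5 behaves like an infected host, 10.0.0.9 browses normally.
SAMPLE_LOG = [
    f"2004-03-03T10:00:{i:02d} 10.0.0.5 GET http://www.symantec.com/ 200"
    for i in range(12)
] + [
    "2004-03-03T10:00:03 10.0.0.9 GET http://symantec.com/ 200",
    "2004-03-03T10:00:04 10.0.0.9 GET http://www.example.com/ 200",
    "2004-03-03T10:00:30 10.0.0.9 GET http://www.symantec.com/ 200",
]

if __name__ == "__main__":
    for client, peak in flag_flooding_clients(SAMPLE_LOG).items():
        print(f"{client}: {peak} requests to Symantec within {WINDOW_SECONDS}s")
```

Counting per client rather than in total keeps a single infected machine visible even when the rest of the network browses Symantec's site normally, and the peak window count gives the responder a rough idea of how many request threads the host was running.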
