Threat Description

MyDoom.K

Details

Aliases: MyDoom.K, I-Worm.Mydoom.j, W32/MyDoom.K@MM
Category: Malware
Type: Email-Worm
Platform: W32

Summary

The MyDoom.K worm variant appeared on May 21st, 2004. It is functionally similar to the MyDoom.E variant, but it does not spread to the Kazaa file sharing network and does not perform a DoS (Denial of Service) attack. The worm drops a backdoor component that listens on port 3127.



Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

The MyDoom.K worm's file is a PE executable 50176 bytes long, compressed with a modified UPX file compressor. The backdoor DLL is 4608 bytes long and is also compressed with a modified UPX file compressor.

Installation to system

When the worm's file is run, it creates a separate thread that generates a file of garbage data and opens it in Notepad; this thread then terminates.

After that the worm drops the SHIMGAPI.DLL file into the Windows System folder. This file is the backdoor (remote access) component. It is loaded as a thread of Explorer via the following Registry key:

  • [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

Finally the worm installs itself in the system. It copies itself to the Windows System directory as RUNDLL6.EXE and creates a startup value for this file in the Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "rundll" = "%winsysdir%\rundll6.exe"

where %winsysdir% represents Windows System directory name.

Additionally the worm deletes the following values from the Registry Run key:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "SVHOST" "TaskMon"
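
The two persistence artifacts above (the "rundll" Run value that launches rundll6.exe, and the CLSID InprocServer32 key through which SHIMGAPI.DLL is loaded into Explorer) are what a host-based check looks for. The following Python script is an added example, not part of the F-Secure description: it parses an exported Registry text (.reg format) and reports both artifacts. The exports it is run against are constructed, the file paths in them are illustrative, and the assumption that the InprocServer32 default value holds the DLL path follows standard COM registration rather than anything stated on this page.

```python
# Added example (not from the F-Secure description): check an exported
# Windows Registry text (.reg format) for the MyDoom.K persistence artifacts
# named in the description.  The sample exports are constructed.
import re

# Keys from the description, written as they appear in a .reg export.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_INPROC_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                    r"\InprocServer32")

# "name"="data" or @="data" (default value) lines inside a key section.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    value lines.  Keys are lower-cased so lookups are case-insensitive, as the
    Registry itself is.  Returns {key: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current][name] = data
    return keys


def mydoom_k_persistence_indicators(reg_text):
    """Return human-readable hits for the two artifacts: a Run value named
    "rundll" (or any Run value launching rundll6.exe), and the CLSID
    InprocServer32 default value pointing at shimgapi.dll (assumption: the
    default value holds the DLL path, the usual COM layout)."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "rundll" or data.lower().endswith("rundll6.exe"):
            hits.append(f"Run value {name!r} launches {data!r}")
    default = keys.get(CLSID_INPROC_KEY.lower(), {}).get("@", "")
    if default.lower().endswith("shimgapi.dll"):
        hits.append(f"InprocServer32 default value loads {default!r} into Explorer")
    return hits


# Constructed export resembling an infected host (paths are illustrative).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\ExampleTool\\tray.exe"
"rundll"="C:\\WINDOWS\\SYSTEM32\\rundll6.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

# Constructed export for a clean host; the CLSID default is a placeholder,
# not the real handler the key normally points at.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\ExampleTool\\tray.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\placeholder_handler.dll"
"""

if __name__ == "__main__":
    for hit in mydoom_k_persistence_indicators(INFECTED_EXPORT):
        print(hit)
```

On a live Windows host the same two lookups can be made with the `winreg` module instead of a text export; the comparison logic is unchanged. Matching the Run value by both name and data catches the case where only one of them has been altered.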

Spreading in e-mails

The worm spreads itself in e-mail messages. To locate e-mail addresses to spread to, the worm reads the Address Book file name from the Registry:

  • [HKCU\Software\Microsoft\WAB\WAB4\Wab File Name]

Then it browses the Address Book file and collects e-mail addresses from it. Additionally, the worm looks for e-mail addresses in files with the following extensions:

  • wab
  • pl
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm

The worm avoids using e-mail addresses that contain the following substrings:

  • avp
  • syma
  • icrosof
  • msn.
  • hotmail
  • panda
  • drweb
  • dials
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • microsoft
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • www
  • spam
  • smp
  • abuse

The worm can fake the sender's e-mail address. It composes fake addresses from 2 parts, a user name and a domain name. Here is the list of user names the worm uses:

  • john
  • john
  • alex
  • michael
  • james
  • mike
  • kevin
  • david
  • george
  • sam
  • andrew
  • jose
  • leo
  • maria
  • jim
  • brian
  • serg
  • mary
  • ray
  • tom
  • peter
  • robert
  • bob
  • jane
  • joe
  • dan
  • dave
  • matt
  • steve
  • smith
  • stan
  • bill
  • bob
  • jack
  • fred
  • ted
  • adam
  • brent
  • alice
  • anna
  • brenda
  • claudia
  • debby
  • helen
  • jerry
  • jimmy
  • julie
  • linda
  • sandra

Here is the list of domain names that the worm uses:

  • aol.com
  • msn.com
  • yahoo.com
  • hotmail.com

The subject for the infected message is selected from the following variants:

  • game
  • Ok
  • thank
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Circus
  • Error

The body of the infected message can contain one of the following:

  • test
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

The attachment name can be one of the following:

  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body

The attachment can have 2 extensions. In that case the first extension can be:

  • doc
  • htm
  • txt

The second (or only) extension can be:

  • pif
  • scr
  • exe
  • cmd
  • bat

The worm can also send itself inside a ZIP archive.
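
The subject, body, attachment base name, extension and double-extension lists above are a compact signature for a mail gateway filter. The following Python script is an added example, not part of the F-Secure description: it parses a message with the standard `email` module, records which of the described lure traits are present, and flags the message when several coincide. The two messages it is run against are constructed, and the threshold of three traits is an assumption chosen for illustration.

```python
# Added example (not from the F-Secure description): score an e-mail message
# against the MyDoom.K lure traits listed in the description.  The sample
# messages are constructed.
import email
from email import policy

# Lists from the description, lower-cased for comparison.
SUBJECTS = {"game", "ok", "thank", "mail delivery system",
            "mail transaction failed", "server report", "circus", "error"}
BODIES = {
    "test",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
}
BASENAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
FIRST_EXT = {"doc", "htm", "txt"}
EXEC_EXT = {"pif", "scr", "exe", "cmd", "bat"}


def classify_attachment(filename):
    """Return the set of lure traits present in an attachment file name."""
    parts = filename.lower().split(".")
    traits = set()
    if len(parts) < 2:
        return traits
    base, exts = parts[0], parts[1:]
    if base in BASENAMES:
        traits.add("lure_basename")
    if exts[-1] == "zip":
        traits.add("zip_container")
        exts = exts[:-1]  # judge whatever the name claims is inside the archive
    if exts and exts[-1] in EXEC_EXT:
        traits.add("exec_extension")
        if len(exts) >= 2 and exts[-2] in FIRST_EXT:
            traits.add("double_extension")
    return traits


def score_message(raw):
    """Return the set of lure traits found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    traits = set()
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        traits.add("lure_subject")
    for part in msg.walk():
        if part.is_attachment():
            traits |= classify_attachment(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip().lower() in BODIES:
                traits.add("lure_body")
    return traits


def is_suspected_mydoom_k(raw, threshold=3):
    """Assumed policy: three or more coinciding traits is a match."""
    return len(score_message(raw)) >= threshold


# Constructed message in the form the description lists (spoofed sender built
# from the worm's user-name and domain lists).
LURE_MESSAGE = """\
From: peter@yahoo.com
To: someone@example.net
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.doc.pif"
Content-Disposition: attachment; filename="document.doc.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message with an ordinary attachment.
BENIGN_MESSAGE = """\
From: colleague@example.org
To: someone@example.net
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi, the figures are attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

if __name__ == "__main__":
    print(sorted(score_message(LURE_MESSAGE)), is_suspected_mydoom_k(LURE_MESSAGE))
```

Scoring on coinciding traits rather than any single one keeps genuine "Mail Delivery System" bounces from being flagged on the subject alone; the executable or double extension on an attachment is the trait that carries most of the weight in practice.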

Payload

The worm drops a backdoor component that starts as a thread of Explorer and listens on port 3127 for commands from remote hackers.

Additionally the worm tries to connect to the 'sipper112.netfirms.com' website. At the time this description was written, the site was not accessible because it had exceeded its daily bandwidth limit.
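
Both payload traits are visible on the network: a completed inbound TCP connection on port 3127 indicates a host running the backdoor listener, and a DNS query for sipper112.netfirms.com indicates the callback attempt. The following Python script is an added example, not part of the F-Secure description: it reads Zeek-style conn.log and dns.log records and reports hosts showing either trait. The log lines are constructed and use a reduced Zeek column set; the conn_state codes are Zeek's own, and treating only non-established states as "not listening" is the assumption the check rests on.

```python
# Added example (not from the F-Secure description): find the network-visible
# MyDoom.K payload traits in Zeek-style conn.log and dns.log records.  The log
# lines are constructed with a reduced column set.
from collections import defaultdict

BACKDOOR_PORT = "3127"                    # from the description
CALLBACK_HOST = "sipper112.netfirms.com"  # from the description
# Zeek conn_state values meaning the TCP handshake never completed.
NOT_ESTABLISHED = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR", "OTH"}

# Constructed records: 192.168.1.20 accepted a connection on 3127 and looked
# up the callback host; 192.168.1.31 only received an unanswered SYN.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1085155200.1\t203.0.113.7\t51234\t192.168.1.20\t3127\ttcp\tSF
1085155201.2\t192.168.1.20\t1034\t192.0.2.44\t80\ttcp\tSF
1085155202.3\t198.51.100.9\t40001\t192.168.1.31\t3127\ttcp\tS0
1085155203.4\t192.168.1.31\t1055\t192.168.1.5\t25\ttcp\tSF
"""
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery
1085155204.5\t192.168.1.20\tsipper112.netfirms.com
1085155205.6\t192.168.1.31\twww.example.org
"""


def parse_zeek_tsv(text):
    """Turn a Zeek TSV log into a list of dicts keyed by the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def mydoom_k_network_indicators(conn_text, dns_text):
    """Return responders that completed a TCP connection on 3127 (with the
    peers that reached them) and hosts that queried the callback name."""
    listeners = defaultdict(list)
    for r in parse_zeek_tsv(conn_text):
        if (r["proto"] == "tcp" and r["id.resp_p"] == BACKDOOR_PORT
                and r["conn_state"] not in NOT_ESTABLISHED):
            listeners[r["id.resp_h"]].append(r["id.orig_h"])
    lookups = sorted({r["id.orig_h"] for r in parse_zeek_tsv(dns_text)
                      if r["query"].lower() == CALLBACK_HOST})
    return {"backdoor_listeners": dict(listeners), "callback_lookups": lookups}


if __name__ == "__main__":
    print(mydoom_k_network_indicators(CONN_LOG, DNS_LOG))
```

Filtering on conn_state matters: a scanner probing port 3127 across the network produces S0 or REJ records for every host, and only the hosts that actually answer are infected. A host appearing in both result sets is the strongest signal.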