Threat Description

MyDoom.L

Details

Aliases: MyDoom.L, .Mydoom.L
Category: Malware
Type: Email-Worm
Platform: W32

Summary



A new variant of the MyDoom worm was found on July 19th, 2004 It is similar to previous variants. It spreads through email and copies itself to folders used by FTP and P2P software.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The executable is packed with unmodified UPX.

When executed it will copy itself to:

  • %windir%\lsass.exe

Where %windir% is the main Windows folder.

And create the following registry key.

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

or

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

and sets the value:

  • "Traybar" = %windir%\lsass.exe

Email Spreading

The emails sent by Mydoom.L will contain one of the following subjects:

  • say helo to my litl friend
  • click me baby, one more time
  • hello
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

It may also compose the subject randomly.

Message bodies are chosen from:

 The original message was included as attachment


 This Message was undeliverable due to the following reason:
 Your message was not delivered because the destination computer was
 not reachable within the allowed queue period. The amount of time
 a message is queued before it is returned depends on local configura-
 tion parameters.
 Most likely there is a network problem that prevented delivery, but
 it is also possible that the computer is turned off, or does not
 have a mail system running right now.
 Your message was not delivered within [text filled by the worm] days:
 Host $i is not responding.
 The following recipients did not receive this message:
 <[text filled by the worm]>
 Please reply to postmaster@[text filled by the worm]
 if you feel this message to be in error.


 The original message was received at [text filled by the worm]
 from [text filled by the worm]
 ----- The following addresses had permanent fatal errors -----
 <[text filled by the worm]>
 ----- Transcript of session follows -----
   while talking to [text filled by the worm].:
 >>> MAIL From:[text filled by the worm]
 <<< 501 [text filled by the worm]... Refused


 The original message was received at $w
 from [text filled by the worm]
 ----- The following addresses had permanent fatal errors -----
 <[text filled by the worm]>

The attachment filename will be composed from combining the any of the following filenames:

  • readme
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message

and the following extensions:

  • .scr
  • .exe
  • .com
  • .pif
  • .bat
  • .cmd

It can also send ZIP files containing the worm. In that case the file inside the ZIP may have a filename resembling an email address or an extension followed by a large number of whitespaces finished with an executable extension.

Other spreading techniques

The worm will look for folder with the following text strings on them:

  • incoming
  • ftproot
  • download
  • shar

If any of them are found, it will copy itself inside those folders with names composed from:

  • index
  • Kazaa Lite
  • Harry Potter
  • ICQ 4 Lite
  • WinRAR.v.3.2.and.key
  • Winamp 5.0 (en) Crack
  • Winamp 5.0 (en)

And followed by:

  • .scr
  • .com
  • .exe
  • .ShareReactor.com





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More