F-Secure Virus Descriptions : MyDoom.L
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
A new variant of the MyDoom worm was found on July 19th, 2004.
It is similar to previous variants: it spreads through email and
copies itself to folders used by FTP and P2P software.
The executable is packed with unmodified UPX.
When executed it copies itself to:
%windir%\lsass.exe
where %windir% is the main Windows folder.
It then creates a startup entry under one of the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
or
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
and sets the value:
"Traybar" = %windir%\lsass.exe
Email Spreading
The emails sent by Mydoom.L will contain one of the following subjects:
say helo to my litl friend
click me baby, one more time
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
It may also compose the subject randomly.
Message bodies are chosen from:
The original message was included as attachment
This Message was undeliverable due to the following reason:
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within [text filled by the worm] days:
Host $i is not responding.
The following recipients did not receive this message:
<[text filled by the worm]>
Please reply to postmaster@[text filled by the worm]
if you feel this message to be in error.
The original message was received at [text filled by the worm]
from [text filled by the worm]
----- The following addresses had permanent fatal errors -----
<[text filled by the worm]>
----- Transcript of session follows -----
while talking to [text filled by the worm].:
>>> MAIL From:[text filled by the worm]
<<< 501 [text filled by the worm]... Refused
The original message was received at $w
from [text filled by the worm]
----- The following addresses had permanent fatal errors -----
<[text filled by the worm]>
The attachment filename is composed by combining any of the
following base names:
readme
transcript
mail
letter
file
text
attachment
document
message
and the following extensions:
.scr
.exe
.com
.pif
.bat
.cmd
It can also send ZIP files containing the worm. In that case the file inside
the ZIP may have a filename resembling an email address, or an extension,
followed by a large number of whitespace characters and ending with an
executable extension.
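As an added illustration (not part of the F-Secure description), the following Python triage helper flags attachment names built the way this variant builds them, including the whitespace-padded names used inside ZIP files, and flags a Run value pointing at the worm's copy of lsass.exe. The padding threshold and the Windows folder path are assumptions.

```python
import re
from typing import Optional

# Base names and executable extensions listed in the description above.
BASE_NAMES = {"readme", "transcript", "mail", "letter", "file", "text",
              "attachment", "document", "message"}
EXEC_EXTS = ("scr", "exe", "com", "pif", "bat", "cmd")

# Assumption: "a large number of whitespaces" is treated as 8 or more characters.
PAD_MIN = 8
# Matches "<head><padding>.<exec ext>", e.g. "message.txt        .exe".
PADDED_RE = re.compile(r"^(\S+)\s{%d,}\.(%s)$" % (PAD_MIN, "|".join(EXEC_EXTS)), re.I)


def classify_attachment(name: str, inside_zip: bool = False) -> Optional[str]:
    """Return why a filename matches a MyDoom.L naming pattern, or None if it does not."""
    lower = name.strip().lower()
    stem, dot, ext = lower.rpartition(".")
    # Plain attachment: one of the listed base names plus an executable extension.
    if dot and stem in BASE_NAMES and ext in EXEC_EXTS:
        return "listed base name with executable extension"
    # Inside a ZIP the worm pads the name so the real extension scrolls out of view.
    if inside_zip:
        m = PADDED_RE.match(lower)
        if m:
            head = m.group(1)
            if "@" in head:
                return "email-address-like name padded before executable extension"
            if "." in head:
                return "decoy extension padded before executable extension"
    return None


def is_suspicious_run_value(value_name: str, value_data: str,
                            windir: str = r"C:\WINDOWS") -> bool:
    """Flag a Run value that launches %windir%\\lsass.exe or is named "Traybar".

    The legitimate lsass.exe lives under %windir%\\System32, so a copy directly
    under %windir% (the path this variant uses) is suspicious whatever the value
    name; "Traybar" is the value name the description lists. The default windir
    is an assumption for the example.
    """
    data = value_data.strip().strip('"').lower()
    return data == (windir + r"\lsass.exe").lower() or value_name.lower() == "traybar"
```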
Other spreading techniques
The worm looks for folders whose names contain the following text strings:
incoming
ftproot
download
shar
If any are found, it copies itself into those folders using names
composed from:
index
Kazaa Lite
Harry Potter
ICQ 4 Lite
WinRAR.v.3.2.and.key
Winamp 5.0 (en) Crack
Winamp 5.0 (en)
followed by one of:
.scr
.com
.exe
.ShareReactor.com
F-Secure Anti-Virus detects the Mydoom.L worm since the following
update:
[FSAV_Database_Version]
Version=2004-07-19_02
Description:
Ero Carrera, July 20th, 2004;
F-Secure Corporation