F-Secure Virus Descriptions : MyDoom.Q
A new UPX-packed variant of the MyDoom worm, MyDoom.Q, was found on
August 3rd, 2004. The worm spreads like its previous variants and
additionally uses Yahoo People Search to look for more victims'
e-mail addresses.
The worm's file is a PE executable 21504 bytes long, packed with the
UPX file compressor. Unpacked, the worm is about 62 kilobytes in
size.
System Infection
After the worm's file is run, it opens the Notepad application. The
worm then copies itself to the Windows System directory as
WINLIBS.EXE and creates a startup key for the copied file in the
Windows Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlibs.exe" = "%WinSysDir%\winlibs.exe"
where %WinSysDir% represents the Windows System folder. As a result,
the worm's file is started every time Windows starts.
Additionally, the worm creates the following Registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs]
The worm creates a mutex named 'NorthernLightMixed'.
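The two Registry artifacts above are what an incident responder can check offline from a Registry export taken from a suspect host (the mutex only exists in memory on the running system). The following triage helper is an added example, not F-Secure's detection tooling: it parses the text of a .reg export and reports the Run key value and the Explorer\winlibs marker key named in this description. The sample export it scans is constructed for the demonstration; only the key paths and the value name come from the description.

```python
"""Triage helper: scan a Windows Registry export (.reg text) for the
persistence artifacts this description attributes to MyDoom.Q.

Added example, not F-Secure's tooling. The sample export below is
constructed; only the two key paths and the value name come from the
description.
"""
import re

# Artifacts from the description. The registry is case-insensitive, so
# all comparisons below are done on lower-cased paths and names.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "winlibs.exe"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    A key with no values maps to an empty dict, which is exactly what
    the Explorer\\winlibs marker key looks like in an export.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def find_mydoom_q_artifacts(text):
    """Return a list of human-readable findings; an empty list means clean."""
    keys = parse_reg_export(text)
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()}
               for k, v in keys.items()}
    findings = []
    run_values = lowered.get(RUN_KEY.lower(), {})
    if RUN_VALUE_NAME in run_values:
        findings.append("Run key value %r -> %s"
                        % (RUN_VALUE_NAME, run_values[RUN_VALUE_NAME]))
    if MARKER_KEY.lower() in lowered:
        findings.append("marker key present: " + MARKER_KEY)
    return findings


# Constructed sample export from a hypothetical infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"winlibs.exe"="C:\\WINDOWS\\system32\\winlibs.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs]
'''

if __name__ == "__main__":
    for finding in find_mydoom_q_artifacts(SAMPLE_EXPORT):
        print("FOUND:", finding)
```

Real exports written by regedit are UTF-16 encoded; decode the file to text before passing it to find_mydoom_q_artifacts. The Run value data is reported verbatim so the responder can confirm that it points at %WinSysDir%\winlibs.exe rather than at some unrelated program that happens to share the name.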
Spreading in E-mails
The worm spreads in e-mails. Before spreading, it collects e-mail
addresses from the infected computer: it reads the Windows Address
Book file and scans files in the Temporary Internet Files folders and
in the Windows System folder. Files with the following extensions are
checked:
txt
dhtm
msg
htm
xml
eml
html
sht
shtm
shtml
jse
jsp
js
php
cfg
asp
ods
mmf
dbx
tbb
adb
pl
wab
Additionally, the worm can connect to the 'email.people.yahoo.com'
server and search for victims' e-mail addresses there.
The worm doesn't send itself to e-mail addresses that contain any
of the following substrings:
.edu
Bug
ugs
bug
upport
ICROSOFT
icrosoft
oot
dmin
ymant
avp
ecur
@MM
ebmast
help
opho
inpris
omain
senet
panda
32.
@mm
msn
inux
umit
nfo
irus
buse
orton
cafee
spam
Spam
SPAM
ntivi
eport
user
inzip
inrar
rend
pdate
USER
ating
ample
ists
persk
ccoun
ompu
msdn
YOU
you
oogle
arsoft
otmail
sarc
soft
ware
.gov
.mil
cribe
list
eturn
omment
Sale
sale
CRIBE
gmail
ruslis
ibm
win
!
The worm spreads in e-mails with different subject and body texts
and with different attachment names. The subject line is selected
from the following variants:
SN: New secure mail
Secure delivery
failed transaction
Re: hello (Secure-Mail)
Re: Extended Mail
Delivery Status (Secure)
Re: Server Reply
SN: Server Status
The message body can contain a user name, a domain name and the
following text strings:
Automatically Secure Delivery: for
Mail Delivery Server System: for
Extended secure mail message available at:
Secure Mail Server Notification: for
New mail secure method implement: for
New policy requested by mail server to returned mail
as a secure compiled attachment (Zip).
Now a new message is available as secure Zip file format.
Due to new policies on clients.
This message is available as a secure Zip file format
due to a new security policy.
For security measures this message has been packed as Zip format.
This is a newly added security feature.
New policy recommends to enclose all messages as Zip format.
Your message is available in this server notice.
You have received a message that implements secure delivery technology.
Message available as a secure Zip file.
This message is an automatically server notice
from Administration at
Server Notice: New security feature added. MSG:ID: 455sec86
from
New feature added for security reasons
from
Automatically server notice:,
Server reply from
New service policy for security added from
The attachment name is selected from the following variants:
mail
message
attachment
transcript
text
document
file
readme
The attachment extension is selected from these variants:
.exe
-txt.exe
-htm.exe
-txt.scr
The worm can also send itself inside a ZIP archive.
The worm fakes the sender's e-mail address. It uses the following
user names for the fake e-mail address:
mike@
jennifer@
david@
linda@
susan@
nancy@
pamela@
eric@
kevin@
mary@
jessica@
patricia@
barbara@
karen@
sarah@
robert@
john@
daniel@
jason@
joe@
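The fixed subjects, body phrases, attachment base names and extensions listed above are exactly the traits a mail gateway can match on. The following check is an added example, not F-Secure's detection: it scores an RFC 822 message on three independent traits taken from this description (a subject from the list, an attachment built from the listed names and extensions, also when it is inside a ZIP archive, and a body phrase from the list), so that a single coincidental hit does not quarantine legitimate mail. The sample messages it scores are constructed here; the attachment bytes are placeholders, not a real executable.

```python
"""Mail-gateway check for the MyDoom.Q lure traits in this description.

Added example, not F-Secure's detection. Subjects, body phrases,
attachment names and extensions come from the description; the sample
messages and attachment bytes are constructed here.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECTS = {
    "SN: New secure mail", "Secure delivery", "failed transaction",
    "Re: hello (Secure-Mail)", "Re: Extended Mail", "Delivery Status (Secure)",
    "Re: Server Reply", "SN: Server Status",
}
# Lower-cased fragments of the fixed body texts.
BODY_PHRASES = [
    "secure zip file", "automatically server notice", "secure delivery",
    "mail delivery server system", "msg:id: 455sec86",
    "secure compiled attachment",
]
# mail-txt.exe, document.exe, readme-htm.exe, file-txt.scr, ...
ATTACH_RE = re.compile(
    r"^(mail|message|attachment|transcript|text|document|file|readme)"
    r"(-txt\.exe|-htm\.exe|-txt\.scr|\.exe)$", re.IGNORECASE)


def suspicious_names(part):
    """Yield lure-style filenames from one MIME part, looking inside ZIPs."""
    name = part.get_filename() or ""
    if ATTACH_RE.match(name):
        yield name
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"PK":          # ZIP local-file-header signature
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for inner in zf.namelist():
                    if ATTACH_RE.match(inner.rsplit("/", 1)[-1]):
                        yield "%s!%s" % (name, inner)
        except zipfile.BadZipFile:
            pass


def score_message(raw_bytes):
    """Return (score, reasons); one point per matched trait, 2+ is confident."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append("subject: " + subject)
    body = ""
    for part in msg.walk():
        # Inline text parts form the body; parts with filenames are attachments.
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body += part.get_content().lower()
        for name in suspicious_names(part):
            reasons.append("attachment: " + name)
    hits = [p for p in BODY_PHRASES if p in body]
    if hits:
        reasons.append("body phrases: " + ", ".join(hits))
    return len(reasons), reasons


def build_sample(zipped):
    """Constructed lure message using traits from the description."""
    m = EmailMessage()
    m["From"] = "jennifer@example.invalid"   # faked sender style, constructed domain
    m["To"] = "user@example.invalid"
    m["Subject"] = "Re: Server Reply"
    m.set_content("Now a new message is available as secure Zip file format.\n"
                  "Due to new policies on clients.\n")
    inner = b"MZ" + b"\0" * 62               # placeholder bytes, not an executable
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("document-txt.scr", inner)
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="document.zip")
    else:
        m.add_attachment(inner, maintype="application",
                         subtype="octet-stream", filename="document-txt.scr")
    return m.as_bytes()


if __name__ == "__main__":
    for zipped in (False, True):
        print(score_message(build_sample(zipped)))
```

The attachment pattern is anchored at both ends, so a legitimate document.doc or readme.txt does not match; only the listed executable extensions, optionally behind the -txt or -htm decoy suffix, do. Running the ZIP check on the decoded payload rather than on the declared content type catches archives sent with a generic octet-stream type.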
Payload
At the very beginning of its execution the worm creates a thread
that enumerates processes and terminates those that have any of the
following substrings in their names:
uba
mc
Mc
av
AV
cc
Sym
nv
can
scn
java
xp.exe
ecur
nti
erve
sss
iru
ort
SkyNet
KV
Detection for MyDoom.Q worm is available in the following FSAV
update:
[FSAV_Database_Version]
Version=2004-08-03_03
Description:
Katrin Tocheva, August 3rd, 2004;
Technical Details:
Alexey Podrezov, August 3rd, 2004;
F-Secure Corporation