F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : MyDoom.Q

[Summary] | [Detailed Description] | [Detection]



NAME:MyDoom.Q
ALIAS:I-Worm.Mydoom.O, W32/Mydoom.Q@MM, Evaman.C
ALIAS:W32/MyDoom-Q, WORM_MYDOOM.O
SIZE:21504

Summary

A new UPX packed variant of MyDoom worm - Mydoom.Q, was found on August 3rd, 2004. The worm spreads like its previous variants and it also uses Yahoo People Search to search for more victims' e-mail addresses.

Detailed Description

The worm's file is a PE executable 21504 bytes long packed with UPX file compressor. The unpacked worm's size is about 62 kilobytes.

System Infection

After the worm's file is run, it opens Notepad application. Then the worm copies itself as WINLIBS.EXE file to Windows System directory and creates a startup key for the copied file in Windows Registry: 

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "winlibs.exe" = "%WinSysDir%\winlibs.exe"

where %WinSysDir% represents Windows System folder. As a result, the worm's file is started every time Windows starts.

Additionally the worm creates the following Registry key: 

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs]

The worm creates a mutex named 'NorthernLightMixed'.

Spreading in E-mails

The worm spreads in e-mails. Before spreading it collects e-mail addresses from an infected computer. The worm reads Windows Address Book file, reads files in Temporary Internet Files folders and Windows System folder. Files with the following extensions are checked: 

 txt
 dhtm
 msg
 htm
 xml
 eml
 html
 sht
 shtm
 shtml
 jse
 jsp
 js
 php
 cfg
 asp
 ods
 mmf
 dbx
 tbb
 adb
 pl
 wab

Additionally the worm can connect to 'email.people.yahoo.com' server and tries to search for victims' e-mail addresses there.

The worm doesn't send itself to e-mail addresses that contain any of the following substrings: 

 .edu
 Bug
 ugs
 bug
 upport
 ICROSOFT
 icrosoft
 oot
 dmin
 ymant
 avp
 ecur
 @MM
 ebmast
 help
 opho
 inpris
 omain
 senet
 panda
 32.
 @mm
 msn
 inux
 umit
 nfo
 irus
 buse
 orton
 cafee
 spam
 Spam
 SPAM
 ntivi
 eport
 user
 inzip
 inrar
 rend
 pdate
 USER
 ating
 ample
 ists
 persk
 ccoun
 ompu
 msdn
 YOU
 you
 oogle
 arsoft
 otmail
 sarc
 soft
 ware
 .gov
 .mil
 cribe
 list
 eturn
 omment
 Sale
 sale
 CRIBE
 gmail
 ruslis
 ibm
 win
 !

The worm spreads in e-mails with different subject and body texts and with different attachment names. The subject line is selected from the following variants: 

 SN: New secure mail
 Secure delivery
 failed transaction
 Re: hello (Secure-Mail)
 Re: Extended Mail
 Delivery Status (Secure)
 Re: Server Reply
 SN: Server Status

The message body can contain user name, domain name and the following text strings: 

 Automatically Secure Delivery: for


 Mail Delivery Server System: for


 Extended secure mail message available at:


 Secure Mail Server Notification: for


 New mail secure method implement: for


 New policy requested by mail server to returned mail
 as a secure compiled attachment (Zip).


 Now a new message is available as secure Zip file format.
 Due to new policies on clients.


 This message is available as a secure Zip file format
 due to a new security policy.


 For security measures this message has been packed as Zip format.
 This is a newly added security feature.


 New policy recommends to enclose all messages as Zip format.
 Your message is available in this server notice.


 You have received a message that implements secure delivery technology.
 Message available as a secure Zip file.


 This message is an automatically server notice
 from Administration at


 Server Notice: New security feature added. MSG:ID: 455sec86
 from


 New feature added for security reasons
 from


 Automatically server notice:,
 Server reply from


 New service policy for security added from

The attachment name is selected from the following variants: 

 mail
 message
 attachment
 transcript
 text
 document
 file
 readme

The attachment extension is selected from these variants: 

 .exe
 -txt.exe
 -htm.exe
 -txt.scr

Also the worm can send itself inside a ZIP archive.

The worm fakes the sender's e-mail address. It uses the following user names for the fake e-mail address: 

 mike@
 jennifer@
 david@
 linda@
 susan@
 nancy@
 pamela@
 eric@
 kevin@
 mary@
 jessica@
 patricia@
 barbara@
 karen@
 sarah@
 robert@
 john@
 daniel@
 jason@
 joe@

Payload

In the very beginning of its execution the worm creates a thread that enumerates processes and terminates the ones that have the following substrings in their names: 

 uba
 mc
 Mc
 av
 AV
 cc
 Sym
 nv
 can
 scn
 java
 xp.exe
 ecur
 nti
 erve
 sss
 iru
 ort
 SkyNet
 KV


Back to the Top


Detection

Detection for MyDoom.Q worm is available in the following FSAV update:

[FSAV_Database_Version]

Version=2004-08-03_03

Back to the Top


Description: Katrin Tocheva, August 3rd, 2004;

Technical Details: Alexey Podrezov, August 3rd, 2004;

F-Secure Corporation