F-Secure Virus Descriptions : MyDoom.S


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: MyDoom.S
ALIAS: W32/Mydoom.S@MM, I-Worm.Mydoom.q, W32.Mydoom.Q@mm, WORM_RATOS.A
SIZE: 27136

Summary

A new variant of the MyDoom worm, MyDoom.S, was found on August 16th, 2004. The worm spreads in the same way as its previous variants.

Detailed Description

The worm's file is a PE executable 27136 bytes long, packed with the UPX file compressor. The unpacked worm is about 53 KiB in size.

System Infection

The worm attempts to download an executable from four different URLs stored within its body. These URLs point to two different sites (www.richcolour.com and zenandjuice.com), both of which were shut down by August 18th, 2004.

MyDoom copies itself as "winpsd.exe" to the Windows System directory and creates a startup key for the copied file in the Windows Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "winpsd.exe" = "%WinSysDir%\winlibs.exe"

where %WinSysDir% represents the Windows System folder. As a result, the worm's file is started every time Windows starts.

The worm creates a mutex named '43jfds93872'.

Spreading in E-mails

The e-mail spreading function expires on August 20th, 2004. After that date the worm should no longer send e-mails.

The worm spreads in e-mails. Before spreading it collects e-mail addresses from the infected computer: it reads the Windows Address Book file, as well as files in the Temporary Internet Files folders and the Windows System folder. Files with the following extensions are checked:

 txt
 htm
 sht
 php
 asp
 dbx
 tbb
 adb
 pl
 wab

The worm doesn't send itself to e-mail addresses that contain any of the following substrings:

 avp
 syma
 icrosof
 msn.
 hotmail
 panda
 sopho
 borlan
 inpris
 example
 mydomai
 nodomai
 ruslis
 .gov
 gov.
 .mil
 foo.
 berkeley
 unix
 math
 bsd
 mit.e
 gnu
 fsf.
 ibm.com
 google
 kernel
 linux
 fido
 usenet
 iana
 ietf
 rfc-ed
 sendmail
 arin.
 ripe.
 isi.e
 isc.o
 secur
 acketst
 pgp
 tanford.e
 utgers.ed
 mozilla
 root
 info
 samples
 postmaster
 webmaster
 noone
 nobody
 nothing
 anyone
 someone
 your
 you
 bugs
 rating
 site
 contact
 soft
 somebody
 privacy
 service
 help
 not
 submit
 feste
 gold-certs
 the.bat
 page
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 google
 accoun
 abuse
 upport
 www
 spm
 spam
 www
 secur

The worm spreads in emails as follows:

 Subject:
  photos

 Body:
  LOL!;))))

 Attachment:
  photos_arc.exe

The worm forges the sender's e-mail address. It uses the following user names for the forged sender address:

 john
 alex
 michael
 james
 mike
 kevin
 david
 george
 sam
 andrew
 jose
 leo
 maria
 jim
 brian
 serg
 mary
 ray
 tom
 peter
 robert
 bob
 jane
 joe
 dan
 dave
 matt
 steve
 smith
 stan
 bill
 bob
 jack
 fred
 ted
 adam
 brent
 alice
 anna
 brenda
 claudia
 debby
 helen
 jerry
 jimmy
 julie
 linda
 sandra

Payload

The worm alters the infected computer's hosts file in order to prevent the local user and applications from reaching anti-virus vendors' websites, including f-secure.com and www.f-secure.com.
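The indicators given in this description (the Run key value, the "photos" / "photos_arc.exe" lure, and the hosts-file tampering against vendor domains) can be turned into simple triage checks. The following is an added example written for this page, not F-Secure's own code or detection logic; the hosts-file text, the Run-key entries and the e-mail message are constructed samples, and the function names are hypothetical. It generalizes slightly beyond the text by letting the caller pass any set of vendor domains to watch, since the description says the page's two f-secure.com entries are only examples of the domains blocked.

```python
"""Triage checks for the MyDoom.S indicators described above (added example)."""
import email
from typing import Dict, List, Set

# Indicators taken from the description; values are as the page gives them.
RUN_VALUE_NAME = "winpsd.exe"                      # name of the Run key value
DROPPED_FILE_NAMES = {"winpsd.exe", "winlibs.exe"}  # file names appearing in the key
MUTEX_NAME = "43jfds93872"                         # mutex created by the worm
LURE_SUBJECT = "photos"
LURE_ATTACHMENT = "photos_arc.exe"
DEFAULT_WATCHED_DOMAINS = {"f-secure.com", "www.f-secure.com"}


def find_hosts_tampering(hosts_text: str,
                         watched: Set[str] = DEFAULT_WATCHED_DOMAINS) -> List[str]:
    """Return hosts-file lines that map any watched vendor domain to an address.

    A clean hosts file normally contains no anti-virus vendor domains at all,
    so any hit is worth investigating regardless of the address it maps to.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:                   # need "<address> <name> [<name>...]"
            continue
        if any(name.lower() in watched for name in parts[1:]):
            hits.append(raw.strip())
    return hits


def find_run_key_persistence(run_values: Dict[str, str]) -> List[str]:
    """Flag Run key values matching the worm's persistence entry.

    `run_values` maps value name -> value data, as read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (e.g. via winreg).
    """
    hits = []
    for name, data in run_values.items():
        exe = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILE_NAMES:
            hits.append(f"{name} = {data}")
    return hits


def matches_mydoom_s_lure(raw_mail: str) -> bool:
    """True if a raw RFC 822 message carries the worm's subject and attachment name."""
    msg = email.message_from_string(raw_mail)
    if (msg.get("Subject") or "").strip().lower() != LURE_SUBJECT:
        return False
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() == LURE_ATTACHMENT:
            return True
    return False


# Constructed samples (not real captures) used to exercise the checks.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
0.0.0.0 ads.example.com
"""

SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "winpsd.exe": r"C:\WINDOWS\System32\winlibs.exe",  # as in the description
}

SAMPLE_MAIL = """From: john@example.com
To: someone@example.org
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: text/plain

LOL!;))))
--constructed-boundary
Content-Type: application/octet-stream; name="photos_arc.exe"
Content-Disposition: attachment; filename="photos_arc.exe"

placeholder-attachment-bytes
--constructed-boundary--
"""

if __name__ == "__main__":
    print("hosts tampering:", find_hosts_tampering(SAMPLE_HOSTS))
    print("run key hits:", find_run_key_persistence(SAMPLE_RUN_VALUES))
    print("lure match:", matches_mydoom_s_lure(SAMPLE_MAIL))
```

On a live Windows host the inputs would come from %SystemRoot%\system32\drivers\etc\hosts, from the Run key via the `winreg` module, and from a mail archive; the example keeps them inline so it runs anywhere. The mutex name is included as a constant because a running worm instance can be recognized by it, but checking for a named mutex requires Windows APIs and is left out here.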

Detection

Detection for the MyDoom.S worm is available in the following FSAV update:

[FSAV_Database_Version]
Version=2004-08-16_02

Description: Ero Carrera, August 16th, 2004.

F-Secure Corporation