Threat Description

MyDoom.S

Details

Aliases:MyDoom.S, W32/Mydoom.S@MM, I-Worm.Mydoom.q, W32.Mydoom.Q@mm, WORM_RATOS.A
Category:Malware
Type:Email-Worm
Platform:W32

Summary



A new variant of MyDoom worm - Mydoom.S, was found on August 16th, 2004. The worm spreads like its previous variants.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm's file is a PE executable 27136 bytes long packed with UPX file compressor. The unpacked worm's size is about 53 KiB.

System Infection

The worm will attempt to download an executable from four different URLs stored within its body, such URLs point to two different sites (www.richcolour.com and zenandjuice.com). These sites were shut down by 18th of August, 2004.

Mydoom copies itself as "winpsd.exe" file to Windows System directory and creates a startup key for the copied file in Windows Registry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "winpsd.exe" = "%WinSysDir%\winlibs.exe"

where %WinSysDir% represents Windows System folder. As a result, the worm's file is started every time Windows starts.

The worm creates a mutex named '43jfds93872'.

Spreading in e-mails

The email-spreading function will expire on August 20th, 2004. After this the worm should not send emails any more.

The worm spreads in e-mails. Before spreading it collects e-mail addresses from an infected computer. The worm reads Windows Address Book file, reads files in Temporary Internet Files folders and Windows System folder. Files with the following extensions are checked:

  • txt
  • htm
  • sht
  • php
  • asp
  • dbx
  • tbb
  • adb
  • pl
  • wab

The worm doesn't send itself to e-mail addresses that contain any of the following substrings:

  • avp
  • syma
  • icrosof
  • msn.
  • hotmail
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • bugs
  • rating
  • site
  • contact
  • soft
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • gold-certs
  • the.bat
  • page
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • abuse
  • upport
  • www
  • spm
  • spam
  • www
  • secur

The worm spreads in emails as follows:

  • Subject: photos
  • Body: LOL!;))))
  • Attachment: photos_arc.exe

The worm fakes the sender's e-mail address. It uses the following user names for the fake e-mail address:

  • john
  • alex
  • michael
  • james
  • mike
  • kevin
  • david
  • george
  • sam
  • andrew
  • jose
  • leo
  • maria
  • jim
  • brian
  • serg
  • mary
  • ray
  • tom
  • peter
  • robert
  • bob
  • jane
  • joe
  • dan
  • dave
  • matt
  • steve
  • smith
  • stan
  • bill
  • bob
  • jack
  • fred
  • ted
  • adam
  • brent
  • alice
  • anna
  • brenda
  • claudia
  • debby
  • helen
  • jerry
  • jimmy
  • julie
  • linda
  • sandra

Payload

The worm alters the infected computer's hosts file in order to prevent the local user and applications from reaching the Anti-Virus vendors' websites, including f-secure.com and www.f-secure.com.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More