1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. MyDoom.U

MyDoom.U

Name : MyDoom.U
Category:Malware
Type:Backdoor, Email-Worm
Platform:Win32

Summary

A new variant of MyDoom worm - Mydoom.U, was found on September 9th, 2004. This worm variant is similar to previous ones. It spreads in e-mails with different subject and body texts, downloads and activates a backdoor.

Disinfection

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Additional Details

The worm is a PE ( Portable Executable) file 18200 bytes long packed with UPX file compressor. The unpacked file's size is over 44 kilobytes.


Installation to system

When run, the worm creates a mutex 'qwedefacedRDE', copies itself as WINSPF32.EXE to Windows System Directory and creates a startup key for that file in System Registry:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinSPF" = "%WinSysDir%\winspf32.exe"

where %WinSysDir% represents Windows System directory.

Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of a current user as RX32HH00.EXE file.


Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in Windows Address Book and in the files with the following extensions:

  • wab
  • xls
  • vbs
  • uin
  • txt
  • tbb
  • stm
  • sht
  • php
  • msg
  • mht
  • jsp
  • htm
  • eml
  • dht
  • dbx
  • cgi
  • cfg
  • asp

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • avp.
  • syman
  • icrosof
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • icrosoft
  • .gov
  • gov.
  • .mil
  • @foo.
  • @iana
  • spam
  • unix
  • linux
  • kasp
  • antivi
  • messagelabs
  • support
  • berkeley
  • unix
  • math
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • icq.com
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • abuse
  • upport
  • www
  • root
  • info
  • samples
  • postmaster
  • rating
  • root
  • news
  • webmaster
  • noone
  • noreply
  • nobody
  • nothing
  • anyone
  • someone
  • rating
  • site
  • contact
  • support
  • somebody
  • privacy
  • service
  • help
  • submit
  • feste
  • gold-certs

The subject of infected e-mails is selected from the following variants:

  • hello
  • here
  • hi
  • Hi!
  • important
  • Information
  • my
  • News
  • Notice again
  • Private document
  • Re: Hello
  • Re: Hi
  • Re: Message
  • Re: Proof of concept
  • Re: Question
  • Re: Status
  • Re: Your document
  • read it immediately
  • Thank you!
  • thanks!
  • You win!

The body of infected e-mails is selected from the following variants:

  • Can you confirm it?
  • For further details see the attachment....
  • For more details see the attachment.
  • Monthly news report.
  • Please answer quickly!
  • Please confirm!
  • Please read the attached file!
  • Please read the document.
  • Please see the attached file for detail...
  • Thanks!
  • Waiting for a Response. Please read the...
  • Your archive is attached.
  • Your requested mail has been attached.
  • I have attached document.
  • Please confirm the document.
  • Please read the attached file.
  • Please read the important document.
  • See attached file for details.
  • See the file.
  • lol!
  • fun!
  • fun game!
  • game
  • apply patch.
  • apply this patch!
  • You are infected by virus. Run this exe...
  • Virus removal tool
  • Thanks!
  • relax
  • See the file.
  • New game
  • fun photos
  • screensaverlol!

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

  • document.doc .pif
  • doc.doc .pif
  • mesg.doc .pif
  • report.doc .pif
  • review.doc .pif
  • bill.doc .pif
  • doc.rtf .pif
  • mesg.rtf .pif
  • report.rtf .pif
  • review.rtf .pif
  • bill.rtf .pif
  • doc.txt .pif
  • mesg.txt .pif
  • report.txt .pif
  • review.txt .pif
  • bill.txt .pif
  • rep.txt .pif
  • Message.html .pif
  • document.zip
  • doc.zip
  • report.zip
  • new.zip
  • doc.zip
  • bill.zip
  • data.zip
  • details.zip
  • file.zip
  • info.zip
  • information.zip
  • letter.zip
  • message,.zip
  • file.exe
  • game.exe
  • photo.exe
  • pic.exe
  • new.exe
  • patch.exe
  • antivirus.exe
  • fun.scr
  • lol.scr

The worm can also attach a fake virus scan report to its message:

+++ Attachment: No Virus found +++

where the antivirus mentioned can be any of the following:

  • Norton AntiVirus - www.symantec.de
  • F-Secure AntiVirus - www.f-secure.com
  • Norman AntiVirus - www.norman.com
  • Panda AntiVirus - www.pandasoftware.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • MC-Afee AntiVirus - www.mcafee.com
  • Bitdefender AntiVirus - www.bitdefender.com
  • MessageLabs AntiVirus - www.messagelabs.com

The worm fakes the sender's address and uses the following list of first names to compose the fake address:

  • James
  • John
  • Robert
  • Michael
  • William
  • David
  • Richard
  • Charles
  • Joseph
  • Thomas
  • Christopher
  • Daniel
  • Paul
  • Mark
  • Donald
  • George
  • Kenneth
  • Steven
  • Edward
  • Brian
  • Ronald
  • Anthony
  • Kevin
  • Jason
  • Matthew
  • Gary
  • Timothy
  • Jose
  • Larry
  • Jeffrey
  • Frank
  • Scott
  • Eric
  • Stephen
  • Andrew
  • Raymond
  • Gregory
  • Joshua
  • Jerry
  • Dennis
  • Walter
  • Patrick
  • Peter
  • Harold
  • Douglas
  • Henry
  • Carl
  • Ricky
  • Troy
  • Randall
  • Barry
  • Alexander
  • Bernard
  • Mario
  • Leroy
  • Francisco
  • Marcus
  • Micheal
  • Theodore
  • Clifford
  • Miguel
  • Oscar
  • Jay
  • Jim
  • Tom
  • Calvin
  • Alex
  • Jon
  • Ronnie
  • Bill
  • Lloyd
  • Tommy
  • Leon

It uses the following list of last names to compose the fake address:

  • Smith
  • Johnson
  • Williams
  • Jones
  • Brown
  • Davis
  • Miller
  • Wilson
  • Moore
  • Taylor
  • Anderson
  • Thomas
  • Jackson
  • White
  • Harris
  • Martin
  • Thompson
  • Garcia
  • Martinez
  • Robinson
  • Clark
  • Rodriguez
  • Lewis
  • Lee
  • Walker
  • Hall
  • Allen
  • Young
  • Hernandez
  • King
  • Wright
  • Lopez
  • Hill
  • Scott
  • Green
  • Adams
  • Baker
  • Gonzalez
  • Nelson
  • Carter
  • Mitchell
  • Perez
  • Roberts
  • Turner
  • Phillips
  • Campbell
  • Parker
  • Cruz
  • Marshall
  • Ortiz
  • Gomez
  • Murray
  • Freeman
  • Wells
  • Webb
  • Simpson
  • Stevens
  • Tucker
  • Porter

It uses the following list of domain names to compose the fake address:

  • @dailymail.co.uk
  • @mail.com
  • @aol.com
  • @hotmail.com
  • @gmx.net
  • @t-online.de
  • @yahoo.co.uk
  • @msn.com
  • yahoo.com
  • cox.net

Downloading a backdoor

The worm downloads a backdoor from one of the websites and activates it. The backdoor is known as 'Surila.I' or 'BackDoor-CEB.c' and is downloaded from the following websites:

  • www.planetboredom.net
  • vugs.geog.uu.nl
  • www.ach.ch
  • www.hiw.kuleuven.ac.be
  • www.surrenderzeeland.nl
  • www.llc.unibo.it

Limited lifecycle

After September 20th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.