Mydoom.W is yet another new variant of the MyDoom worm; it was found on September 9th, 2004. This variant is very similar to the previous variants Mydoom.U and Mydoom.V. It spreads in e-mails with varying subject and body texts, and it downloads and activates a backdoor.
The worm is a PE (Portable Executable) file 18432 bytes long, packed with the UPX file compressor. The unpacked file is over 44 kilobytes in size.
Installation to system
When run, the worm creates a mutex named 'DDDDefaceDDDD', copies itself as WINDRV32.EXE to the Windows System Directory and creates a startup key for that file in the System Registry:
where %WinSysDir% represents the Windows System directory.
Additionally, the worm copies itself to the current user's 'Start Menu\Programs\Startup\' folder as AUTOSTART.EXE.
Spreading in e-mails
The worm spreads by sending its infected attachment to all e-mail addresses found on the infected computer. It looks for e-mail addresses in the Windows Address Book (WAB) and in files with the following extensions:
wab
xls
vbs
uin
txt
tbb
stm
sht
php
msg
mht
jsp
htm
eml
dht
dbx
cgi
cfg
asp
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
avp.
syman
icrosof
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
icrosoft
.gov
gov.
.mil
@foo.
@iana
spam
unix
linux
kasp
antivi
messagelabs
support
berkeley
unix
math
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
icq.com
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
abuse
upport
www
root
info
samples
postmaster
rating
root
news
webmaster
noone
noreply
nobody
nothing
anyone
someone
rating
site
contact
support
somebody
privacy
service
help
submit
feste
gold-certs
The subject of infected e-mails is selected from the following variants:
hello
here
hi
Hi!
important
Information
my
News
Notice again
Private document
Re: Hello
Re: Hi
Re: Message
Re: Proof of concept
Re: Question
Re: Status
Re: Your document
read it immediately
Thank you!
thanks!
You win!
The body of infected e-mails is selected from the following variants:
Can you confirm it?
For further details see the attachment....
For more details see the attachment.
Monthly news report.
Please answer quickly!
Please confirm!
Please read the attached file!
Please read the document.
Please see the attached file for detail...
Thanks!
Waiting for a Response. Please read the...
Your archive is attached.
Your requested mail has been attached.
I have attached document.
Please confirm the document.
Please read the attached file.
Please read the important document.
See attached file for details.
See the file.
lol!
fun!
fun game!
game
apply patch.
apply this patch!
You are infected by virus. Run this exe...
Virus removal tool
Thanks!
relax
See the file.
New game
fun photos
screensaverlol!
The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:
document.doc .pif
doc.doc .pif
mesg.doc .pif
report.doc .pif
review.doc .pif
bill.doc .pif
doc.rtf .pif
mesg.rtf .pif
report.rtf .pif
review.rtf .pif
bill.rtf .pif
doc.txt .pif
mesg.txt .pif
report.txt .pif
review.txt .pif
bill.txt .pif
rep.txt .pif
Message.html .pif
document.zip
doc.zip
report.zip
new.zip
doc.zip
bill.zip
data.zip
details.zip
file.zip
info.zip
information.zip
letter.zip
message,.zip
file.exe
game.exe
photo.exe
pic.exe
new.exe
patch.exe
antivirus.exe
fun.scr
lol.scr
The worm can also attach a fake virus scan report to its message:
The worm fakes the sender's address. It uses the following list of first names to compose the fake address:
James
John
Robert
Michael
William
David
Richard
Charles
Joseph
Thomas
Christopher
Daniel
Paul
Mark
Donald
George
Kenneth
Steven
Edward
Brian
Ronald
Anthony
Kevin
Jason
Matthew
Gary
Timothy
Jose
Larry
Jeffrey
Frank
Scott
Eric
Stephen
Andrew
Raymond
Gregory
Joshua
Jerry
Dennis
Walter
Patrick
Peter
Harold
Douglas
Henry
Carl
Ricky
Troy
Randall
Barry
Alexander
Bernard
Mario
Leroy
Francisco
Marcus
Micheal
Theodore
Clifford
Miguel
Oscar
Jay
Jim
Tom
Calvin
Alex
Jon
Ronnie
Bill
Lloyd
Tommy
Leon
It uses the following list of last names to compose the fake address:
Smith
Johnson
Williams
Jones
Brown
Davis
Miller
Wilson
Moore
Taylor
Anderson
Thomas
Jackson
White
Harris
Martin
Thompson
Garcia
Martinez
Robinson
Clark
Rodriguez
Lewis
Lee
Walker
Hall
Allen
Young
Hernandez
King
Wright
Lopez
Hill
Scott
Green
Adams
Baker
Gonzalez
Nelson
Carter
Mitchell
Perez
Roberts
Turner
Phillips
Campbell
Parker
Cruz
Marshall
Ortiz
Gomez
Murray
Freeman
Wells
Webb
Simpson
Stevens
Tucker
Porter
It uses the following list of domain names to compose the fake address:
@dailymail.co.uk
@mail.com
@aol.com
@hotmail.com
@gmx.net
@t-online.de
@yahoo.co.uk
@msn.com
yahoo.com
cox.net
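As an added example that is not part of the original description, the subject lines, attachment names and spoofed sender domains listed above can be turned into a simple mail-gateway check. The sample messages are constructed; treating a webmail sender domain as only a weak signal is my assumption, as is accepting any run of spaces before the trailing ".pif".

```python
import re
from typing import List

# Indicator lists copied from the Mydoom.W description above (subjects are matched case-insensitively).
SUBJECTS = {"hello", "here", "hi", "hi!", "important", "information", "my", "news",
            "notice again", "private document", "re: hello", "re: hi", "re: message",
            "re: proof of concept", "re: question", "re: status", "re: your document",
            "read it immediately", "thank you!", "thanks!", "you win!"}
# Padded double extension such as "report.doc .pif": a document-looking name, spaces, then .pif.
DOUBLE_EXT_RE = re.compile(r"^[\w-]+\.(doc|rtf|txt|html)\s+\.pif$", re.IGNORECASE)
PLAIN_EXE = {"file.exe", "game.exe", "photo.exe", "pic.exe", "new.exe", "patch.exe",
             "antivirus.exe", "fun.scr", "lol.scr"}
ZIP_NAMES = {"document.zip", "doc.zip", "report.zip", "new.zip", "bill.zip", "data.zip",
             "details.zip", "file.zip", "info.zip", "information.zip", "letter.zip",
             "message,.zip"}
FAKE_DOMAINS = {"dailymail.co.uk", "mail.com", "aol.com", "hotmail.com", "gmx.net",
                "t-online.de", "yahoo.co.uk", "msn.com", "yahoo.com", "cox.net"}


def mydoom_w_indicators(subject: str, sender: str, attachment: str) -> List[str]:
    """Return the names of the Mydoom.W indicators a message matches (empty list = none)."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    name = attachment.strip().lower()
    if DOUBLE_EXT_RE.match(name):
        hits.append("padded-double-extension")
    elif name in PLAIN_EXE:
        hits.append("executable-attachment")
    elif name in ZIP_NAMES:
        hits.append("zip-name")
    # The sender is forged from a name list plus one of these domains; on its own this is a weak hint.
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in FAKE_DOMAINS:
        hits.append("webmail-sender-domain")
    return hits


if __name__ == "__main__":
    # Constructed sample messages for demonstration only.
    samples = [
        ("Re: Your document", "John.Smith@hotmail.com", "report.doc .pif"),
        ("Invoice 2004-09", "accounts@example.org", "invoice.pdf"),
        ("You win!", "tom.webb@msn.com", "game.exe"),
    ]
    for subj, frm, att in samples:
        print(f"{att!r}: {mydoom_w_indicators(subj, frm, att)}")
```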
Downloading a backdoor
The worm downloads a backdoor from one of several websites and activates it. The backdoor is known as 'Surila.I' or 'BackDoor-CEB.c' and is downloaded from one of the following websites:
www.planetboredom.net
vugs.geog.uu.nl
www.ach.ch
www.hiw.kuleuven.ac.be
www.surrenderzeeland.nl
www.llc.unibo.it
Limited lifecycle
After September 20th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.