MyDoom.W

Name: MyDoom.W
Category: Malware
Type: Backdoor, Email-Worm
Platform: Win32

Summary

This is yet another new variant of the MyDoom worm. Mydoom.W was found on September 9th, 2004. It is very similar to the previous variants Mydoom.U and Mydoom.V: it spreads in e-mails with varying subject and body texts, and it downloads and activates a backdoor.

Additional Details

The worm is a PE (Portable Executable) file 18432 bytes long, packed with the UPX file compressor. The unpacked file is over 44 kilobytes in size.

Installation to system

When run, the worm creates a mutex named 'DDDDefaceDDDD', copies itself as WINDRV32.EXE to the Windows System directory and creates a startup key for that file in the System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSPF" = "%WinSysDir%\windrv32.exe"

where %WinSysDir% represents Windows System directory.

Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of the current user as AUTOSTART.EXE.
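The three persistence artifacts just described (the Run-key value, the copy in the System directory, the copy in the Startup folder) plus the mutex are what a responder would check for on a suspect host. The following script is an added example, not code from the original description or from F-Secure: it parses a text export of the HKCU Run key (the format `reg export` writes), a list of file paths and a list of mutex names, and reports which of the documented indicators are present. All sample data in it is constructed.

```python
"""Check a Windows host for the MyDoom.W persistence artifacts described above.

Added example, not code from the original description or from F-Secure. It
parses a text export of the HKCU Run key (the format `reg export` writes),
a list of file paths and a list of mutex names, and reports which of the
documented indicators are present. All sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List

# Indicators taken from the description.
RUN_VALUE_NAME = "WinSPF"
SYSTEM_DIR_DROPPER = "windrv32.exe"   # copied to the Windows System directory
STARTUP_DROPPER = "autostart.exe"     # copied to the user's Startup folder
MUTEX_NAME = "DDDDefaceDDDD"

# A `"Name"="Data"` value line in a .reg export.
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_values(reg_text: str) -> Dict[str, str]:
    """Return the value-name -> data map of a single-key .reg export."""
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            # .reg exports double every backslash; undo that for comparison.
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_indicators(reg_text: str, file_paths: Iterable[str],
                    mutexes: Iterable[str] = ()) -> List[str]:
    """Return a human-readable line for every MyDoom.W indicator found."""
    hits: List[str] = []

    data = parse_reg_values(reg_text).get(RUN_VALUE_NAME)
    if data is not None and data.lower().endswith(SYSTEM_DIR_DROPPER):
        hits.append(f"Run value {RUN_VALUE_NAME} -> {data}")

    for path in file_paths:
        p = path.replace("/", "\\").lower()
        name = p.rsplit("\\", 1)[-1]
        # Win9x uses \System, NT-family systems \System32; accept either.
        in_system_dir = "\\system32\\" in p or "\\system\\" in p
        if name == SYSTEM_DIR_DROPPER and in_system_dir:
            hits.append(f"dropped file: {path}")
        elif name == STARTUP_DROPPER and "\\startup\\" in p:
            hits.append(f"startup-folder copy: {path}")

    if MUTEX_NAME in set(mutexes):
        hits.append(f"mutex: {MUTEX_NAME}")
    return hits


# Constructed sample input: what an infected XP-era host might show.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinSPF"="C:\\WINDOWS\\system32\\windrv32.exe"
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\windrv32.exe",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\AUTOSTART.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_MUTEXES = ["DDDDefaceDDDD", "SomeOtherAppMutex"]  # constructed names

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_FILES, SAMPLE_MUTEXES):
        print("INDICATOR:", hit)
```

The file-name checks are tied to the directory the description names (System directory, Startup folder) so that an unrelated `autostart.exe` elsewhere on disk does not trigger; the mutex check is the quickest live test, since a running copy holds 'DDDDefaceDDDD' for as long as it is active.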

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in the Windows Address Book (WAB) and in files with the following extensions:

  •  wab
  •  xls
  •  vbs
  •  uin
  •  txt
  •  tbb
  •  stm
  •  sht
  •  php
  •  msg
  •  mht
  •  jsp
  •  htm
  •  eml
  •  dht
  •  dbx
  •  cgi
  •  cfg
  •  asp
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  •  avp.
  •  syman
  •  icrosof
  •  panda
  •  sopho
  •  borlan
  •  inpris
  •  example
  •  mydomai
  •  nodomai
  •  ruslis
  •  icrosoft
  •  .gov
  •  gov.
  •  .mil
  •  @foo.
  •  @iana
  •  spam
  •  unix
  •  linux
  •  kasp
  •  antivi
  •  messagelabs
  •  support
  •  berkeley
  •  unix
  •  math
  •  mit.e
  •  gnu
  •  fsf.
  •  ibm.com
  •  google
  •  kernel
  •  linux
  •  fido
  •  usenet
  •  iana
  •  ietf
  •  rfc-ed
  •  sendmail
  •  arin.
  •  ripe.
  •  isi.e
  •  isc.o
  •  secur
  •  acketst
  •  pgp
  •  tanford.e
  •  utgers.ed
  •  mozilla
  •  icq.com
  •  admin
  •  icrosoft
  •  support
  •  ntivi
  •  unix
  •  bsd
  •  linux
  •  listserv
  •  certific
  •  google
  •  accoun
  •  abuse
  •  upport
  •  www
  •  root
  •  info
  •  samples
  •  postmaster
  •  rating
  •  root
  •  news
  •  webmaster
  •  noone
  •  noreply
  •  nobody
  •  nothing
  •  anyone
  •  someone
  •  rating
  •  site
  •  contact
  •  support
  •  somebody
  •  privacy
  •  service
  •  help
  •  submit
  •  feste
  •  gold-certs
The subject of infected e-mails is selected from the following variants:

  •  hello
  •  here
  •  hi
  •  Hi!
  •  important
  •  Information
  •  my
  •  News
  •  Notice again
  •  Private document
  •  Re: Hello
  •  Re: Hi
  •  Re: Message
  •  Re: Proof of concept
  •  Re: Question
  •  Re: Status
  •  Re: Your document
  •  read it immediately
  •  Thank you!
  •  thanks!
  •  You win!
The body of infected e-mails is selected from the following variants:

  •  Can you confirm it?
  •  For further details see the attachment....
  •  For more details see the attachment.
  •  Monthly news report.
  •  Please answer quickly!
  •  Please confirm!
  •  Please read the attached file!
  •  Please read the document.
  •  Please see the attached file for detail...
  •  Thanks!
  •  Waiting for a Response. Please read the...
  •  Your archive is attached.
  •  Your requested mail has been attached.
  •  I have attached document.
  •  Please confirm the document.
  •  Please read the attached file.
  •  Please read the important document.
  •  See attached file for details.
  •  See the file.
  •  lol!
  •  fun!
  •  fun game!
  •  game
  •  apply patch.
  •  apply this patch!
  •  You are infected by virus. Run this exe...
  •  Virus removal tool
  •  Thanks!
  •  relax
  •  See the file.
  •  New game
  •  fun photos
  •  screensaverlol!

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

  •  document.doc .pif
  •  doc.doc .pif
  •  mesg.doc .pif
  •  report.doc .pif
  •  review.doc .pif
  •  bill.doc .pif
  •  doc.rtf .pif
  •  mesg.rtf .pif
  •  report.rtf .pif
  •  review.rtf .pif
  •  bill.rtf .pif
  •  doc.txt .pif
  •  mesg.txt .pif
  •  report.txt .pif
  •  review.txt .pif
  •  bill.txt .pif
  •  rep.txt .pif
  •  Message.html .pif
  •  document.zip
  •  doc.zip
  •  report.zip
  •  new.zip
  •  doc.zip
  •  bill.zip
  •  data.zip
  •  details.zip
  •  file.zip
  •  info.zip
  •  information.zip
  •  letter.zip
  •  message,.zip
  •  file.exe
  •  game.exe
  •  photo.exe
  •  pic.exe
  •  new.exe
  •  patch.exe
  •  antivirus.exe
  •  fun.scr
  •  lol.scr

The worm can also append a fake virus-scan report to its message:

+++ Attachment: No Virus found +++

The scanner name and web site in the fake report are taken from the following list:

Norton AntiVirus - www.symantec.de
F-Secure AntiVirus - www.f-secure.com
Norman AntiVirus - www.norman.com
Panda AntiVirus - www.pandasoftware.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
Bitdefender AntiVirus - www.bitdefender.com
MessageLabs AntiVirus - www.messagelabs.com


The worm fakes the sender's address. It uses the following list of first names to compose the fake address:

  •  James
  •  John
  •  Robert
  •  Michael
  •  William
  •  David
  •  Richard
  •  Charles
  •  Joseph
  •  Thomas
  •  Christopher
  •  Daniel
  •  Paul
  •  Mark
  •  Donald
  •  George
  •  Kenneth
  •  Steven
  •  Edward
  •  Brian
  •  Ronald
  •  Anthony
  •  Kevin
  •  Jason
  •  Matthew
  •  Gary
  •  Timothy
  •  Jose
  •  Larry
  •  Jeffrey
  •  Frank
  •  Scott
  •  Eric
  •  Stephen
  •  Andrew
  •  Raymond
  •  Gregory
  •  Joshua
  •  Jerry
  •  Dennis
  •  Walter
  •  Patrick
  •  Peter
  •  Harold
  •  Douglas
  •  Henry
  •  Carl
  •  Ricky
  •  Troy
  •  Randall
  •  Barry
  •  Alexander
  •  Bernard
  •  Mario
  •  Leroy
  •  Francisco
  •  Marcus
  •  Micheal
  •  Theodore
  •  Clifford
  •  Miguel
  •  Oscar
  •  Jay
  •  Jim
  •  Tom
  •  Calvin
  •  Alex
  •  Jon
  •  Ronnie
  •  Bill
  •  Lloyd
  •  Tommy
  •  Leon

It uses the following list of last names to compose the fake address:

  •  Smith
  •  Johnson
  •  Williams
  •  Jones
  •  Brown
  •  Davis
  •  Miller
  •  Wilson
  •  Moore
  •  Taylor
  •  Anderson
  •  Thomas
  •  Jackson
  •  White
  •  Harris
  •  Martin
  •  Thompson
  •  Garcia
  •  Martinez
  •  Robinson
  •  Clark
  •  Rodriguez
  •  Lewis
  •  Lee
  •  Walker
  •  Hall
  •  Allen
  •  Young
  •  Hernandez
  •  King
  •  Wright
  •  Lopez
  •  Hill
  •  Scott
  •  Green
  •  Adams
  •  Baker
  •  Gonzalez
  •  Nelson
  •  Carter
  •  Mitchell
  •  Perez
  •  Roberts
  •  Turner
  •  Phillips
  •  Campbell
  •  Parker
  •  Cruz
  •  Marshall
  •  Ortiz
  •  Gomez
  •  Murray
  •  Freeman
  •  Wells
  •  Webb
  •  Simpson
  •  Stevens
  •  Tucker
  •  Porter
It uses the following list of domain names to compose the fake address:

  •  @dailymail.co.uk
  •  @mail.com
  •  @aol.com
  •  @hotmail.com
  •  @gmx.net
  •  @t-online.de
  •  @yahoo.co.uk
  •  @msn.com
  •  yahoo.com
  •  cox.net
Downloading a backdoor

The worm downloads a backdoor from one of several web sites and activates it. The backdoor is known as 'Surila.I' or 'BackDoor-CEB.c' and is downloaded from the following sites:

  •  www.planetboredom.net
  •  vugs.geog.uu.nl
  •  www.ach.ch
  •  www.hiw.kuleuven.ac.be
  •  www.surrenderzeeland.nl
  •  www.llc.unibo.it
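Because the worm must fetch the backdoor over HTTP, the list of download sites above is a usable network indicator: a proxy log will show which internal clients reached them. The script below is an added example, not code from the original description or from F-Secure. It reads Squid-format access.log lines and returns, per client address, the listed hosts it contacted. The log lines in it are constructed, and since the description names only hosts, the URL paths are made up as well.

```python
"""Find hosts on the local network that fetched the MyDoom.W backdoor.

Added example, not code from the original description or from F-Secure. It
reads Squid-format access.log lines and reports which clients contacted any
of the download sites listed above. The log lines below are constructed;
the description names only the hosts, so the URL paths are made up too.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Download sites from the description, lower-cased for comparison.
BACKDOOR_HOSTS = {
    "www.planetboredom.net", "vugs.geog.uu.nl", "www.ach.ch",
    "www.hiw.kuleuven.ac.be", "www.surrenderzeeland.nl", "www.llc.unibo.it",
}


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; handles bare CONNECT targets like host:port."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def find_backdoor_fetches(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map client IP -> list of listed hosts it reached, in log order."""
    fetches: Dict[str, List[str]] = {}
    for line in lines:
        fields = line.split()
        # Squid native format: time elapsed client code/status bytes method URL ...
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        host = host_of(url)
        if host in BACKDOOR_HOSTS:
            fetches.setdefault(client, []).append(host)
    return fetches


# Constructed sample log in Squid native format.
SAMPLE_LOG = """\
1094774400.101    120 10.0.0.15 TCP_MISS/200 5120 GET http://www.google.com/ - DIRECT/203.0.113.1 text/html
1094774401.250    310 10.0.0.15 TCP_MISS/200 44032 GET http://www.planetboredom.net/example/path - DIRECT/203.0.113.2 application/octet-stream
1094774402.017     90 10.0.0.15 TCP_MISS/404 512 GET http://vugs.geog.uu.nl/example/path - DIRECT/203.0.113.3 text/html
1094774409.500    205 10.0.0.22 TCP_MISS/200 44032 GET http://www.ach.ch/example/path - DIRECT/203.0.113.4 application/octet-stream
malformed line
1094774410.000    150 10.0.0.22 TCP_MISS/200 2048 CONNECT www.example.org:443 - DIRECT/203.0.113.5 -
"""

if __name__ == "__main__":
    for client, hosts in find_backdoor_fetches(SAMPLE_LOG.splitlines()).items():
        print(f"{client} reached backdoor sites: {', '.join(hosts)}")
```

A failed fetch (the 404 above) is kept on purpose: the request itself shows the worm is running on that client, whether or not the backdoor was obtained. The listed sites may also serve legitimate content, so a hit is a lead to examine the client rather than grounds to block the site outright.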
Limited lifecycle

After September 20th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.