Threat Descriptions

Email-Worm:W32/MyDoom.X

Classification

Category :

Malware

Type :

Email-Worm

Platform :

W32

Aliases :

MyDoom.X

Summary

A new variant of MyDoom worm - Mydoom.X, was found on September 10th, 2004. This worm variant is similar to the previous variants: Mydoom.U-W. It spreads in emails with different subject and body texts, downloads and activates a backdoor.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is a PE executable file 18432 bytes long packed with UPX file compressor. The unpacked file's size is over 44 kilobytes.

Installation to system

When run, the worm creates a mutex 'LLLf54fxrDLLL', copies itself as WIN32S.EXE to Windows System Directory and creates a startup key for that file in System Registry:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Win32System" = "%WinSysDir%\win32s.exe"

where "%WinSysDir%" represents Windows System directory.

Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of a current user as AUTORUN.EXE file.

Spreading in emails

The worm spreads by sending its infected attachment to all email addresses found on an infected computer. The worm looks for email addresses in Windows Address Book (WAB) and in the files with the following extensions:

  • wab
  • xls
  • uin
  • txt
  • tbb
  • stm
  • sht
  • php
  • msg
  • mht
  • mbx
  • jsp
  • htm
  • eml
  • dht
  • dbx
  • cgi
  • cfg
  • asp

The worm avoids sending emails to email addresses that contain any of the following substrings:

  • avp.
  • syman
  • icrosof
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • icrosoft
  • .gov
  • gov.
  • .mil
  • @foo.
  • @iana
  • spam
  • unix
  • linux
  • kasp
  • antivi
  • messagelabs
  • support
  • berkeley
  • unix
  • math
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • icq.com
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • abuse
  • upport
  • www
  • root
  • info
  • samples
  • postmaster
  • rating
  • root
  • news
  • webmaster
  • noone
  • noreply
  • nobody
  • nothing
  • anyone
  • someone
  • rating
  • site
  • contact
  • support
  • somebody
  • privacy
  • service
  • help
  • submit
  • feste
  • gold-certs

The subject of infected emails is selected from the following variants:

  • FW: remember me?..
  • FW: hi
  • FW: hello sweety :>
  • FW: my photos
  • FW: that's me :-D
  • FW: (no subject)
  • FW: it's me
  • FW: hi, it's me
  • FW: 2 new photos
  • FW: new photos
  • FW: jenna's photos :)

The body text of infected emails is selected from the following variants: 

 -----Original Message-----
From: Jeny K. Sent: Tuesday, September 7, 2004 8:57 PM
To: Morpheus
check my new photos
:))
miss you, jeny k
 -----Original Message-----
From: Jena K. Sent: Tuesday, September 7, 2004 5:23 AM
To: friends
Check Out Archive.. So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
 -----Original Message-----
From: jenny k. Sent: Tuesday, September 7, 2004 10:23 AM
To: My Tiger (email)
new fotos(archived) you asked
jenny k
 -----Original Message-----
From: jenna k. (email)
Sent: Tuesday, September 7, 2004 11:38 AM
To: Cat
my new fotos archived ))
kiss, jenna k
 -----Original Message-----
From: Jeny
Sent: Tuesday, September 7, 2004 8:57 PM
To: Neo
see the photos in attached archive
:))
kiss you, jeny
 -----Original Message-----
From: Jena
Sent: Tuesday, September 7, 2004 5:23 AM
To: friend
Photos in archive.. So.. Am I Hot? :)
Waining For Your Answer
Jena
 -----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
To: Friends Group
in self-extracting archive my photos
Jenna :)
 -----Original Message-----
From: jenna (email)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos archived ))
kiss, jenna
 -----Original Message-----
From: Jeny K. Sent: Tuesday, September 7, 2004 8:57 PM
To: Morpheus
check out the new photos
:))
miss you, jeny k
 -----Original Message-----
From: Jena K. Sent: Tuesday, September 7, 2004 5:23 AM
To: friends
So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
 -----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
in archive my new fotos
Jenna K :)
 -----Original Message-----
From: jenny k. Sent: Tuesday, September 7, 2004 10:23 AM
To: My Tiger (email)
new fotos you asked
jenny k
 -----Original Message-----
From: jenna k. (email)
Sent: Tuesday, September 7, 2004 11:38 AM
To: Cat
my new fotos zipped ))
kiss, jenna k
 -----Original Message-----
From: Jeny
Sent: Tuesday, September 7, 2004 8:57 PM
To: Neo
see the photos
:))
kiss you, jeny
 -----Original Message-----
From: Jena
Sent: Tuesday, September 7, 2004 5:23 AM
To: friend
So.. Am I Hot? :)
Waining For Your Answer
Jena
 -----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
To: Friends Group
in archive my photos
Jenna :)
 -----Original Message-----
From: jenny
Sent: Tuesday, September 7, 2004 10:23 AM
To: Mr.X (email)
photos you asked
jenny
 -----Original Message-----
From: jenna (email)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos zipped ))
kiss, jenna

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

  • myfoto.exe.safe
  • myfoto.exe
  • photos.selfextracting.exe.safe
  • photoarchive.exe
  • photofile.exe.safe
  • arc.exe.safe
  • my_foto.exe
  • fotos.exe
  • foto.exe
  • photos.exe.safe
  • photo_se.exe
  • new_photos.exe
  • newphotos.exe
  • myphotos_arc.exe
  • my_photos.exe
  • photos_arc.exe
  • new_photos.zip
  • images.zip
  • fotos.zip
  • my_photos.zip
  • myphotos.zip
  • photos.zip
  • me_01.jpg .pif
  • 2004042301.jpg .pif
  • with_flowers.jpg .pif
  • sunny.jpg .pif
  • photo08.jpg .pif
  • nude_.jpg .pif
  • marie_dancing.jpg .pif
  • julia038.jpg .pif

Also the worm can attach a fake virus scan report to its message:

  • +++ Attachment: No Virus found +++

where it can be any of the following:

  • Norton AntiVirus - www.symantec.de
  • F-Secure AntiVirus - www.f-secure.com
  • Norman AntiVirus - www.norman.com
  • Panda AntiVirus - www.pandasoftware.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • MC-Afee AntiVirus - www.mcafee.com
  • Bitdefender AntiVirus - www.bitdefender.com
  • MessageLabs AntiVirus - www.messagelabs.com

The worm fakes the sender's address. It uses the following list of first names to compose the fake address:

  • James
  • John
  • Robert
  • Michael
  • William
  • David
  • Richard
  • Charles
  • Joseph
  • Thomas
  • Christopher
  • Daniel
  • Paul
  • Mark
  • Donald
  • George
  • Kenneth
  • Steven
  • Edward
  • Brian
  • Ronald
  • Anthony
  • Kevin
  • Jason
  • Matthew
  • Gary
  • Timothy
  • Jose
  • Larry
  • Jeffrey
  • Frank
  • Scott
  • Eric
  • Stephen
  • Andrew
  • Raymond
  • Gregory
  • Joshua
  • Jerry
  • Dennis
  • Walter
  • Patrick
  • Peter
  • Harold
  • Douglas
  • Henry
  • Carl
  • Ricky
  • Troy
  • Randall
  • Barry
  • Alexander
  • Bernard
  • Mario
  • Leroy
  • Francisco
  • Marcus
  • Micheal
  • Theodore
  • Clifford
  • Miguel
  • Oscar
  • Jay
  • Jim
  • Tom
  • Calvin
  • Alex
  • Jon
  • Ronnie
  • Bill
  • Lloyd
  • Tommy
  • Leon

It uses the following list of last names to compose the fake address:

  • Smith
  • Johnson
  • Williams
  • Jones
  • Brown
  • Davis
  • Miller
  • Wilson
  • Moore
  • Taylor
  • Anderson
  • Thomas
  • Jackson
  • White
  • Harris
  • Martin
  • Thompson
  • Garcia
  • Martinez
  • Robinson
  • Clark
  • Rodriguez
  • Lewis
  • Lee
  • Walker
  • Hall
  • Allen
  • Young
  • Hernandez
  • King
  • Wright
  • Lopez
  • Hill
  • Scott
  • Green
  • Adams
  • Baker
  • Gonzalez
  • Nelson
  • Carter
  • Mitchell
  • Perez
  • Roberts
  • Turner
  • Phillips
  • Campbell
  • Parker
  • Cruz
  • Marshall
  • Ortiz
  • Gomez
  • Murray
  • Freeman
  • Wells
  • Webb
  • Simpson
  • Stevens
  • Tucker
  • Porter

It uses the following list of domain names to compose these fake addresses:

  • @dailymail.co.uk
  • @mail.com
  • @aol.com
  • @hotmail.com
  • @gmx.net
  • @t-online.de
  • @yahoo.co.uk
  • @msn.com
  • @yahoo.com
  • @cox.net

Downloading a backdoor

The worm downloads a backdoor from one of websites and activates it. The backdoor is known as 'Surila.J' and is downloaded from the following websites:

  • www.masteratwork.com
  • www.professionals-active.com
  • www.il-legno.it
  • 64.40.98.94
  • 69.93.58.116

Limited lifecycle

After September 17th, 2004, 01:18:31 the worm stops working and deletes its file from a hard drive.