MyDoom.X

Name: MyDoom.X
Category: Malware
Type: Email-Worm
Platform: Win32

Summary

A new variant of the MyDoom worm, Mydoom.X, was found on September 10th, 2004. It is similar to the previous variants Mydoom.U-W: it spreads in e-mails with varying subject and body texts, and downloads and activates a backdoor.

Additional Details

The worm is a PE executable file 18432 bytes long, packed with the UPX file compressor. The unpacked file is over 44 kilobytes in size.

Installation to system

When run, the worm creates a mutex named 'LLLf54fxrDLLL', copies itself as WIN32S.EXE to the Windows System directory and creates a startup key for that file in the System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32System" = "%WinSysDir%\win32s.exe"

where "%WinSysDir%" represents the Windows System directory.

Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of the current user as AUTORUN.EXE.
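
The persistence artifacts just described (the Run value, the two dropped copies and the mutex) make a straightforward host check. The following is an added example in Python, not code from the original description: it assumes the modern per-user Startup folder path, uses winreg and the kernel32 OpenMutexW call on Windows, and reports nothing on other platforms.

```python
"""Host check for the MyDoom.X persistence artifacts described above (added example)."""
import os
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Win32System"      # value name the worm creates under HKCU\...\Run
DROPPED_EXE = "win32s.exe"     # copy dropped in the Windows System directory
STARTUP_EXE = "autorun.exe"    # copy dropped in the current user's Startup folder
MUTEX_NAME = "LLLf54fxrDLLL"   # mutex held while the worm is running
DROPPED_RE = re.compile(r"(?:^|[\\/])win32s\.exe\b", re.IGNORECASE)

def suspicious_run_values(values):
    """values: (name, data) pairs from the Run key. Flags the worm's value name and
    any command that launches win32s.exe, so a renamed value is still caught."""
    hits = []
    for name, data in values:
        cmd = str(data).strip().strip('"')
        if name.lower() == RUN_VALUE.lower() or DROPPED_RE.search(cmd):
            hits.append((name, data))
    return hits

def expected_file_paths():
    """Where the two copies land. The Startup path is the modern per-user location
    (assumption: the page only names 'Start Menu\\Programs\\Startup')."""
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    startup = os.path.join(os.environ.get("APPDATA", r"C:\Users\user\AppData\Roaming"),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    return [os.path.join(sysdir, DROPPED_EXE), os.path.join(startup, STARTUP_EXE)]

def read_hkcu_run_values():
    """Enumerate HKCU Run values (Windows only; returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        return [winreg.EnumValue(key, i)[:2] for i in range(winreg.QueryInfoKey(key)[1])]

def mutex_present():
    """True if the worm's mutex exists, i.e. a copy is running right now (Windows only)."""
    if sys.platform != "win32":
        return False
    import ctypes
    k32 = ctypes.WinDLL("kernel32")
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(0x00100000, 0, MUTEX_NAME)   # SYNCHRONIZE access
    if handle:
        k32.CloseHandle(handle)
    return bool(handle)
```

Run `suspicious_run_values(read_hkcu_run_values())`, test `os.path.exists` on each of `expected_file_paths()`, and call `mutex_present()` to cover the three artifacts; the mutex only exists while a copy is running, so its absence does not clear the host.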

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. The worm looks for e-mail addresses in the Windows Address Book (WAB) and in files with the following extensions:

  •  wab
  •  xls
  •  uin
  •  txt
  •  tbb
  •  stm
  •  sht
  •  php
  •  msg
  •  mht
  •  mbx
  •  jsp
  •  htm
  •  eml
  •  dht
  •  dbx
  •  cgi
  •  cfg
  •  asp

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  •  avp.
  •  syman
  •  icrosof
  •  panda
  •  sopho
  •  borlan
  •  inpris
  •  example
  •  mydomai
  •  nodomai
  •  ruslis
  •  icrosoft
  •  .gov
  •  gov.
  •  .mil
  •  @foo.
  •  @iana
  •  spam
  •  unix
  •  linux
  •  kasp
  •  antivi
  •  messagelabs
  •  support
  •  berkeley
  •  unix
  •  math
  •  mit.e
  •  gnu
  •  fsf.
  •  ibm.com
  •  google
  •  kernel
  •  linux
  •  fido
  •  usenet
  •  iana
  •  ietf
  •  rfc-ed
  •  sendmail
  •  arin.
  •  ripe.
  •  isi.e
  •  isc.o
  •  secur
  •  acketst
  •  pgp
  •  tanford.e
  •  utgers.ed
  •  mozilla
  •  icq.com
  •  admin
  •  icrosoft
  •  support
  •  ntivi
  •  unix
  •  bsd
  •  linux
  •  listserv
  •  certific
  •  google
  •  accoun
  •  abuse
  •  upport
  •  www
  •  root
  •  info
  •  samples
  •  postmaster
  •  rating
  •  root
  •  news
  •  webmaster
  •  noone
  •  noreply
  •  nobody
  •  nothing
  •  anyone
  •  someone
  •  rating
  •  site
  •  contact
  •  support
  •  somebody
  •  privacy
  •  service
  •  help
  •  submit
  •  feste
  •  gold-certs

The subject of infected e-mails is selected from the following variants:

  •  FW: remember me?..
  •  FW: hi
  •  FW: hello sweety :>
  •  FW: my photos
  •  FW: that's me :-D
  •  FW: (no subject)
  •  FW: it's me
  •  FW: hi, it's me
  •  FW: 2 new photos
  •  FW: new photos
  •  FW: jenna's photos :)

The body text of infected e-mails is selected from the following variants:

-----Original Message-----
From: Jeny K.
Sent: Tuesday, September 7, 2004 8:57 PM
To: Morpheus
check my new photos
:))
miss you, jeny k

-----Original Message-----
From: Jena K.
Sent: Tuesday, September 7, 2004 5:23 AM
To: friends
Check Out Archive.. So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key

-----Original Message-----
From: jenny k.
Sent: Tuesday, September 7, 2004 10:23 AM
To: My Tiger (e-mail)
new fotos(archived) you asked
jenny k

-----Original Message-----
From: jenna k. (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: Cat
my new fotos archived ))
kiss, jenna k

-----Original Message-----
From: Jeny
Sent: Tuesday, September 7, 2004 8:57 PM
To: Neo
see the photos in attached archive
:))
kiss you, jeny

-----Original Message-----
From: Jena
Sent: Tuesday, September 7, 2004 5:23 AM
To: friend
Photos in archive.. So.. Am I Hot? :)
Waining For Your Answer
Jena

-----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
To: Friends Group
in self-extracting archive my photos
Jenna :)

-----Original Message-----
From: jenna (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos archived ))
kiss, jenna

-----Original Message-----
From: Jeny K.
Sent: Tuesday, September 7, 2004 8:57 PM
To: Morpheus
check out the new photos
:))
miss you, jeny k

-----Original Message-----
From: Jena K.
Sent: Tuesday, September 7, 2004 5:23 AM
To: friends
So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key

-----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
in archive my new fotos
Jenna K :)

-----Original Message-----
From: jenny k.
Sent: Tuesday, September 7, 2004 10:23 AM
To: My Tiger (e-mail)
new fotos you asked
jenny k

-----Original Message-----
From: jenna k. (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: Cat
my new fotos zipped ))
kiss, jenna k

-----Original Message-----
From: Jeny
Sent: Tuesday, September 7, 2004 8:57 PM
To: Neo
see the photos
:))
kiss you, jeny

-----Original Message-----
From: Jena
Sent: Tuesday, September 7, 2004 5:23 AM
To: friend
So.. Am I Hot? :)
Waining For Your Answer
Jena

-----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
To: Friends Group
in archive my photos
Jenna :)

-----Original Message-----
From: jenny
Sent: Tuesday, September 7, 2004 10:23 AM
To: Mr.X (e-mail)
photos you asked
jenny

-----Original Message-----
From: jenna (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos zipped ))
kiss, jenna

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

  •  myfoto.exe.safe
  •  myfoto.exe
  •  photos.selfextracting.exe.safe
  •  photoarchive.exe
  •  photofile.exe.safe
  •  arc.exe.safe
  •  my_foto.exe
  •  fotos.exe
  •  foto.exe
  •  photos.exe.safe
  •  photo_se.exe
  •  new_photos.exe
  •  newphotos.exe
  •  myphotos_arc.exe
  •  my_photos.exe
  •  photos_arc.exe
  •  new_photos.zip
  •  images.zip
  •  fotos.zip
  •  my_photos.zip
  •  myphotos.zip
  •  photos.zip
  •  me_01.jpg .pif
  •  2004042301.jpg .pif
  •  with_flowers.jpg .pif
  •  sunny.jpg .pif
  •  photo08.jpg .pif
  •  nude_.jpg .pif
  •  marie_dancing.jpg .pif
  •  julia038.jpg .pif

The worm can also append a fake virus scan report to its message:

+++ Attachment: No Virus found +++

where the named scanner can be any of the following:

  •  Norton AntiVirus - www.symantec.de
  •  F-Secure AntiVirus - www.f-secure.com
  •  Norman AntiVirus - www.norman.com
  •  Panda AntiVirus - www.pandasoftware.com
  •  Kaspersky AntiVirus - www.kaspersky.com
  •  MC-Afee AntiVirus - www.mcafee.com
  •  Bitdefender AntiVirus - www.bitdefender.com
  •  MessageLabs AntiVirus - www.messagelabs.com

The worm fakes the sender's address. It uses the following list of first names to compose the fake address:

  •  James
  •  John
  •  Robert
  •  Michael
  •  William
  •  David
  •  Richard
  •  Charles
  •  Joseph
  •  Thomas
  •  Christopher
  •  Daniel
  •  Paul
  •  Mark
  •  Donald
  •  George
  •  Kenneth
  •  Steven
  •  Edward
  •  Brian
  •  Ronald
  •  Anthony
  •  Kevin
  •  Jason
  •  Matthew
  •  Gary
  •  Timothy
  •  Jose
  •  Larry
  •  Jeffrey
  •  Frank
  •  Scott
  •  Eric
  •  Stephen
  •  Andrew
  •  Raymond
  •  Gregory
  •  Joshua
  •  Jerry
  •  Dennis
  •  Walter
  •  Patrick
  •  Peter
  •  Harold
  •  Douglas
  •  Henry
  •  Carl
  •  Ricky
  •  Troy
  •  Randall
  •  Barry
  •  Alexander
  •  Bernard
  •  Mario
  •  Leroy
  •  Francisco
  •  Marcus
  •  Micheal
  •  Theodore
  •  Clifford
  •  Miguel
  •  Oscar
  •  Jay
  •  Jim
  •  Tom
  •  Calvin
  •  Alex
  •  Jon
  •  Ronnie
  •  Bill
  •  Lloyd
  •  Tommy
  •  Leon

It uses the following list of last names to compose the fake address:

  •  Smith
  •  Johnson
  •  Williams
  •  Jones
  •  Brown
  •  Davis
  •  Miller
  •  Wilson
  •  Moore
  •  Taylor
  •  Anderson
  •  Thomas
  •  Jackson
  •  White
  •  Harris
  •  Martin
  •  Thompson
  •  Garcia
  •  Martinez
  •  Robinson
  •  Clark
  •  Rodriguez
  •  Lewis
  •  Lee
  •  Walker
  •  Hall
  •  Allen
  •  Young
  •  Hernandez
  •  King
  •  Wright
  •  Lopez
  •  Hill
  •  Scott
  •  Green
  •  Adams
  •  Baker
  •  Gonzalez
  •  Nelson
  •  Carter
  •  Mitchell
  •  Perez
  •  Roberts
  •  Turner
  •  Phillips
  •  Campbell
  •  Parker
  •  Cruz
  •  Marshall
  •  Ortiz
  •  Gomez
  •  Murray
  •  Freeman
  •  Wells
  •  Webb
  •  Simpson
  •  Stevens
  •  Tucker
  •  Porter

It uses the following list of domain names to compose these fake addresses:

  •  @dailymail.co.uk
  •  @mail.com
  •  @aol.com
  •  @hotmail.com
  •  @gmx.net
  •  @t-online.de
  •  @yahoo.co.uk
  •  @msn.com
  •  @yahoo.com
  •  @cox.net
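
A gateway-side triage rule built from the lure traits in this section (subject lines, attachment names, the fake scan report), as an added example in Python that is not part of the original description. The attachment regex generalises the listed names to any .exe, .exe.safe or "jpg .pif" attachment, and the sample message is constructed rather than captured.

```python
"""Mail-gateway triage for the MyDoom.X lures described above (added example)."""
import email
import re
from email import policy

# Subject lines from the list above, compared case-insensitively.
SUBJECTS = {
    "fw: remember me?..", "fw: hi", "fw: hello sweety :>", "fw: my photos",
    "fw: that's me :-d", "fw: (no subject)", "fw: it's me", "fw: hi, it's me",
    "fw: 2 new photos", "fw: new photos", "fw: jenna's photos :)",
}
# The six ZIP names exactly; every other listed name ends in .exe, .exe.safe or
# the space-separated double extension "jpg .pif", which the regex generalises.
ZIP_NAMES = {"new_photos.zip", "images.zip", "fotos.zip",
             "my_photos.zip", "myphotos.zip", "photos.zip"}
ATTACH_RE = re.compile(r"\.exe(?:\.safe)?$|\.jpg \.pif$", re.IGNORECASE)
# The fake scan report the worm appends, followed by one of the eight scanners.
FAKE_AV_RE = re.compile(
    r"\+\+\+ Attachment: No Virus found \+\+\+\s*"
    r"(?:Norton|F-Secure|Norman|Panda|Kaspersky|MC-Afee|Bitdefender|MessageLabs)"
    r" AntiVirus - www\.", re.IGNORECASE)

def mydoom_x_indicators(raw):
    """Return the MyDoom.X traits found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and (name.lower() in ZIP_NAMES or ATTACH_RE.search(name)):
            hits.append("attachment:" + name)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_AV_RE.search(body.get_content()):
        hits.append("fake_av_report")
    return hits

# Constructed sample (not a real capture) showing all three traits together.
SAMPLE = (b"From: Jenna Knukles <jenna@example.invalid>\r\n"
          b"Subject: FW: new photos\r\nMIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\n"
          b"-----Original Message-----\r\nFrom: Jenna Knukles\r\n"
          b"in archive my photos\r\nJenna :)\r\n\r\n"
          b"+++ Attachment: No Virus found +++\r\n"
          b"Norton AntiVirus - www.symantec.de\r\n"
          b'--b1\r\nContent-Type: application/zip; name="photos.zip"\r\n'
          b'Content-Disposition: attachment; filename="photos.zip"\r\n\r\n'
          b"UEsDBA==\r\n--b1--\r\n")
```

Any one hit is worth quarantining for review; the spoofed From address is deliberately not scored, because the domains the worm borrows are ordinary webmail providers.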

Downloading a backdoor

The worm downloads a backdoor from one of several websites and activates it. The backdoor is known as 'Surila.J' and is downloaded from the following sites:

  •  www.masteratwork.com
  •  www.professionals-active.com
  •  www.il-legno.it
  •  64.40.98.94
  •  69.93.58.116

Limited lifecycle

After September 17th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.