Threat Description

MyDoom.X

Details

Aliases: MyDoom.X
Category: Malware
Type: Email-Worm
Platform: W32

Summary



A new variant of the MyDoom worm, Mydoom.X, was found on September 10th, 2004. It is similar to the previous variants Mydoom.U through Mydoom.W: it spreads in e-mails with varying subject and body texts, and downloads and activates a backdoor.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm is a PE executable file, 18432 bytes long, packed with the UPX file compressor. The unpacked file is over 44 kilobytes in size.

Installation to system

When run, the worm creates a mutex named 'LLLf54fxrDLLL', copies itself as WIN32S.EXE to the Windows System directory and creates a startup entry for that file in the System Registry:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Win32System" = "%WinSysDir%\win32s.exe"

where "%WinSysDir%" represents the Windows System directory.

Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of the current user as a file named AUTORUN.EXE.
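The persistence artifacts above (Run value, dropped file name, Startup folder copy, packed file size) can be checked against a host snapshot. This is an added example, not code from the original description or from F-Secure; the function names are mine, and the live check assumes the Startup folder sits under %APPDATA%.

```python
import os
import re
import sys
RUN_VALUE_NAME = "win32system"  # Run value name created by the worm
DROPPED_NAME = "win32s.exe"     # copy in the Windows System directory
STARTUP_NAME = "autorun.exe"    # copy in the user's Startup folder
PACKED_SIZE = 18432             # size of the UPX-packed worm file

def exe_path(run_data):
    """Run value data -> executable path: drop quotes and arguments, expand %VARS%."""
    m = re.match(r'"([^"]+)"', run_data.strip())
    return os.path.expandvars(m.group(1) if m else run_data.strip().split(" ")[0])

def base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def find_indicators(run_values, startup_files, sizes):
    """Match a snapshot: run_values is HKCU Run value name -> data, startup_files
    the names in the Startup folder, sizes lower-cased file name -> bytes."""
    hits = []
    for name, data in run_values.items():
        exe = base(exe_path(data))
        if name.lower() == RUN_VALUE_NAME or exe == DROPPED_NAME:
            note = " (size matches packed worm)" if sizes.get(exe) == PACKED_SIZE else ""
            hits.append(f"Run value {name!r} -> {data!r}{note}")
    for entry in startup_files:
        if entry.lower() == STARTUP_NAME:
            hits.append(f"Startup folder copy {entry!r}")
    return hits

def check_live_host():
    """Windows only: read the real HKCU Run key and the %APPDATA% Startup folder."""
    if sys.platform != "win32":
        raise RuntimeError("needs Windows; call find_indicators on a snapshot instead")
    import winreg
    run, sizes, i = {}, {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run[name], i = str(data), i + 1
            path = exe_path(str(data))
            if os.path.isfile(path):
                sizes[base(path)] = os.path.getsize(path)
    startup = os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup")
    files = os.listdir(startup) if os.path.isdir(startup) else []
    return find_indicators(run, files, sizes)
```

The size match is a weak corroborating signal only; a renamed Run value or a repacked sample still matches on the dropped file name.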

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on the infected computer. It looks for e-mail addresses in the Windows Address Book (WAB) and in files with the following extensions:

  • wab
  • xls
  • uin
  • txt
  • tbb
  • stm
  • sht
  • php
  • msg
  • mht
  • mbx
  • jsp
  • htm
  • eml
  • dht
  • dbx
  • cgi
  • cfg
  • asp

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • avp.
  • syman
  • icrosof
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • icrosoft
  • .gov
  • gov.
  • .mil
  • @foo.
  • @iana
  • spam
  • unix
  • linux
  • kasp
  • antivi
  • messagelabs
  • support
  • berkeley
  • unix
  • math
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • icq.com
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • abuse
  • upport
  • www
  • root
  • info
  • samples
  • postmaster
  • rating
  • root
  • news
  • webmaster
  • noone
  • noreply
  • nobody
  • nothing
  • anyone
  • someone
  • rating
  • site
  • contact
  • support
  • somebody
  • privacy
  • service
  • help
  • submit
  • feste
  • gold-certs

The subject of infected e-mails is selected from the following variants:

  • FW: remember me?..
  • FW: hi
  • FW: hello sweety :>
  • FW: my photos
  • FW: that's me :-D
  • FW: (no subject)
  • FW: it's me
  • FW: hi, it's me
  • FW: 2 new photos
  • FW: new photos
  • FW: jenna's photos :)

The body text of infected e-mails is selected from the following variants:

-----Original Message----- 
From: Jeny K.
Sent: Tuesday, September 7, 2004 8:57 PM 
To: Morpheus 
check my new photos 
:)) 
miss you, jeny k 

-----Original Message----- 
From: Jena K.
Sent: Tuesday, September 7, 2004 5:23 AM 
To: friends 
Check Out Archive.. So.. What Do You Think... Am I Hot? :) 
Waining For Your Answer 
Jena Key 

-----Original Message----- 
From: jenny k.
Sent: Tuesday, September 7, 2004 10:23 AM 
To: My Tiger (e-mail) 
new fotos(archived) you asked 
jenny k 

-----Original Message----- 
From: jenna k. (e-mail) 
Sent: Tuesday, September 7, 2004 11:38 AM 
To: Cat 
my new fotos archived )) 
kiss, jenna k 

-----Original Message----- 
From: Jeny 
Sent: Tuesday, September 7, 2004 8:57 PM 
To: Neo 
see the photos in attached archive 
:)) 
kiss you, jeny 

-----Original Message----- 
From: Jena 
Sent: Tuesday, September 7, 2004 5:23 AM 
To: friend 
Photos in archive.. So.. Am I Hot? :) 
Waining For Your Answer 
Jena 

-----Original Message----- 
From: Jenna Knukles 
Sent: Tuesday, September 7, 2004 9:05 AM 
To: Friends Group 
in self-extracting archive my photos 
Jenna :) 

-----Original Message----- 
From: jenna (e-mail) 
Sent: Tuesday, September 7, 2004 11:38 AM 
To: ma kittie 
my photos archived )) 
kiss, jenna 

-----Original Message----- 
From: Jeny K.
Sent: Tuesday, September 7, 2004 8:57 PM 
To: Morpheus 
check out the new photos 
:)) 
miss you, jeny k 

-----Original Message----- 
From: Jena K.
Sent: Tuesday, September 7, 2004 5:23 AM 
To: friends 
So.. What Do You Think... Am I Hot? :) 
Waining For Your Answer 
Jena Key 

-----Original Message----- 
From: Jenna Knukles 
Sent: Tuesday, September 7, 2004 9:05 AM 
in archive my new fotos 
Jenna K :) 

-----Original Message----- 
From: jenny k.
Sent: Tuesday, September 7, 2004 10:23 AM 
To: My Tiger (e-mail) 
new fotos you asked 
jenny k 

-----Original Message----- 
From: jenna k. (e-mail) 
Sent: Tuesday, September 7, 2004 11:38 AM 
To: Cat 
my new fotos zipped )) 
kiss, jenna k 

-----Original Message----- 
From: Jeny 
Sent: Tuesday, September 7, 2004 8:57 PM 
To: Neo 
see the photos 
:)) 
kiss you, jeny 

-----Original Message----- 
From: Jena 
Sent: Tuesday, September 7, 2004 5:23 AM 
To: friend 
So.. Am I Hot? :) 
Waining For Your Answer 
Jena 

-----Original Message----- 
From: Jenna Knukles 
Sent: Tuesday, September 7, 2004 9:05 AM 
To: Friends Group 
in archive my photos 
Jenna :) 

-----Original Message----- 
From: jenny 
Sent: Tuesday, September 7, 2004 10:23 AM 
To: Mr.X (e-mail) 
photos you asked 
jenny 

-----Original Message----- 
From: jenna (e-mail) 
Sent: Tuesday, September 7, 2004 11:38 AM 
To: ma kittie 
my photos zipped )) 
kiss, jenna  

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

  • myfoto.exe.safe
  • myfoto.exe
  • photos.selfextracting.exe.safe
  • photoarchive.exe
  • photofile.exe.safe
  • arc.exe.safe
  • my_foto.exe
  • fotos.exe
  • foto.exe
  • photos.exe.safe
  • photo_se.exe
  • new_photos.exe
  • newphotos.exe
  • myphotos_arc.exe
  • my_photos.exe
  • photos_arc.exe
  • new_photos.zip
  • images.zip
  • fotos.zip
  • my_photos.zip
  • myphotos.zip
  • photos.zip
  • me_01.jpg .pif
  • 2004042301.jpg .pif
  • with_flowers.jpg .pif
  • sunny.jpg .pif
  • photo08.jpg .pif
  • nude_.jpg .pif
  • marie_dancing.jpg .pif
  • julia038.jpg .pif

The worm can also append a fake virus scan report to its message:

  • +++ Attachment: No Virus found +++

where the antivirus product named in the report can be any of the following:

  • Norton AntiVirus - www.symantec.de
  • F-Secure AntiVirus - www.f-secure.com
  • Norman AntiVirus - www.norman.com
  • Panda AntiVirus - www.pandasoftware.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • MC-Afee AntiVirus - www.mcafee.com
  • Bitdefender AntiVirus - www.bitdefender.com
  • MessageLabs AntiVirus - www.messagelabs.com
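The attachment names and the forged scan report above give a mail gateway two cheap signals: an executable extension hidden behind a decoy extension or whitespace padding ("me_01.jpg .pif", "myfoto.exe.safe"), and the "+++ Attachment: No Virus found +++" line. This is an added example, not code from the original description; the function names and the decoy/executable extension sets are my own choices, and it generalises the page's list to any padded or decoy-suffixed name.

```python
import re
from typing import List, Optional

# Extensions Windows will execute, and the decoy extensions the worm puts in
# front of them ("me_01.jpg .pif", "myfoto.exe.safe") to hide the real one.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "txt", "doc", "safe"}

# Forged scan-report line; the vendor name after it varies, as listed above.
FAKE_SCAN_RE = re.compile(r"\+\+\+ Attachment: No Virus found \+\+\+")

def real_extension(filename: str) -> Optional[str]:
    """Return the executable extension hidden in an attachment name, or None.
    Collapses whitespace padding before a dot ("jpg .pif" -> "jpg.pif"), then
    walks the extensions right to left, skipping known decoys."""
    collapsed = re.sub(r"\s+\.", ".", filename.strip().lower())
    parts = collapsed.split(".")
    for ext in reversed(parts[1:]):
        if ext in EXECUTABLE_EXTS:
            return ext
        if ext not in DECOY_EXTS:
            return None  # an ordinary document or image extension
    return None

def is_disguised(filename: str, ext: str) -> bool:
    """True when the visible name hides the executable extension: either a
    decoy extension follows it or whitespace padding precedes the last dot."""
    shown = filename.strip().lower()
    return not shown.endswith("." + ext) or re.search(r"\s\.", shown) is not None

def flags_for_message(attachments: List[str], body: str) -> List[str]:
    """Collect reasons to quarantine a message; an empty list means none matched.
    ZIP attachments are only noted: the worm's archives need content inspection."""
    reasons = []
    for name in attachments:
        ext = real_extension(name)
        if ext and is_disguised(name, ext):
            reasons.append(f"disguised executable: {name!r} runs as .{ext}")
        elif ext:
            reasons.append(f"executable attachment: {name!r}")
        elif name.strip().lower().endswith(".zip"):
            reasons.append(f"archive attachment: inspect contents of {name!r}")
    if FAKE_SCAN_RE.search(body):
        reasons.append("forged antivirus scan report line in body")
    return reasons
```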

The worm fakes the sender's address. It uses the following list of first names to compose the fake address:

  • James
  • John
  • Robert
  • Michael
  • William
  • David
  • Richard
  • Charles
  • Joseph
  • Thomas
  • Christopher
  • Daniel
  • Paul
  • Mark
  • Donald
  • George
  • Kenneth
  • Steven
  • Edward
  • Brian
  • Ronald
  • Anthony
  • Kevin
  • Jason
  • Matthew
  • Gary
  • Timothy
  • Jose
  • Larry
  • Jeffrey
  • Frank
  • Scott
  • Eric
  • Stephen
  • Andrew
  • Raymond
  • Gregory
  • Joshua
  • Jerry
  • Dennis
  • Walter
  • Patrick
  • Peter
  • Harold
  • Douglas
  • Henry
  • Carl
  • Ricky
  • Troy
  • Randall
  • Barry
  • Alexander
  • Bernard
  • Mario
  • Leroy
  • Francisco
  • Marcus
  • Micheal
  • Theodore
  • Clifford
  • Miguel
  • Oscar
  • Jay
  • Jim
  • Tom
  • Calvin
  • Alex
  • Jon
  • Ronnie
  • Bill
  • Lloyd
  • Tommy
  • Leon

It uses the following list of last names to compose the fake address:

  • Smith
  • Johnson
  • Williams
  • Jones
  • Brown
  • Davis
  • Miller
  • Wilson
  • Moore
  • Taylor
  • Anderson
  • Thomas
  • Jackson
  • White
  • Harris
  • Martin
  • Thompson
  • Garcia
  • Martinez
  • Robinson
  • Clark
  • Rodriguez
  • Lewis
  • Lee
  • Walker
  • Hall
  • Allen
  • Young
  • Hernandez
  • King
  • Wright
  • Lopez
  • Hill
  • Scott
  • Green
  • Adams
  • Baker
  • Gonzalez
  • Nelson
  • Carter
  • Mitchell
  • Perez
  • Roberts
  • Turner
  • Phillips
  • Campbell
  • Parker
  • Cruz
  • Marshall
  • Ortiz
  • Gomez
  • Murray
  • Freeman
  • Wells
  • Webb
  • Simpson
  • Stevens
  • Tucker
  • Porter

It uses the following list of domain names to compose these fake addresses:

  • @dailymail.co.uk
  • @mail.com
  • @aol.com
  • @hotmail.com
  • @gmx.net
  • @t-online.de
  • @yahoo.co.uk
  • @msn.com
  • @yahoo.com
  • @cox.net

Downloading a backdoor

The worm downloads a backdoor from one of several websites and activates it. The backdoor is known as 'Surila.J' and is downloaded from one of the following sites:

  • www.masteratwork.com
  • www.professionals-active.com
  • www.il-legno.it
  • 64.40.98.94
  • 69.93.58.116

Limited lifecycle

After September 17th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.
