The worm is a PE executable file 18432 bytes long, packed with the UPX file compressor. The unpacked file is over 44 kilobytes in size.
Installation to system
When run, the worm creates a mutex named 'LLLf54fxrDLLL' (used to check whether a copy is already running), copies itself as WIN32S.EXE to the Windows System directory and creates a startup value for that file in the System Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32System" = "%WinSysDir%\win32s.exe"
where "%WinSysDir%" represents Windows System directory.
Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of the current user as AUTORUN.EXE, so it is also started with the user's session.
Spreading in e-mails
The worm spreads by sending e-mails carrying itself as an infected attachment to all e-mail addresses found on the infected computer. The worm looks for e-mail addresses in the Windows Address Book (WAB) and in files with the following extensions:
• wab
• xls
• uin
• txt
• tbb
• stm
• sht
• php
• msg
• mht
• mbx
• jsp
• htm
• eml
• dht
• dbx
• cgi
• cfg
• asp
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
• avp.
• syman
• icrosof
• panda
• sopho
• borlan
• inpris
• example
• mydomai
• nodomai
• ruslis
• icrosoft
• .gov
• gov.
• .mil
• @foo.
• @iana
• spam
• unix
• linux
• kasp
• antivi
• messagelabs
• support
• berkeley
• unix
• math
• mit.e
• gnu
• fsf.
• ibm.com
• google
• kernel
• linux
• fido
• usenet
• iana
• ietf
• rfc-ed
• sendmail
• arin.
• ripe.
• isi.e
• isc.o
• secur
• acketst
• pgp
• tanford.e
• utgers.ed
• mozilla
• icq.com
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• google
• accoun
• abuse
• upport
• www
• root
• info
• samples
• postmaster
• rating
• root
• news
• webmaster
• noone
• noreply
• nobody
• nothing
• anyone
• someone
• rating
• site
• contact
• support
• somebody
• privacy
• service
• help
• submit
• feste
• gold-certs
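The address-selection logic described above (harvest from files with the listed extensions, then drop anything matching the avoid list) is easy to reconstruct, which is useful for testing whether a given mailbox, honeypot or distribution-list address would have been targeted. The following is an added example, not the worm's own code: the sample files are constructed inline, WAB files are treated as plain text for simplicity (the worm parses the real binary format), and case-insensitive substring matching is an assumption about the worm's comparison.

```python
"""Reconstruction of the worm's address harvesting and filtering rules.
Added example; file contents below are constructed, not real captures."""
from __future__ import annotations

import re

# Extensions of files the worm searches for addresses (from the description).
HARVEST_EXTENSIONS = {
    "wab", "xls", "uin", "txt", "tbb", "stm", "sht", "php", "msg", "mht",
    "mbx", "jsp", "htm", "eml", "dht", "dbx", "cgi", "cfg", "asp",
}

# Substrings that cause an address to be skipped (duplicates in the original
# list removed). The list mixes vendor, infrastructure and role-account names.
AVOID_SUBSTRINGS = [
    "avp.", "syman", "icrosof", "panda", "sopho", "borlan", "inpris", "example",
    "mydomai", "nodomai", "ruslis", "icrosoft", ".gov", "gov.", ".mil", "@foo.",
    "@iana", "spam", "unix", "linux", "kasp", "antivi", "messagelabs", "support",
    "berkeley", "math", "mit.e", "gnu", "fsf.", "ibm.com", "google", "kernel",
    "fido", "usenet", "iana", "ietf", "rfc-ed", "sendmail", "arin.", "ripe.",
    "isi.e", "isc.o", "secur", "acketst", "pgp", "tanford.e", "utgers.ed",
    "mozilla", "icq.com", "admin", "ntivi", "bsd", "listserv", "certific",
    "accoun", "abuse", "upport", "www", "root", "info", "samples", "postmaster",
    "rating", "news", "webmaster", "noone", "noreply", "nobody", "nothing",
    "anyone", "someone", "site", "contact", "somebody", "privacy", "service",
    "help", "submit", "feste", "gold-certs",
]

# Generic address pattern; the worm's own scanner is not documented, so this
# is an assumption that is good enough for text-like files.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvest_target(filename: str) -> bool:
    """True if the file's extension is on the worm's harvest list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HARVEST_EXTENSIONS


def is_avoided(address: str) -> bool:
    """True if the address contains any avoid-list substring (case-insensitive)."""
    lowered = address.lower()
    return any(sub in lowered for sub in AVOID_SUBSTRINGS)


def select_targets(files: dict[str, str]) -> tuple[list[str], list[str]]:
    """Walk the given {filename: content} map the way the worm walks a disk.

    Returns (targets, skipped): addresses the worm would mail, and addresses
    it found but discarded. Each address is reported once.
    """
    seen: set[str] = set()
    targets: list[str] = []
    skipped: list[str] = []
    for name, content in files.items():
        if not is_harvest_target(name):
            continue  # e.g. a .jpg is never opened for addresses
        for addr in EMAIL_RE.findall(content):
            key = addr.lower()
            if key in seen:
                continue
            seen.add(key)
            (skipped if is_avoided(addr) else targets).append(addr)
    return targets, skipped


# Constructed sample "disk" contents. The .jpg entry exists only to show
# that files outside the extension list are ignored.
SAMPLE_FILES = {
    "inbox.dbx": "From: alice.jones@example.org\nTo: bob@cox.net, abuse@isp.net",
    "notes.txt": "support@vendor.com carol_w@t-online.de webmaster@mit.edu dave@gmx.net",
    "contacts.wab": "erin@yahoo.co.uk",
    "photo.jpg": "frank@hotmail.com",
}

if __name__ == "__main__":
    picked, dropped = select_targets(SAMPLE_FILES)
    print("would be mailed:", picked)
    print("skipped by avoid list:", dropped)
```

Running it shows the practical effect of the avoid list: role accounts (abuse@, support@, webmaster@), anything under a security-vendor or academic domain, and the reserved example domain are never mailed, which keeps the worm away from the mailboxes most likely to notice it and submit a sample.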
The subject of infected e-mails is selected from the following variants:
• FW: remember me?..
• FW: hi
• FW: hello sweety :>
• FW: my photos
• FW: that's me :-D
• FW: (no subject)
• FW: it's me
• FW: hi, it's me
• FW: 2 new photos
• FW: new photos
• FW: jenna's photos :)
The body text of infected e-mails is selected from the following variants:
-----Original Message-----
From: Jeny K.
Sent: Tuesday, September 7, 2004 8:57 PM
To: Morpheus
check my new photos
:))
miss you, jeny k
-----Original Message-----
From: Jena K.
Sent: Tuesday, September 7, 2004 5:23 AM
To: friends
Check Out Archive.. So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
-----Original Message-----
From: jenny k.
Sent: Tuesday, September 7, 2004 10:23 AM
To: My Tiger (e-mail)
new fotos(archived) you asked
jenny k
-----Original Message-----
From: jenna k. (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: Cat
my new fotos archived ))
kiss, jenna k
-----Original Message-----
From: Jeny
Sent: Tuesday, September 7, 2004 8:57 PM
To: Neo
see the photos in attached archive
:))
kiss you, jeny
-----Original Message-----
From: Jena
Sent: Tuesday, September 7, 2004 5:23 AM
To: friend
Photos in archive.. So.. Am I Hot? :)
Waining For Your Answer
Jena
-----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
To: Friends Group
in self-extracting archive my photos
Jenna :)
-----Original Message-----
From: jenna (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos archived ))
kiss, jenna
-----Original Message-----
From: Jeny K.
Sent: Tuesday, September 7, 2004 8:57 PM
To: Morpheus
check out the new photos
:))
miss you, jeny k
-----Original Message-----
From: Jena K.
Sent: Tuesday, September 7, 2004 5:23 AM
To: friends
So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
-----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
in archive my new fotos
Jenna K :)
-----Original Message-----
From: jenny k.
Sent: Tuesday, September 7, 2004 10:23 AM
To: My Tiger (e-mail)
new fotos you asked
jenny k
-----Original Message-----
From: jenna k. (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: Cat
my new fotos zipped ))
kiss, jenna k
-----Original Message-----
From: Jeny
Sent: Tuesday, September 7, 2004 8:57 PM
To: Neo
see the photos
:))
kiss you, jeny
-----Original Message-----
From: Jena
Sent: Tuesday, September 7, 2004 5:23 AM
To: friend
So.. Am I Hot? :)
Waining For Your Answer
Jena
-----Original Message-----
From: Jenna Knukles
Sent: Tuesday, September 7, 2004 9:05 AM
To: Friends Group
in archive my photos
Jenna :)
-----Original Message-----
From: jenny
Sent: Tuesday, September 7, 2004 10:23 AM
To: Mr.X (e-mail)
photos you asked
jenny
-----Original Message-----
From: jenna (e-mail)
Sent: Tuesday, September 7, 2004 11:38 AM
To: ma kittie
my photos zipped ))
kiss, jenna
The worm can send itself as an executable attachment or inside a ZIP archive, using one of the following names. In the names shown as '.jpg .pif', the '.jpg' is only part of the base name and is separated from the real '.pif' extension by whitespace padding, so the apparent image file is in fact an executable:
• myfoto.exe.safe
• myfoto.exe
• photos.selfextracting.exe.safe
• photoarchive.exe
• photofile.exe.safe
• arc.exe.safe
• my_foto.exe
• fotos.exe
• foto.exe
• photos.exe.safe
• photo_se.exe
• new_photos.exe
• newphotos.exe
• myphotos_arc.exe
• my_photos.exe
• photos_arc.exe
• new_photos.zip
• images.zip
• fotos.zip
• my_photos.zip
• myphotos.zip
• photos.zip
• me_01.jpg .pif
• 2004042301.jpg .pif
• with_flowers.jpg .pif
• sunny.jpg .pif
• photo08.jpg .pif
• nude_.jpg .pif
• marie_dancing.jpg .pif
• julia038.jpg .pif
Also, the worm can append a fake virus scan report to its message. The report takes the form '+++ Attachment: No Virus found +++' followed by a scanner name, where the scanner name is one of the following:
• Norton AntiVirus - www.symantec.de
• F-Secure AntiVirus - www.f-secure.com
• Norman AntiVirus - www.norman.com
• Panda AntiVirus - www.pandasoftware.com
• Kaspersky AntiVirus - www.kaspersky.com
• MC-Afee AntiVirus - www.mcafee.com
• Bitdefender AntiVirus - www.bitdefender.com
• MessageLabs AntiVirus - www.messagelabs.com
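The subject lures, the padded and stacked attachment extensions, and the fake scan report listed above are all visible at a mail gateway before the attachment is ever opened. The following is an added example of how a gateway filter would score a message on those indicators; it is not code from the original description, the scoring weights and threshold are assumptions, and the sample messages are constructed rather than captured.

```python
"""Gateway-side scoring for the lures used by this worm.
Added example; weights, threshold and sample messages are assumptions."""
from __future__ import annotations

import re

# Subject lines listed in the description, lowercased for comparison.
LURE_SUBJECTS = {s.lower() for s in [
    "FW: remember me?..", "FW: hi", "FW: hello sweety :>", "FW: my photos",
    "FW: that's me :-D", "FW: (no subject)", "FW: it's me", "FW: hi, it's me",
    "FW: 2 new photos", "FW: new photos", "FW: jenna's photos :)",
]}
# ZIP names the worm uses; a bare name match is only a weak indicator.
LURE_ARCHIVES = {"new_photos.zip", "images.zip", "fotos.zip",
                 "my_photos.zip", "myphotos.zip", "photos.zip"}
# Extensions Windows will execute; .pif is the one hidden behind '.jpg'.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
FAKE_SCAN_RE = re.compile(r"^\+\+\+ Attachment: No Virus found \+\+\+", re.MULTILINE)
FLAG_THRESHOLD = 2  # assumption: one strong indicator or two weak ones


def classify_attachment(name: str) -> dict:
    """Expose the real extension behind padding ('me_01.jpg     .pif')
    and behind stacked extensions ('myfoto.exe.safe')."""
    padded = re.search(r"\s+\.", name) is not None  # whitespace before a dot
    compact = re.sub(r"\s+", "", name).lower()
    exts = compact.split(".")[1:]
    executable_ext = next((e for e in exts if e in EXECUTABLE_EXTS), "")
    return {
        "compact_name": compact,
        "final_ext": exts[-1] if exts else "",
        "executable_ext": executable_ext,   # "" when no executable extension
        "padded": padded,
        "double_ext": len(exts) >= 2,
    }


def score_message(subject: str, body: str, attachments: list[str]) -> tuple[int, list[str]]:
    """Return (score, reasons) for one message."""
    score, reasons = 0, []
    if subject.strip().lower() in LURE_SUBJECTS:
        score += 1
        reasons.append("lure subject")
    if FAKE_SCAN_RE.search(body):
        score += 2
        reasons.append("fake virus-scan report in body")
    for name in attachments:
        info = classify_attachment(name)
        if info["executable_ext"]:
            score += 2
            reasons.append(f"executable attachment {name.strip()!r} (.{info['executable_ext']})")
        elif info["compact_name"] in LURE_ARCHIVES:
            score += 1
            reasons.append(f"lure archive name {name!r}")
    return score, reasons


def is_worm_like(subject: str, body: str, attachments: list[str]) -> bool:
    return score_message(subject, body, attachments)[0] >= FLAG_THRESHOLD


# Constructed sample messages: (subject, body, attachment names).
SAMPLES = [
    ("FW: my photos",
     "-----Original Message-----\nFrom: Jeny K.\ncheck my new photos\n\n"
     "+++ Attachment: No Virus found +++ Norton AntiVirus - www.symantec.de\n",
     ["me_01.jpg                    .pif"]),
    ("FW: hi", "see attached minutes", ["minutes.pdf"]),       # subject alone
    ("holiday pics", "as promised", ["photos.zip"]),            # name alone
    ("Re: build", "archive attached", ["myfoto.exe.safe"]),     # stacked ext
]

if __name__ == "__main__":
    for subject, body, atts in SAMPLES:
        score, why = score_message(subject, body, atts)
        print(f"{score}  {subject!r}: {why}")
```

The point of `classify_attachment` is that neither the padded name nor the '.exe.safe' name should be judged by its last visible extension: after whitespace is stripped, every extension component is checked, so the same rule catches both disguises. A "No Virus found" line is itself a strong indicator because a legitimate scanner does not write its verdict into the body of the message it scanned.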
The worm forges the sender's address by combining a first name, a last name and a domain from the lists below. It uses the following list of first names to compose the fake address:
• James
• John
• Robert
• Michael
• William
• David
• Richard
• Charles
• Joseph
• Thomas
• Christopher
• Daniel
• Paul
• Mark
• Donald
• George
• Kenneth
• Steven
• Edward
• Brian
• Ronald
• Anthony
• Kevin
• Jason
• Matthew
• Gary
• Timothy
• Jose
• Larry
• Jeffrey
• Frank
• Scott
• Eric
• Stephen
• Andrew
• Raymond
• Gregory
• Joshua
• Jerry
• Dennis
• Walter
• Patrick
• Peter
• Harold
• Douglas
• Henry
• Carl
• Ricky
• Troy
• Randall
• Barry
• Alexander
• Bernard
• Mario
• Leroy
• Francisco
• Marcus
• Micheal
• Theodore
• Clifford
• Miguel
• Oscar
• Jay
• Jim
• Tom
• Calvin
• Alex
• Jon
• Ronnie
• Bill
• Lloyd
• Tommy
• Leon
It uses the following list of last names to compose the fake address:
• Smith
• Johnson
• Williams
• Jones
• Brown
• Davis
• Miller
• Wilson
• Moore
• Taylor
• Anderson
• Thomas
• Jackson
• White
• Harris
• Martin
• Thompson
• Garcia
• Martinez
• Robinson
• Clark
• Rodriguez
• Lewis
• Lee
• Walker
• Hall
• Allen
• Young
• Hernandez
• King
• Wright
• Lopez
• Hill
• Scott
• Green
• Adams
• Baker
• Gonzalez
• Nelson
• Carter
• Mitchell
• Perez
• Roberts
• Turner
• Phillips
• Campbell
• Parker
• Cruz
• Marshall
• Ortiz
• Gomez
• Murray
• Freeman
• Wells
• Webb
• Simpson
• Stevens
• Tucker
• Porter
It uses the following list of domain names to compose these fake addresses:
• @dailymail.co.uk
• @mail.com
• @aol.com
• @hotmail.com
• @gmx.net
• @t-online.de
• @yahoo.co.uk
• @msn.com
• @yahoo.com
• @cox.net
Downloading a backdoor
The worm downloads a backdoor from one of several websites and activates it. The backdoor is known as 'Surila.J' and is downloaded from the following hosts:
• www.masteratwork.com
• www.professionals-active.com
• www.il-legno.it
• 64.40.98.94
• 69.93.58.116
Limited lifecycle
After September 17th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.