Email-Worm:W32/MyDoom.G

Mydoom.G is functionally similar to the original variant but it contains this hidden message: to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. They may be called skynets, but not your shitty application.

Apparently, the author of Mydoom wanted to send a message to the authors of the Netsky worm:

The executable is packed with unmodified UPX, and a minority of the strings are scrambled as in the first variants of the worm, using the old fashioned ROT13.

Email Spreading

The emails sent by Mydoom.G will contain one of the following subjects:

• For your eyes only
• micro$oft must die. support us!
• Micro$oft
• some stuff
• Your profile
• just some stuff
• See you soon
• Auto-reply
• Address verification
• Your account is about to be expired
• Your account is expired
• Expired account
• Bank information
• Registration rejected
• Rejected
• excuse me
• photo
• my photos
• Alert
• Warning
• Attention
• hey!
• read!!!
• i can tell you the future
• your chance
• please read
• corrupted
• missed
• unknown
• Microsoft
• join
• we're unable to process your request
• i need you
• Interesting
• we're experiencing technical problems
• Empty
• Automatic notification
• Reply
• beauty
• kleopatra
• kate
• dear friend!
• Response
• Request
• notification
• anna
• price list
• hey
• fw:
• re:
• question
• report
• how are you?
• :-)
• hello! :)
• hi! :)
• confirmed
• Email verification
• verification
• see you
• You have been successfully registered
• Please, confirm the registration
• Registration
• Your details
• Your account details
• service
• melissa
• maria
• pamela
• jessica
• your website
• your text
• your music
• your letter
• your archive
• thank you
• thanks
• thanks!
• your document
• my details
• here is the document
• here
• hello
• spreadsheet
• excel
• Your request
• do you still love me
• do you love me
• greetings
• hello my friend
• hi!
• account details
• your account
• from me
• Daily Report
• summary
• price-list
• pricelist

It might additionally contain any of the following:

• Re:
• Fw:
• Returned mail:

to the subject.

Message bodies are chosen from:

• Here it is
• Please, read and let me know what do you feel
• Full message is in the attached document
• Open the document
• Test
• Here is the document
• Please, reply
• Re:
• See you
• Okay
• Look at the attached file
• Look at the document
• Read this
• See the attached document
• See the attached message
• See attachment
• See attachemnt
• Read the document
• Details are in the attached document
• Hi! Check the attachment for details
• Your file is attached
• Your document is attached
• See the attached file for details
• Please read the attached file
• Please have a look at the attached file
• Here is the file

The attachment filename will be composed from combining the any of the following filenames:

• attachment
• Letter
• attach
• att
• file
• payment
• check
• bill
• stuff
• doc
• description
• information
• info
• mail
• msg
• paypal
• TextFile
• music
• MoreInfo
• misc
• AttachedFile
• note
• posting
• post
• object
• news
• readme
• text
• for_you
• pic
• letter
• document
• application
• all_document
• part2
• AttachedDocument
• message_part2
• details
• message_details
• message
• Document
• msg2
• more
• test
• TextDocument
• price
• reply
• response
• account
• problem
• found
• important
• archive
• nothing

and the following extensions:

• scr
• pif
• cmd
• exe
• bat
• com

Infection Payload

The worm will go through all the machines' drives and folder on them and performing the following actions on the found files.

Mydoom will harvest email addresses from files with the extensions:

• htm
• php
• txt
• sht
• pl
• asp
• mbx
• nch
• mmf
• eml
• msg
• dbx
• rtf
• uin
• tbb
• adb
• mht
• wab

If a file with extension PIF is found, it will overwrite 8 out of 10 times.

If the 'target' file has an extension among:

• wav
• mp3
• mp4
• wma
• avi
• jpg
• doc
• xls

With a probability of 95% it will copy itself to a filename with the same name as the 'target' file, plus an the extension 'EXE' 8 out of 10 times and 'SCR' otherwise.

DDoS Payload

Mydoom.G will attempt to launch a DDoS attack against Symantec. When performing the attack, it will try to connect to either symantec.com or www.symantec.com. It will launch from 8 up to 77 of threads, requesting Symantec's main page.