Email-Worm:W32/MyDoom.L

The executable is packed with unmodified UPX.

When executed it will copy itself to:

• %windir%\lsass.exe

Where %windir% is the main Windows folder.

And create the following registry key.

• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

or

• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

and sets the value:

• "Traybar" = %windir%\lsass.exe

Email Spreading

The emails sent by Mydoom.L will contain one of the following subjects:

• say helo to my litl friend
• click me baby, one more time
• hello
• error
• status
• test
• report
• delivery failed
• Message could not be delivered
• Mail System Error - Returned Mail
• Delivery reports about your email
• Returned mail: see transcript for details
• Returned mail: Data format error

It may also compose the subject randomly.

Message bodies are chosen from:

The original message was included as attachment This Message was undeliverable due to the following reason: Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [text filled by the worm] days: Host $i is not responding. The following recipients did not receive this message: [text filled by the worm] Please reply to postmaster@[text filled by the worm] if you feel this message to be in error. The original message was received at [text filled by the worm] from [text filled by the worm] ----- The following addresses had permanent fatal errors ----- [text filled by the worm] ----- Transcript of session follows ----- while talking to [text filled by the worm].: MAIL From:[text filled by the worm] 501 [text filled by the worm]... Refused The original message was received at $w from [text filled by the worm] ----- The following addresses had permanent fatal errors ----- [text filled by the worm]

The attachment filename will be composed from combining the any of the following filenames:

• readme
• transcript
• mail
• letter
• file
• text
• attachment
• document
• message

and the following extensions:

• .scr
• .exe
• .com
• .pif
• .bat
• .cmd

It can also send ZIP files containing the worm. In that case the file inside the ZIP may have a filename resembling an email address or an extension followed by a large number of whitespaces finished with an executable extension.

Other spreading techniques

The worm will look for folder with the following text strings on them:

• incoming
• ftproot
• download
• shar

If any of them are found, it will copy itself inside those folders with names composed from:

• index
• Kazaa Lite
• Harry Potter
• ICQ 4 Lite
• WinRAR.v.3.2.and.key
• Winamp 5.0 (en) Crack
• Winamp 5.0 (en)

And followed by:

• .scr
• .com
• .exe
• .ShareReactor.com