Home > Threat descriptions >

Email-Worm:W32/MyDoom.AB

Classification

Category: Malware

Type: Email-Worm

Aliases: MyDoom.AB, .Mydoom.y, W32/Mydoom.AB@mm

Summary


A new variant of MyDoom worm - Mydoom.AB, was found on September 16th, 2004. This worm variant is similar to previous variants. It spreads in emails with different subject and body texts, downloads and activates a backdoor.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The worm is a PE executable file 69632 bytes long packed with UPX file compressor. The unpacked file's size is over 180 KiB.

Installation to system

When run, the worm copies creates a mutex 'ertglddfgd', copies itself to Windows System Directory with a filename picked from:

smss.exe
csrss.exe
winlogon.exe
services.exe

and sets a startup key for that file in System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32System]
 
Spreading in emails

The worm spreads by sending its infected attachment to all email addresses found on an infected computer. The worm looks for email addresses in Windows Address Book and in the files with the following extensions:

wab
xls
uin
txt
tbb
stm
sht
php
msg
mht
mbx
jsp
htm
eml
dht
dbx
cgi
cfg
asp
 

The worm avoids sending emails to email addresses that contain any of the following substrings:

avp.
syman
icrosof
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
icrosoft
.gov
gov.
.mil
@foo.
@iana
spam
unix
linux
kasp
antivi
messagelabs
support
berkeley
unix
math
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
icq.com
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
abuse
upport
www
root
info
samples
postmaster
rating
root
news
webmaster
noone
noreply
nobody
nothing
anyone
someone
rating
site
contact
support
somebody
privacy
service
help
submit
feste
gold-certs
 

The subject of infected emails is selected from the following variants:

Re[2]:fun pictures
Re:fun pictures
FW:fun pictures
Re[2]:COOL!
Re:COOL!
FW:COOL!
Re[2]:cool
Re:cool
FW:cool
Re[2]:
Re:
FW:
:))
FW: Cool
LOOK!
new photos
2 new photos
hi, it's me
it's me
(no subject)
that's me :-D
my photos
hello sweety :>
remember me?..
FW: jenna's photos :)
FW: new photos
FW: 2 new photos
FW: hi, it's me
FW: it's me
FW: (no subject)
FW: that's me :-D
FW: my photos
FW: hello sweety :>
FW: hi
FW: remember me?..
 

The body text of infected emails is selected from the following variants:

-----Original Message-----
From: Jeny K.
Sent: Monday, September 13, 2004 8:57 PM
To: Morpheus
check my new photos
:))
miss you, jeny k
-----Original Message-----
From: Jena K.
Sent: Monday, September 13, 2004 5:23 AM
To: friends
Check Out Archive.. So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
-----Original Message-----
From: jenny k.
Sent: Monday, September 13, 2004 10:23 AM
To: My Tiger (email)
new fotos(archived) you asked
jenny k
-----Original Message-----
From: jenna k. (email)
Sent: Monday, September 13, 2004 11:38 AM
To: Cat
my new fotos archived ))
kiss, jenna k
-----Original Message-----
From: Jeny
Sent: Monday, September 13, 2004 8:57 PM
To: Neo
see the photos in attached archive
:))
kiss you, jeny
-----Original Message-----
From: Jena
Sent: Monday, September 13, 2004 5:23 AM
To: friend
Photos in archive.. So.. Am I Hot? :)
Waining For Your Answer
Jena
-----Original Message-----
From: Jenna Knukles
Sent: Monday, September 13, 2004 9:05 AM
To: Friends Group
in self-extracting archive my photos
Jenna :)
-----Original Message-----
From: jenna (email)
Sent: Monday, September 13, 2004 11:38 AM
To: ma kittie
my photos archived ))
kiss, jenna
 fun flash game!
 fun flash!
 game!
 fun game!
Print money at home!
look at atach
-----Original Message-----
From: Jeny K.
Sent: Monday, September 13, 2004 8:57 PM
To: Morpheus
check out the new photos
:))
miss you, jeny k
-----Original Message-----
From: Jena K.
Sent: Monday, September 13, 2004 5:23 AM
To: friends
So.. What Do You Think... Am I Hot? :)
Waining For Your Answer
Jena Key
-----Original Message-----
From: Jenna Knukles
Sent: Monday, September 13, 2004 9:05 AM
in archive my new fotos
Jenna K :)
-----Original Message-----
From: jenny k.
Sent: Monday, September 13, 2004 10:23 AM
To: My Tiger (email)
new fotos you asked
jenny k
-----Original Message-----
From: jenna k. (email)
Sent: Monday, September 13, 2004 11:38 AM
To: Cat
my new fotos zipped ))
kiss, jenna k
-----Original Message-----
From: Jeny
Sent: Monday, September 13, 2004 8:57 PM
To: Neo
see the photos
:))
kiss you, jeny
-----Original Message-----
From: Jena
Sent: Monday, September 13, 2004 5:23 AM
To: friend
So.. Am I Hot? :)
Waining For Your Answer
Jena
-----Original Message-----
From: Jenna Knukles
Sent: Monday, September 13, 2004 9:05 AM
To: Friends Group
in archive my photos
Jenna :)
-----Original Message-----
From: jenny
Sent: Monday, September 13, 2004 10:23 AM
To: Mr.X (email)
photos you asked
jenny
-----Original Message-----
From: jenna (email)
Sent: Monday, September 13, 2004 11:38 AM
To: ma kittie
my photos zipped ))
kiss, jenna
 

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

myfoto.exe
photos.selfextracting.exe
photoarchive.exe
photofile.exe
arc.exe
my_foto.exe
fotos.exe
foto.exe
photos.exe.safe
photo_se.exe
new_photos.exe
newphotos.exe
myphotos_arc.exe
my_photos.exe
photos_arc.exe
myfoto.cpl
photoarchive.cpl
photofile.cpl
arc.cpl
my_foto.cpl
fotos.cpl
foto.cpl
photo_se.cpl
new_photos.cpl
newphotos.cpl
my_photos.cpl
photos_arc.cpl
arhive.zip
new_pic.zip
pic.zip
new_photos.zip
images.zip
fotos.zip
my_photos.zip
myphotos.zip
photos.zip
my_photo.jpg .pif
flowers.jpg
.pif
document.jpg .pif
pic.jpg.pif
photo.jpg

.pif
black.gif

.pif
DCP_0002.JPG .pif
me_01.jpg

.pif
2004042301.jpg

 .pif
with_flowers.jpg
 .pif
sunny.jpg

.pif
photo08.jpg
.pif
nude_.jpg

.pif
marie_dancing.jpg
.pif
julia038.jpg .pif
1.exe
mymusic.pif
rulezzz.scr
matrix.scr
newvirus.exe
mylove.pif
antibush.scr
icqcrack.exe
myfack.pif
hello.pif
pinguin5.exe
you the best.scr
fantasy.scr
coolgame.zip [mutiple spaces] .exe
mynewphoto.zip [mutiple spaces] .exe
mult.exe
 

Also the worm can attach a fake virus scan report to its message:

+++ Attachment: No Virus found  +++    

where "<av_string>" can be any of the following:

+++ Attachment: No Virus found
+++

It uses the following list of domain names to compose the fake address:

+++ Attachment: No Virus found
+++

Disabling security software

The worm will attempt to terminate any process found in the list below:

+++ Attachment: No Virus found
+++

ICQ Spreading

It will send messages through ICQ with messages chosen from the following list:

+++ Attachment: No Virus found
+++

P2P Spreading

If the worm can locate the Kazaa shared folder, it will copy itself with names picked from:

+++ Attachment: No Virus found
+++

Network spreading

This variant of the Mydoom worm uses the LSASS vulnerability to infect other hosts.

Downloading a backdoor

The worm downloads a backdoor from one of websites and activates it.

+++ Attachment: No Virus found
+++