Threat Description

MyDoom.AB

Details

Aliases: MyDoom.AB, I-Worm.Mydoom.y, W32/Mydoom.AB@mm
Category: Malware
Type: Email-Worm
Platform: W32

Summary


A new variant of the MyDoom worm, Mydoom.AB, was found on September 16th, 2004. This variant is similar to the previous ones: it spreads in e-mails with varying subject and body texts, and it downloads and activates a backdoor.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


The worm is a PE executable file, 69632 bytes long, packed with the UPX file compressor. The unpacked file is over 180 KiB in size.

Installation to system

When run, the worm creates a mutex named 'ertglddfgd' and copies itself to the Windows System Directory under a filename picked from:

smss.exe
csrss.exe
winlogon.exe
services.exe

It then sets a startup value for that file in the System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32System]
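The persistence indicators above (the Run value named Win32System and the four system-binary names the worm reuses) can be checked offline against a registry export. The following checker is an added example written for this page, not F-Secure's own tooling; the .reg text it scans is constructed, and the system directory path C:\WINDOWS\system32 is an assumption passed as a parameter. The caveat it encodes: smss.exe, csrss.exe, winlogon.exe and services.exe are legitimate Windows binaries, so the filename alone proves nothing; what is suspicious is a HKCU Run value that launches one of them, because Windows never starts those processes through that key.

```python
import re

# Indicators quoted from the description above.
RUN_VALUE_NAME = "Win32System"
WORM_FILENAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a .reg export (not taken from a real machine).
# The first Run value is a harmless decoy; the second mimics the worm.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Win32System"="C:\\WINDOWS\\system32\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\Temp\\setup.exe"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    Only the "name"="data" form is handled; that is the form Run values use.
    Backslashes are doubled in .reg syntax, so they are collapsed here.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mydoom_ab_persistence(reg_text, system_dir=r"C:\WINDOWS\system32"):
    """Return (value_name, path, reason) for Run values matching the worm's pattern.

    system_dir is an assumed location of the Windows System Directory; adjust
    it for the host being examined.
    """
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    prefix = system_dir.lower().rstrip("\\") + "\\"
    for name, path in run_values.items():
        basename = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name == RUN_VALUE_NAME:
            reasons.append("Run value named 'Win32System'")
        # The four names are genuine Windows binaries, but none of them is ever
        # launched via HKCU\...\Run, so a Run value pointing at one is suspicious.
        if basename in WORM_FILENAMES and path.lower().startswith(prefix):
            reasons.append(f"system-directory {basename} started via HKCU Run")
        if reasons:
            findings.append((name, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_mydoom_ab_persistence(SAMPLE_REG_EXPORT):
        print(f"{name} -> {path}: {reason}")
```

Run it against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on the suspect host, then read the file) rather than the embedded sample; the value name is the stronger of the two signals, the filename check catches a renamed value.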

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on the infected computer. It collects addresses from the Windows Address Book and from files with the following extensions:

wab  xls  uin  txt  tbb  stm  sht  php  msg  mht  mbx  jsp  htm  eml  dht  dbx  cgi  cfg  asp   

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

avp.  syman  icrosof  panda  sopho  borlan  inpris  example  mydomai  nodomai  ruslis  icrosoft  .gov  gov.  .mil  @foo.  @iana  spam  unix  linux  kasp  antivi  messagelabs  support  berkeley  unix  math  mit.e  gnu  fsf.  ibm.com  google  kernel  linux  fido  usenet  iana  ietf  rfc-ed  sendmail  arin.  ripe.  isi.e  isc.o  secur  acketst  pgp  tanford.e  utgers.ed  mozilla  icq.com  admin  icrosoft  support  ntivi  unix  bsd  linux  listserv  certific  google  accoun  abuse  upport  www  root  info  samples  postmaster  rating  root  news  webmaster  noone  noreply  nobody  nothing  anyone  someone  rating  site  contact  support  somebody  privacy  service  help  submit  feste  gold-certs   

The subject of infected e-mails is selected from the following variants:

Re[2]:fun pictures  Re:fun pictures  FW:fun pictures  Re[2]:COOL!  Re:COOL!  FW:COOL!  Re[2]:cool  Re:cool  FW:cool  Re[2]:  Re:  FW:  :))  FW: Cool  LOOK!  new photos  2 new photos  hi, it's me  it's me  (no subject)  that's me :-D  my photos  hello sweety :>  remember me?..  FW: jenna's photos :)  FW: new photos  FW: 2 new photos  FW: hi, it's me  FW: it's me  FW: (no subject)  FW: that's me :-D  FW: my photos  FW: hello sweety :>  FW: hi  FW: remember me?..   

The body text of infected e-mails is selected from the following variants (one variant per line; header and text lines of a variant are separated by double spaces):

-----Original Message-----  From: Jeny K.  Sent: Monday, September 13, 2004 8:57 PM  To: Morpheus  check my new photos  :))  miss you, jeny k
-----Original Message-----  From: Jena K.  Sent: Monday, September 13, 2004 5:23 AM  To: friends  Check Out Archive.. So.. What Do You Think... Am I Hot? :)  Waining For Your Answer  Jena Key
-----Original Message-----  From: jenny k.  Sent: Monday, September 13, 2004 10:23 AM  To: My Tiger (e-mail)  new fotos(archived) you asked  jenny k
-----Original Message-----  From: jenna k. (e-mail)  Sent: Monday, September 13, 2004 11:38 AM  To: Cat  my new fotos archived ))  kiss, jenna k
-----Original Message-----  From: Jeny  Sent: Monday, September 13, 2004 8:57 PM  To: Neo  see the photos in attached archive  :))  kiss you, jeny
-----Original Message-----  From: Jena  Sent: Monday, September 13, 2004 5:23 AM  To: friend  Photos in archive.. So.. Am I Hot? :)  Waining For Your Answer  Jena
-----Original Message-----  From: Jenna Knukles  Sent: Monday, September 13, 2004 9:05 AM  To: Friends Group  in self-extracting archive my photos  Jenna :)
-----Original Message-----  From: jenna (e-mail)  Sent: Monday, September 13, 2004 11:38 AM  To: ma kittie  my photos archived ))  kiss, jenna
fun flash game!
fun flash!
game!
fun game!
Print money at home!
look at atach
-----Original Message-----  From: Jeny K.  Sent: Monday, September 13, 2004 8:57 PM  To: Morpheus  check out the new photos  :))  miss you, jeny k
-----Original Message-----  From: Jena K.  Sent: Monday, September 13, 2004 5:23 AM  To: friends  So.. What Do You Think... Am I Hot? :)  Waining For Your Answer  Jena Key
-----Original Message-----  From: Jenna Knukles  Sent: Monday, September 13, 2004 9:05 AM  in archive my new fotos  Jenna K :)
-----Original Message-----  From: jenny k.  Sent: Monday, September 13, 2004 10:23 AM  To: My Tiger (e-mail)  new fotos you asked  jenny k
-----Original Message-----  From: jenna k. (e-mail)  Sent: Monday, September 13, 2004 11:38 AM  To: Cat  my new fotos zipped ))  kiss, jenna k
-----Original Message-----  From: Jeny  Sent: Monday, September 13, 2004 8:57 PM  To: Neo  see the photos  :))  kiss you, jeny
-----Original Message-----  From: Jena  Sent: Monday, September 13, 2004 5:23 AM  To: friend  So.. Am I Hot? :)  Waining For Your Answer  Jena
-----Original Message-----  From: Jenna Knukles  Sent: Monday, September 13, 2004 9:05 AM  To: Friends Group  in archive my photos  Jenna :)
-----Original Message-----  From: jenny  Sent: Monday, September 13, 2004 10:23 AM  To: Mr.X (e-mail)  photos you asked  jenny
-----Original Message-----  From: jenna (e-mail)  Sent: Monday, September 13, 2004 11:38 AM  To: ma kittie  my photos zipped ))  kiss, jenna

The worm can send itself as an executable attachment or inside a ZIP archive, using one of the following attachment names. Several names place a run of spaces between a harmless-looking .jpg/.gif/.zip extension and the real .pif or .exe extension, so that the executable extension is pushed out of view in mail clients:

myfoto.exe
photos.selfextracting.exe
photoarchive.exe
photofile.exe
arc.exe
my_foto.exe
fotos.exe
foto.exe
photos.exe.safe
photo_se.exe
new_photos.exe
newphotos.exe
myphotos_arc.exe
my_photos.exe
photos_arc.exe
myfoto.cpl
photoarchive.cpl
photofile.cpl
arc.cpl
my_foto.cpl
fotos.cpl
foto.cpl
photo_se.cpl
new_photos.cpl
newphotos.cpl
my_photos.cpl
photos_arc.cpl
arhive.zip
new_pic.zip
pic.zip
new_photos.zip
images.zip
fotos.zip
my_photos.zip
myphotos.zip
photos.zip
my_photo.jpg .pif
flowers.jpg  .pif
document.jpg .pif
pic.jpg      .pif
photo.jpg    .pif
black.gif    .pif
DCP_0002.JPG .pif
me_01.jpg    .pif
2004042301.jpg           .pif
with_flowers.jpg         .pif
sunny.jpg    .pif
photo08.jpg  .pif
nude_.jpg    .pif
marie_dancing.jpg        .pif
julia038.jpg .pif
1.exe
mymusic.pif
rulezzz.scr
matrix.scr
newvirus.exe
mylove.pif
antibush.scr
icqcrack.exe
myfack.pif
hello.pif
pinguin5.exe
you the best.scr
fantasy.scr
coolgame.zip [multiple spaces] .exe
mynewphoto.zip [multiple spaces] .exe
mult.exe

The worm can also append a fake virus scan report to its message:

+++ Attachment: No Virus found
+++ <av_string>

where "<av_string>" is any of the following:

Norton AntiVirus - www.symantec.de
F-Secure AntiVirus - www.f-secure.com
Norman AntiVirus - www.norman.com
Panda AntiVirus - www.pandasoftware.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
Bitdefender AntiVirus - www.bitdefender.com
MessageLabs AntiVirus - www.messagelabs.com

The worm composes a fake sender address using one of the following domain names:

@ziplink.net  @yahoo.com  @wwc.com  @worldshare.net  @worldcom.com  @wanadoo.com  @verizon.net  @ultimanet.com  @toad.net  @tiscali.com  @t-online.de  @t-online.com  @surfree.com  @ricochet.com  @rcn.com  @pics.com  @peoplepc.com  @pathlink.com  @palm.net  @pacific.net.sg  @netzero.net  @netrox.net  @netcenter.com  @nccw.net  @msn.com  @madriver.com  @macconnect.com  @loa.com  @juno.com  @istep.com  @ispwest.com  @isp.com  @iquest.net  @infoave.net  @inext.fr  @ieway.com  @hiwaay.net  @highstream.net  @globetrotter.net  @globalbiz.net  @gbronline.com  @flex.com  @fcc.net  @fast.net  @excite.com  @ev1.net  @eisa.com  @eclipse.net  @earthlink.net  @dialupnet.com  @cybernex.net  @cox.net  @core.com  @compuserve.com  @chello.com  @ccpc.net  @ccp.com  @cayuse.net  @canada.com  @cais.com  @cableone.net  @att.net  @aristotle.net  @arczip.com  @apci.net  @aol.com  @ameralinx.net  @address.com  @accessus.net  @a1isp.net  @1access.net  @yahoo.co.uk  @gmx.net  @hotmail.com  @mail.com  @dailymail.co.uk   
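The e-mail indicators in this section (known lure subjects, the "Waining For Your Answer" body text, the fake scan banner, and attachment names that hide an executable extension behind space padding or a decoy suffix such as .exe.safe) can be turned into a mail-gateway check. The code below is an added example written for this page, not F-Secure's detection logic; the three messages it scans are constructed, and the subject list is a subset of the one quoted above. The attachment rules are written generically, so they also catch padded names and hidden extensions that are not in the worm's list.

```python
import re

# Subset of the lure subjects quoted above, after stripping Re:/FW: prefixes.
KNOWN_SUBJECTS = {
    "fun pictures", "cool!", "cool", "new photos", "2 new photos", "hi, it's me",
    "it's me", "that's me :-d", "my photos", "hello sweety :>", "remember me?..",
    "jenna's photos :)", "hi", ":))", "look!", "(no subject)",
}
# Bare "Re:" / "FW:" subjects are too common to count on their own.
REPLY_PREFIX = re.compile(r"^(re(\[\d+\])?|fw):\s*", re.IGNORECASE)
FAKE_AV_BANNER = "+++ attachment: no virus found"
LURE_BODY_TEXT = "waining for your answer"          # misspelling as used by the worm
EXECUTABLE_EXTS = {"exe", "cpl", "pif", "scr"}
# "photo.jpg    .pif": a decoy extension, a run of spaces, then the real one.
PADDED_EXT = re.compile(r"\.\w{1,4}\s+\.(\w{1,4})$")


def normalise_subject(subject):
    """Strip any number of Re:/Re[n]:/FW: prefixes and lowercase the rest."""
    s = subject.strip()
    while True:
        m = REPLY_PREFIX.match(s)
        if not m:
            return s.lower()
        s = s[m.end():]


def attachment_indicators(filename):
    """Return reasons an attachment name looks like a disguised executable."""
    reasons = []
    name = filename.lower()
    parts = name.split(".")
    ext = parts[-1].strip()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment (.{ext})")
    if PADDED_EXT.search(name):
        reasons.append("space-padded double extension")
    # "photos.exe.safe": executable extension buried before a decoy suffix.
    if any(p.strip() in EXECUTABLE_EXTS for p in parts[1:-1]):
        reasons.append("executable extension hidden mid-name")
    return reasons


def message_indicators(subject, body, attachment):
    """Combine subject, body and attachment-name checks into a list of reasons."""
    reasons = []
    if normalise_subject(subject) in KNOWN_SUBJECTS:
        reasons.append("known lure subject")
    lowered = body.lower()
    if FAKE_AV_BANNER in lowered:
        reasons.append("fake antivirus scan banner in body")
    if LURE_BODY_TEXT in lowered:
        reasons.append("known lure body text")
    return reasons + attachment_indicators(attachment)


# Constructed messages for this example, not real captures.
SAMPLE_MESSAGES = [
    {"subject": "FW: hello sweety :>",
     "body": "see the photos in attached archive :))\n"
             "+++ Attachment: No Virus found\n+++ Norton AntiVirus - www.symantec.de",
     "attachment": "photo.jpg    .pif"},
    {"subject": "Re: quarterly numbers",
     "body": "Attached as discussed.",
     "attachment": "q3.xlsx"},
    {"subject": "Re[2]:fun pictures",
     "body": "Check Out Archive.. Am I Hot? :)\nWaining For Your Answer",
     "attachment": "photos.exe.safe"},
]


def scan(messages):
    """Map each attachment name to the reasons its message was flagged."""
    return {m["attachment"]: message_indicators(m["subject"], m["body"], m["attachment"])
            for m in messages}


if __name__ == "__main__":
    for attachment, reasons in scan(SAMPLE_MESSAGES).items():
        print(f"{attachment!r}: {reasons or 'clean'}")
```

ZIP attachments such as arhive.zip pass the name checks by design; a gateway has to open the archive and apply attachment_indicators() to the member names to catch the packed copy. The subject and body matches are weak on their own and are best used to raise the score of a message that already carries a suspicious attachment.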

Disabling security software

The worm will attempt to terminate any process found in the list below:

F-AGOBOT.EXE  HIJACKTHIS.EXE  _AVPM.EXE  _AVPCC.EXE  _AVP32.EXE  ZONEALARM.EXE  ZONALM2601.EXE  ZATUTOR.EXE  ZAPSETUP3001.EXE  ZAPRO.EXE  XPF202EN.EXE  WYVERNWORKSFIREWALL.EXE  WUPDT.EXE  WUPDATER.EXE  WRCTRL.EXE  WRADMIN.EXE  WNT.EXE  WNAD.EXE  WKUFIND.EXE  WINUPDATE.EXE  WINTSK32.EXE  WINSTART001.EXE  WINSTART.EXE  WINSSK32.EXE  WINRECON.EXE  WINPPR32.EXE  WINMAIN.EXE  WINLOGIN.EXE  WININITX.EXE  WININIT.EXE  WININETD.EXE  WINDOWS.EXE  WINDOW.EXE  WINACTIVE.EXE  WIN32US.EXE  WIN32.EXE  WIN-BUGSFIX.EXE  WIMMUN32.EXE  WHOSWATCHINGME.EXE  WGFE95.EXE  WFINDV32.EXE  WEBTRAP.EXE  WEBSCANX.EXE  WEBDAV.EXE  WATCHDOG.EXE  W9X.EXE  W32DSM89.EXE  VSWINPERSE.EXE  VSWINNTSE.EXE  VSWIN9XE.EXE  VSSTAT.EXE  VSMON.EXE  VSMAIN.EXE  VSISETUP.EXE  VSHWIN32.EXE  VSECOMR.EXE  VSCHED.EXE  VSCENU6.02D30.EXE  VSCAN40.EXE  VPTRAY.EXE  VPFW30S.EXE  VPC42.EXE  VPC32.EXE  VNPC3000.EXE  VNLAN300.EXE  VIRUSMDPERSONALFIREWALL.EXE  VIR-HELP.EXE  VFSETUP.EXE  VETTRAY.EXE  VET95.EXE  VET32.EXE  VCSETUP.EXE  VBWINNTW.EXE  VBWIN9X.EXE  VBUST.EXE  VBCONS.EXE  VBCMSERV.EXE  UTPOST.EXE  UPGRAD.EXE  UPDAT.EXE  UNDOBOOT.EXE  TVTMD.EXE  TVMD.EXE  TSADBOT.EXE  TROJANTRAP3.EXE  TRJSETUP.EXE  TRJSCAN.EXE  TRICKLER.EXE  TRACERT.EXE  TITANINXP.EXE  TITANIN.EXE  TGBOB.EXE  TFAK5.EXE  TFAK.EXE  TEEKIDS.EXE  TDS2-NT.EXE  TDS2-98.EXE  TDS-3.EXE  TCM.EXE  TCA.EXE  TC.EXE  TBSCAN.EXE  TAUMON.EXE  TASKMON.EXE  TASKMO.EXE  SYSUPD.EXE  SYSTEM32.EXE  SYSTEM.EXE  SYSEDIT.EXE  SYMTRAY.EXE  SYMPROXYSVC.EXE  SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE  SWEEP95.EXE  SVCHOSTC.EXE  SVC.EXE  SUPPORTER5.EXE  SUPPORT.EXE  SUPFTRL.EXE  STCLOADER.EXE  START.EXE  ST2.EXE  SSG_4104.EXE  SSGRATE.EXE  SS3EDIT.EXE  SRNG.EXE  SREXE.EXE  SPYXX.EXE  SPOOLSV32.EXE  SPOOLCV.EXE  SPHINX.EXE  SPF.EXE  SPERM.EXE  SOFI.EXE  SOAP.EXE  SMSS32.EXE  SMS.EXE  SMC.EXE  SHOWBEHIND.EXE  SHN.EXE  SHELLSPYINSTALL.EXE  SH.EXE  SGSSFW32.EXE  SFC.EXE  SETUP_FLOWPROTECTOR_US.EXE  SETUPVAMEEVAL.EXE  SERVLCES.EXE  SERVLCE.EXE  SERV95.EXE  SD.EXE  SCRSVR.EXE  SCRSCAN.EXE 
 SCANPM.EXE  SCAN95.EXE  SCAN32.EXE  SCAM32.EXE  SC.EXE  SBSERV.EXE  SAVENOW.EXE  SAVE.EXE  SAHAGENT.EXE  SAFEWEB.EXE  RUXDLL32.EXE  RUNDLL16.EXE  RUNDLL.EXE  RULAUNCH.EXE  RTVSCN95.EXE  RTVSCAN.EXE  RSHELL.EXE  RRGUARD.EXE  RESCUE32.EXE  RESCUE.EXE  REGED.EXE  REALMON.EXE  RCSYNC.EXE  RB32.EXE  RAY.EXE  RAV8WIN32ENG.EXE  RAV7WIN.EXE  RAV7.EXE  RAPAPP.EXE  QSERVER.EXE  QCONSOLE.EXE  PVIEW95.EXE  PUSSY.EXE  PURGE.EXE  PSPF.EXE  PROTECTX.EXE  PROPORT.EXE  PROGRAMAUDITOR.EXE  PROCEXPLORERV1.0.EXE  PROCESSMONITOR.EXE  PROCDUMP.EXE  PRMVR.EXE  PRMT.EXE  PRIZESURFER.EXE  PPVSTOP.EXE  PPTBC.EXE  PPINUPDT.EXE  POWERSCAN.EXE  PORTMONITOR.EXE  PORTDETECTIVE.EXE  POPSCAN.EXE  POPROXY.EXE  POP3TRAP.EXE  PLATIN.EXE  PINGSCAN.EXE  PGMONITR.EXE  PFWADMIN.EXE  PF2.EXE  PERSWF.EXE  PERSFW.EXE  PERISCOPE.EXE  PENIS.EXE  PDSETUP.EXE  PCSCAN.EXE  PCIP10117_0.EXE  PCFWALLICON.EXE  PCDSETUP.EXE  PCCWIN98.EXE  PCCWIN97.EXE  PCCNTMON.EXE  PCCIOMON.EXE  PCC2K_76_1436.EXE  PCC2002S902.EXE  PAVW.EXE  PAVSCHED.EXE  PAVPROXY.EXE  PAVCL.EXE  PATCH.EXE  PANIXK.EXE  PADMIN.EXE  OUTPOSTPROINSTALL.EXE  OUTPOSTINSTALL.EXE  OTFIX.EXE  OSTRONET.EXE  OPTIMIZE.EXE  ONSRVR.EXE  OLLYDBG.EXE  NWTOOL16.EXE  NWSERVICE.EXE  NWINST4.EXE  NVC95.EXE  NVARCH16.EXE  NUI.EXE  NTXconfig.EXE  NTRTSCAN.EXE  NT.EXE  NSUPDATE.EXE  NSTASK32.EXE  NSSYS32.EXE  NSCHED32.EXE  NPSSVC.EXE  NPSCHECK.EXE  NPROTECT.EXE  NPFMESSENGER.EXE  NPF40_TW_98_NT_ME_2K.EXE  NOTSTART.EXE  NORTON_INTERNET_SECU_3.0_407.EXE  NORMIST.EXE  NOD32.EXE  NMAIN.EXE  NISUM.EXE  NISSERV.EXE  NETUTILS.EXE  NETSPYHUNTER-1.2.EXE  NETSCANPRO.EXE  NETMON.EXE  NETINFO.EXE  NETD32.EXE  NETARMOR.EXE  NEOWATCHLOG.EXE  NEOMONITOR.EXE  NDD32.EXE  NCINST4.EXE  NC2000.EXE  NAVWNT.EXE  NAVW32.EXE  NAVSTUB.EXE  NAVNT.EXE  NAVLU32.EXE  NAVENGNAVEX15.NAVLU32.EXE  NAVDX.EXE  NAVAPW32.EXE  NAVAPSVC.EXE  NAVAP.NAVAPSVC.EXE  AUTO-PROTECT.NAV80TRY.EXE  NAV.EXE  N32SCANW.EXE  MWATCH.EXE  MU0311AD.EXE  MSVXD.EXE  MSSYS.EXE  MSSMMC32.EXE  MSMSGRI32.EXE  MSMGT.EXE  MSLAUGH.EXE  
MSINFO32.EXE  MSIEXEC16.EXE  MSDOS.EXE  MSDM.EXE  MSCONFIG.EXE  MSCMAN.EXE  MSCCN32.EXE  MSCACHE.EXE  MSBLAST.EXE  MSBB.EXE  MSAPP.EXE  MRFLUX.EXE  MPFTRAY.EXE  MPFSERVICE.EXE  MPFAGENT.EXE  MOSTAT.EXE  MOOLIVE.EXE  MONITOR.EXE  MMOD.EXE  MINILOG.EXE  MGUI.EXE  MGHTML.EXE  MGAVRTE.EXE  MGAVRTCL.EXE  MFWENG3.02D30.EXE  MFW2EN.EXE  MFIN32.EXE  MD.EXE  MCVSSHLD.EXE  MCVSRTE.EXE  MCTOOL.EXE  MCSHIELD.EXE  MCMNHDLR.EXE  MCAGENT.EXE  MAPISVC32.EXE  LUSPT.EXE  LUINIT.EXE  LUCOMSERVER.EXE  LUAU.EXE  LSETUP.EXE  LORDPE.EXE  LOOKOUT.EXE  LOCKDOWN2000.EXE  LOCKDOWN.EXE  LOCALNET.EXE  LOADER.EXE  LNETINFO.EXE  LDSCAN.EXE  LDPROMENU.EXE  LDPRO.EXE  LDNETMON.EXE  LAUNCHER.EXE  KILLPROCESSSETUP161.EXE  KERNEL32.EXE  KERIO-WRP-421-EN-WIN.EXE  KERIO-WRL-421-EN-WIN.EXE  KERIO-PF-213-EN-WIN.EXE  KEENVALUE.EXE  KAVPF.EXE  KAVPERS40ENG.EXE  KAVLITE40ENG.EXE  JEDI.EXE  JDBGMRG.EXE  JAMMER.EXE  ISTSVC.EXE  ISRV95.EXE  ISASS.EXE  IRIS.EXE  IPARMOR.EXE  IOMON98.EXE  INTREN.EXE  INTDEL.EXE  INIT.EXE  INFWIN.EXE  INFUS.EXE  INETLNFO.EXE  IFW2000.EXE  IFACE.EXE  IEDRIVER.EXE  IEDLL.EXE  IDLE.EXE  ICSUPPNT.EXE  ICMON.EXE  ICLOADNT.EXE  ICLOAD95.EXE  IBMAVSP.EXE  IBMASN.EXE  IAMSTATS.EXE  IAMSERV.EXE  IAMAPP.EXE  HXIUL.EXE  HXDL.EXE  HWPE.EXE  HTPATCH.EXE  HTLOG.EXE  HOTPATCH.EXE  HOTACTIO.EXE  HBSRV.EXE  HBINST.EXE  HACKTRACERSETUP.EXE  GUARDDOG.EXE  GUARD.EXE  GMT.EXE  GENERICS.EXE  GBPOLL.EXE  GBMENU.EXE  GATOR.EXE  FSMB32.EXE  FSMA32.EXE  FSM32.EXE  FSGK32.EXE  FSAV95.EXE  FSAV530WTBYB.EXE  FSAV530STBYB.EXE  FSAV32.EXE  FSAV.EXE  FSAA.EXE  FRW.EXE  FPROT.EXE  FP-WIN_TRIAL.EXE  FP-WIN.EXE  FNRB32.EXE  FLOWPROTECTOR.EXE  FIREWALL.EXE  FINDVIRU.EXE  FIH32.EXE  FCH32.EXE  FAST.EXE  FAMEH32.EXE  F-STOPW.EXE  F-PROT95.EXE  F-PROT.EXE  F-AGNT95.EXE  EXPLORE.EXE  EXPERT.EXE  EXE.AVXW.EXE  EXANTIVIRUS-CNET.EXE  EVPN.EXE  ETRUSTCIPE.EXE  ETHEREAL.EXE  ESPWATCH.EXE  ESCANV95.EXE  ESCANHNT.EXE  ESCANH95.EXE  ESAFE.EXE  ENT.EXE  EMSW.EXE  EFPEADM.EXE  ECENGINE.EXE  DVP95_0.EXE  DVP95.EXE  DSSAGENT.EXE  
DRWEB32.EXE  DRWATSON.EXE  DPPS2.EXE  DPFSETUP.EXE  DPF.EXE  DOORS.EXE  DLLREG.EXE  DLLCACHE.EXE  DEPUTY.EXE  DEFWATCH.EXE  DEFSCANGUI.EXE  DEFALERT.EXE  DCOMX.EXE  DATEMANAGER.EXE  Claw95.EXE  CWNTDWMO.EXE  CWNB181.EXE  CV.EXE  CTRL.EXE  CPFNT206.EXE  CPF9X206.EXE  CPD.EXE  CONNECTIONMONITOR.EXE  CMON016.EXE  CMGRDIAN.EXE  CMESYS.EXE  CMD32.EXE  CLICK.EXE  CLEANPC.EXE  CLEANER3.EXE  CLEANER.EXE  CLEAN.EXE  CLAW95CF.EXE  CFINET32.EXE  CFINET.EXE  CFIADMIN.EXE  CFGWIZ.EXE  CFD.EXE  CDP.EXE  CCPXYSVC.EXE  CCEVTMGR.EXE  CCAPP.EXE  BVT.EXE  BUNDLE.EXE  BS120.EXE  BRASIL.EXE  BPC.EXE  BORG2.EXE  BOOTWARN.EXE  BOOTCONF.EXE  BLSS.EXE  BLACKICE.EXE  BLACKD.EXE  BISP.EXE  BIPCPEVALSETUP.EXE  BIPCP.EXE  BIDSERVER.EXE  BIDEF.EXE  BELT.EXE  BD_PROFESSIONAL.EXE  BARGAINS.EXE  BACKWEB.EXE  AVXMONITORNT.EXE  AVXMONITOR9X.EXE  AVWUPSRV.EXE  AVWUPD.EXE  AVWINNT.EXE  AVWIN95.EXE  AVSYNMGR.EXE  AVSCHED32.EXE  AVPTC32.EXE  AVPM.EXE  AVPDOS32.EXE  AVPCC.EXE  AVP32.EXE  AVP.EXE  AVNT.EXE  AVLTMAIN.EXE  AVKWCTl9.EXE  AVKSERVICE.EXE  AVKSERV.EXE  AVKPOP.EXE  AVGW.EXE  AVGUARD.EXE  AVGSERV9.EXE  AVGSERV.EXE  AVGNT.EXE  AVGCTRL.EXE  AVGCC32.EXE  AVE32.EXE  AVCONSOL.EXE  AU.EXE  ATWATCH.EXE  ATRO55EN.EXE  ATGUARD.EXE  ATCON.EXE  ARR.EXE  APVXDWIN.EXE  APLICA32.EXE  APIMONITOR.EXE  ANTS.EXE  ANTIVIRUS.EXE  ANTI-TROJAN.EXE  AMON9X.EXE  ALOGSERV.EXE  ALEVIR.EXE  ALERTSVC.EXE  AGENTW.EXE  AGENTSVR.EXE  ADVXDWIN.EXE  ADAWARE.EXE  ACKWIN32.EXE  BEAGLE.EXE  d3dupdate.exe  sysxp.exe  winxp.exe  ssgrate.exe  jammer2nd.exe  fvprotect.exe  hxdef.exe  VisualGuard.exe  GfxAcc.exe  RAVMOND.exe  Systra.exe  MCUPDATE.EXE  CFIAUDIT.EXE  AVXQUAR.EXE  AUTOUPDATE.EXE  AUTOTRACE.EXE  AUTODOWN.EXE  AUPDATE.EXE  NUPGRADE.EXE  UPDATE.EXE  ICSUPP95.EXE  ICSSUPPNT.EXE  DRWEBUPW.EXE  LUALL.EXE  AVPUPD.EXE  AVWUPD32.EXE  ATUPDATER.EXE  wuamga.exe  taskmanagr.exe  wuamgrd.exe  wowpos32.exe  dailin.exe  rasmngr.exe  msssss.exe  backdoor.rbot.gen_(17).exe  backdoor.rbot.gen.exe  b055262c.dll  RB.EXE  IAOIN.EXE  
OUTPOST.EXE   

ICQ Spreading

The worm sends ICQ messages with text chosen from the following list:

funn http://[domain removed]/icon/game.exe :-):-):-)
http://[domain removed]/icon/game.exe :-):-)
http://[domain removed]/icon/game.exe funny :-);-)
http://[domain removed]/icon/game.exe ;-);-);-);-)
best game http://[domain removed]/icon/game.exe ;-);-);-)
http://[domain removed]/icon/game.exe LOL!! ;-);-);-)
http://[domain removed]/claroline142/photo.exe i cried :-)
http://[domain removed]/claroline142/photo.exe lol :-):-)
my photos (archived) http://[domain removed]/claroline142/photo.exe
i now play in game http://[domain removed]/ajr/game.exe :-):-)
funy game http://[domain removed]/ajr/game.exe ;-);-);-)
fun game http://[domain removed]/ajr/game.exe :-):-):-)

P2P Spreading

If the worm can locate the Kazaa shared folder, it copies itself there under names picked from:

dap53 crack.exe
iMeshV4 crack.exe
icqpro2003b crack.exe
wrar330 crack.exe
WinZip 9.0 crack.exe
dap71.exe
trillian-v2.74h.exe
wrar330.exe
LimeWireWin.exe
Morpheus.exe
zlsSetup_45_538_001.exe
icqpro2003b.exe
iMeshV4.exe
WinZip 9.0.exe
icqlite.exe
kmd.exe
trillian 2.0 crack.exe
dap53.exe
dvdplayer.exe
opera7.x crack.exe
crazzygirls.scr
childporno.pif
opera7.7.exe
winamp6.exe
eroticgirls2.0.exe
tropicallagoonss.scr
nicegirlsshowv12.scr
icq2004-final.exe
winamp5.exe

Network spreading

This variant of the Mydoom worm uses the LSASS vulnerability to infect other hosts.

Downloading a backdoor

The worm downloads a backdoor from one of the following websites and activates it:

www.masteratwork.com
www.professionals-active.com
www.il-legno.it
www.mercyships.de
www.llc.unibo.it
www.scionicmusic.com
64.40.98.94
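Both the ICQ lure URLs above (whose hosts are redacted on this page but whose paths are not) and the backdoor download hosts are network indicators that a proxy log can be searched for. The following scanner is an added example written for this page, not F-Secure's tooling; the log format (epoch time, client IP, method, URL, status) and the log lines themselves are constructed, and lure.invalid stands in for the removed ICQ lure domain. Indicators quoted from a 2004 description age quickly, so a hit on the host list is a prompt for investigation, not proof of infection.

```python
from urllib.parse import urlparse

# Hosts quoted from the "Downloading a backdoor" section above.
BACKDOOR_HOSTS = {
    "www.masteratwork.com", "www.professionals-active.com", "www.il-legno.it",
    "www.mercyships.de", "www.llc.unibo.it", "www.scionicmusic.com", "64.40.98.94",
}
# URL paths quoted from the ICQ messages above; the domains were removed on the page.
ICQ_LURE_PATHS = {"/icon/game.exe", "/claroline142/photo.exe", "/ajr/game.exe"}

# Constructed proxy log (assumed format: epoch time, client, method, URL, status).
# lure.invalid is a placeholder for the redacted lure domain.
SAMPLE_PROXY_LOG = """\
1095315600.123 10.0.0.5 GET http://www.example.org/index.html 200
1095315601.456 10.0.0.7 GET http://64.40.98.94/ 200
1095315602.789 10.0.0.9 GET http://lure.invalid/claroline142/photo.exe 200
1095315603.111 10.0.0.5 GET http://www.example.org/icon/game.png 200
"""


def parse_line(line):
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, client, method, url, status = line.split()
    return {"ts": float(ts), "client": client, "method": method,
            "url": url, "status": int(status)}


def classify_url(url):
    """Return the indicator names a requested URL matches (empty list if none)."""
    u = urlparse(url)
    reasons = []
    # hostname is lowercased and stripped of any port by urlparse, and works for
    # IP literals such as 64.40.98.94 as well as names.
    if u.hostname in BACKDOOR_HOSTS:
        reasons.append("backdoor download host")
    if u.path in ICQ_LURE_PATHS:
        reasons.append("ICQ lure download path")
    return reasons


def scan_proxy_log(text):
    """Return (client, url, reasons) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify_url(rec["url"])
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}: {', '.join(reasons)}")
```

Matching on the full path rather than on "game.exe" alone keeps the false-positive rate down; the benign /icon/game.png request in the sample is not flagged. A client that hits the lure path and shortly afterwards one of the backdoor hosts is the sequence described in this section, and is the pair worth correlating.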


Detection


This worm variant is detected as 'I-Worm.Mydoom.y' starting with the following FSAV update:

Detection Type: PC
Database: 2004-09-15_01



Technical Details:Alexey Podrezov & Ero Carrera; September 16th, 2004

