Threat Description

MyDoom.AC

Details

Category: Malware
Type: Email-Worm
Platform: W32
Aliases: MyDoom.AC, .Mydoom.w, W32/Mydoom.AC@mm

Summary


A new variant of the MyDoom worm, MyDoom.AC, was found in mid-September 2004. This variant can spread in e-mails disguised as a FlashEcard virtual postcard.

Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details


The worm is a PE executable file, 23040 bytes long, packed with the PECompact and PECBundle file compressors and modified with PE_Patch. The unpacked file is over 61 kilobytes in size.

Installation to system

When run, the worm starts Internet Explorer and opens the 'www.microsucks.com' website as a decoy.

Then the worm creates a mutex named 'holla_back_bitches', copies itself as SYSHOSTS.EXE to the Windows System directory and creates a startup value for that file in the System Registry:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "MS Updates" = "%WinSysDir%\syshosts.exe"

where "%WinSysDir%" represents the Windows System directory.

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found on an infected computer. It looks for e-mail addresses in the Windows Address Book and in files with the following extensions:

  • txt
  • htm
  • html
  • sht
  • php
  • eml
  • msg
  • asp
  • dbx
  • tbb
  • adb
  • pl
  • wab

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • icrosof
  • syma
  • msn
  • hotmail
  • anda
  • opho
  • borlan
  • npris
  • xample
  • mydom
  • @domai
  • ruslis
  • .gov
  • .gov
  • .mil
  • @foo
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm
  • oogle
  • kernel
  • linux
  • fido
  • senet
  • @ian
  • ripe
  • isi.e
  • arin.
  • rfc-ed
  • isc.o
  • ecur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • ample
  • info
  • root@
  • ostmaster@
  • ebmaster@
  • you
  • ugs@
  • ating@
  • ontact@
  • soft
  • rivacy
  • ervice
  • help
  • ubmit@
  • feste
  • cert
  • page
  • upport
  • ntivi
  • istser
  • ertific
  • ccoun
  • spm
  • Spam
  • SPAM
  • spam
  • abuse
  • cafee
  • @messagelab
  • @avp
  • kasp
  • winzip
  • winrar
  • pdate
  • irus
  • ahoo
  • buse@
  • sale

The subject of infected e-mails is selected from the following variants:

  • album
  • You've got a Virtual Postcard!

The body text of infected e-mails is selected from the following variants:

my pics...*sexy*. Heheh! ;)  

or

You have just received a new postcard from Flashecard.com!

From:

To pick up your postcard follow this web address
http://www.flashecard.com.viewcard.main.ecard.php?2342
or click the attached link.

We hope you enjoy your postcard, and if you do, please
take a moment to send a few yourself!

(Your message will be available for 30 days.)

Please visit our site for more information.
http://www.flashecard.com

The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:

  • photos_album
  • www.flashecard.com?postcard=viewcard?download

The extension of an infected file can be any of the following:

  • .scr
  • .html.scr

The worm fakes the sender's address. It uses the following list of names to compose the fake address:

  • Jennifer
  • Barbara
  • Linda
  • Susan
  • Eric
  • Kevin
  • Mary
  • Robert
  • John
  • Maria
  • Alex
  • Pamela
  • Anna
  • Andrew
  • Fred
  • Jack
  • James
  • Julie
  • Debby
  • Claudia
  • Matt
  • Brent

It uses the following list of domain names to compose the fake address:

  • @aol.com
  • @hotmail.com
  • @yahoo.com
  • @msn.com
  • @excite.com
  • @mail.com
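The indicators above (the two subjects, the attachment base names and extensions, and the pools of spoofed sender names and domains) can be turned into a simple mail-gateway rule. The Python below is an added example, not F-Secure's code or a detection from their product. The indicator lists are copied from this page; the three sample messages are constructed here, the recipient addresses are placeholders, and the attachment bytes are a stand-in, not the worm.

```python
"""Mail-gateway detection rule for MyDoom.AC messages.

Added example, not F-Secure code. The indicator lists are taken from the
description on this page; the sample messages at the bottom are constructed.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

SUBJECTS = {"album", "You've got a Virtual Postcard!"}
ATTACHMENT_BASENAMES = {
    "photos_album",
    "www.flashecard.com?postcard=viewcard?download",
}
# Extensions listed on the page, plus .zip because the worm may also ship
# inside a ZIP archive under the same base names. Longest first so that
# 'x.html.scr' is split as ('x', '.html.scr') and not ('x.html', '.scr').
ATTACHMENT_EXTENSIONS = (".html.scr", ".scr", ".zip")
SENDER_NAMES = {name.lower() for name in (
    "Jennifer", "Barbara", "Linda", "Susan", "Eric", "Kevin", "Mary",
    "Robert", "John", "Maria", "Alex", "Pamela", "Anna", "Andrew", "Fred",
    "Jack", "James", "Julie", "Debby", "Claudia", "Matt", "Brent")}
SENDER_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com", "msn.com",
                  "excite.com", "mail.com"}


def split_attachment_name(filename):
    """Split an attachment file name into (base name, worm extension).
    The extension is '' when the name does not end in one the worm uses."""
    lowered = filename.lower()
    for ext in ATTACHMENT_EXTENSIONS:
        if lowered.endswith(ext):
            return filename[:-len(ext)], ext
    return filename, ""


def score_message(raw):
    """Parse a raw RFC 5322 message and report which worm indicators match.

    Verdict is 'malicious' when an attachment carries one of the worm's file
    names, 'suspicious' when only the subject or the spoofed-sender pattern
    matches (a first name at one of the six free-mail domains is not proof
    on its own), and 'clean' otherwise.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "") in SUBJECTS:
        hits.append("subject")
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    local, _, domain = addr.rpartition("@")
    if local.lower() in SENDER_NAMES and domain.lower() in SENDER_DOMAINS:
        hits.append("spoofed-sender")
    for part in msg.iter_attachments():
        base, ext = split_attachment_name(part.get_filename() or "")
        if ext and base in ATTACHMENT_BASENAMES:
            hits.append("attachment:" + base + ext)
    if any(hit.startswith("attachment:") for hit in hits):
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def build_samples():
    """Constructed sample messages (not real captures) for exercising the rule."""
    worm = EmailMessage()
    worm["From"] = "Kevin@hotmail.com"          # name + domain from the worm's pools
    worm["To"] = "user@example.org"             # placeholder recipient
    worm["Subject"] = "album"
    worm.set_content("my pics...*sexy*. Heheh! ;)")
    worm.add_attachment(b"MZ" + b"\x00" * 62,   # stand-in bytes, not the worm
                        maintype="application", subtype="octet-stream",
                        filename="photos_album.html.scr")

    lookalike = EmailMessage()                  # same subject, no payload
    lookalike["From"] = "cards@example.org"
    lookalike["To"] = "user@example.org"
    lookalike["Subject"] = "You've got a Virtual Postcard!"
    lookalike.set_content("Open the card on our site when you have a moment.")

    clean = EmailMessage()
    clean["From"] = "alice@example.org"
    clean["To"] = "user@example.org"
    clean["Subject"] = "Minutes from Tuesday"
    clean.set_content("Sending the notes in plain text as discussed.")

    return {"worm": worm.as_bytes(), "lookalike": lookalike.as_bytes(),
            "clean": clean.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, score_message(raw))
```

The attachment name carries the most weight because it is the one indicator the worm cannot vary: the subject "album" and a first-name sender at a free-mail domain both occur in legitimate mail, so on their own they only raise the message for review.
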

Killing processes

The worm kills processes if it finds any of the following substrings in their names:

  • regedit
  • task
  • msconfig
  • AV
  • MC
  • Av
  • Mc
  • av
  • mc
  • IEFrame
  • nti
  • iru
  • ire
  • cc
  • ecu
  • can
  • scn
  • KV
  • fr
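The registry value described under "Installation to system" and the kill list above can both be checked from a host triage script. The Python below is an added example, not F-Secure code. The Run-key snapshot and the process list it inspects are constructed samples; read_hkcu_run() collects the live key with the standard winreg module and only does so on Windows. Flagging the dropped file name under any value name goes one step beyond the page, which names only the "MS Updates" value. Applying the worm's case-sensitive substrings to the sample process list also shows how coarse the list is: firefox.exe is hit by 'ire' and ccApp.exe by 'cc', while explorer.exe and svchost.exe are untouched.

```python
"""Host triage checks for MyDoom.AC (added example, not F-Secure code).

Two checks drawn from this page: the Run value the worm writes, and the
case-sensitive substring list it uses to pick processes to kill. The
Run-key snapshot and process list below are constructed samples; on Windows,
read_hkcu_run() collects the live key with the standard winreg module.
"""
import ntpath
import sys

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MS Updates"     # value name the worm creates under HKCU
DROPPED_FILE = "syshosts.exe"      # copy of the worm in %WinSysDir%

# Substrings in the order and case given on the page. Matching is
# case-sensitive: 'AV', 'Av' and 'av' are listed separately for that reason.
KILL_SUBSTRINGS = ("regedit", "task", "msconfig", "AV", "MC", "Av", "Mc", "av",
                   "mc", "IEFrame", "nti", "iru", "ire", "cc", "ecu", "can",
                   "scn", "KV", "fr")


def image_path(data):
    """Pull the executable path out of a Run value's data, allowing for a
    quoted path with trailing arguments ("C:\\x y\\a.exe" /arg)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_persistence(run_values):
    """run_values maps value name -> data for HKCU\\...\\CurrentVersion\\Run.

    Flags the exact value name from the page and, going one step beyond the
    page, any value whose image is syshosts.exe under another name."""
    findings = []
    for name, data in run_values.items():
        exe = ntpath.basename(image_path(data)).lower()
        if name == RUN_VALUE_NAME or exe == DROPPED_FILE:
            findings.append((name, data))
    return findings


def processes_at_risk(process_names):
    """Map each process name the worm would terminate to the substrings
    that match it; names without a match are left out."""
    at_risk = {}
    for proc in process_names:
        matched = [s for s in KILL_SUBSTRINGS if s in proc]
        if matched:
            at_risk[proc] = matched
    return at_risk


def read_hkcu_run():
    """Collect the live HKCU Run key on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:       # no more values under the key
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed snapshot: the worm's entry, a renamed copy, two benign values.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "MS Updates": r"C:\WINDOWS\system32\syshosts.exe",
    "Tray": r'"C:\Program Files\Vendor\tray.exe" /background',
    "Windows Update Service": r"C:\WINDOWS\system32\SYSHOSTS.EXE",
}
# Constructed process list: system processes, security tools and bystanders.
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "taskmgr.exe", "regedit.exe",
                    "msconfig.exe", "ccApp.exe", "navapw32.exe", "mcshield.exe",
                    "firefox.exe", "winword.exe", "notepad.exe"]

if __name__ == "__main__":
    snapshot = read_hkcu_run() or SAMPLE_RUN_VALUES
    for name, data in find_persistence(snapshot):
        print("persistence:", name, "=", data)
    for proc, subs in processes_at_risk(SAMPLE_PROCESSES).items():
        print("would be killed:", proc, "via", subs)
```

Because the worm kills by substring, a process that keeps dying on an infected host is itself a usable symptom; the kill list is also why the automatic cleanup described under "Removal" has to happen before the worm's own process is running again.
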

Payload

After December 1st, 2004, 01:01:01, the worm shuts Windows down on an infected computer as soon as its file is started. As a result, the user can no longer log in.





