Home > Threat descriptions >

MyDoom.AM

Classification

Category: Malware

Type: Email-Worm

Aliases: MyDoom.AM, W32/Mydoom.AM@mm, Email-Worm.Win32.Mydoom.ag

Summary


A new variant of MyDoom worm - Mydoom.AM, was found on January 25th, 2005. It spreads in emails with different subject and body texts, and attempts to spread in several P2P networks.

Removal


Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The worm is a PE executable file 32768 bytes long packed with UPX file compressor. The unpacked file's size is over 76 KiB.

Installation to system

When run, the worm drops a file "Mes#wtelw" in temporary folder and writes some random data in the file. Then it opens this file in notepad as a decoy.

After the notepad is closed, the worm creates a mutex named "-=RTSW.Smash 0a2a0=-" and copies itself as

  • %Sysdir%\lsasrv.exe

where %Sysdir% is the Windows system directory. On default install of Windows XP, that is c:\Windows\system32. It also drops the following files:

  • %Sysdir%\version.ini
  • hserv.sys

version.ini contains supposedly the worm version number (0.20) and hserv.sys is encrypted data file containing web sites the worm contacts for instructions.

The worm installs the following registry keys:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lsass" = %Sysdir%\lsasrv.exe
  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe %Sysdir%\lsasrv.exe"

This will ensure that the worm will be started on next Windows startup.

Spreading in emails

The worm spreads by sending its infected attachment to all email addresses found on an infected computer. The worm looks for email addresses in Windows Address Book and in the files with the following extensions:

  • txt
  • htm
  • sht
  • php
  • cgi
  • hta
  • htc
  • xht
  • stm
  • ssi
  • inc
  • jsp
  • xml
  • dlt
  • xsd
  • xst
  • rss
  • rdf
  • lbi
  • dwt
  • asa
  • asc
  • asm
  • csp
  • vbp
  • conf
  • tpl
  • jst
  • wml
  • vbs
  • edm
  • asp
  • dbx
  • tbb
  • adb
  • wab

The worm avoids sending emails to email addresses that contain any of the following substrings:

  • avp
  • syma
  • icrosof
  • msn.
  • hotmail
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla

The subject of infected emails is selected from the following variants:

  • Good day
  • Do not reply to this email
  • hello
  • Mail Delivery System
  • Attention!!!
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error

The body of the emails can one of the following:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a
binary attachment.
Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash"
spreading very fast via email and P2P networks. It's about
two million people infected and it will be more. To avoid
your infection by this virus and to stop it we provide you
with full information how to protect yourself against it and
also including free remover. Your can find it in the attachment.
(c) 2004 Networks Associates Technology, Inc. All Rights Reserved

New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using
a credit cards for making purchase in the Internet in the attachment.
Please, read it carefully. If you are not agree with new terms and
conditions do not use your credit card in the World Wide Web.
Thank you, The World Bank Group
(c) 2004 The World Bank Group, All Rights Reserved

Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the
attachment file. It's a real good choise to go to
WORLDXXXPASS.COM

Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was
a fraud attempt logged by The Internet Fraud Complaint Center from
your IP. This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged
and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation
and the National White Collar Crime Center

The worm sends itself as an attachement, using one of the following names:

  • document
  • readme
  • doc
  • rules
  • file
  • data
  • docs
  • message
  • body

with one of the following extensions appended:

  • .bat
  • .cmd
  • .exe
  • .scr
  • .pif
Spreading in P2P networks

The worm will copy itself in folders used by Kazaa, Morpheus, iMesh, eDonkey and Limewire. It uses of the following filenames:

  • winamp5
  • icq2004-final
  • activation_crack
  • K-LiteCodecPack2.34a
  • dcom_patches
  • adultpaawds
  • winxp_patch
  • Ad-awarere
  • avpprokey
  • NeroBROM6.3.1.27
  • porno

with one of the following extensions appended:

  • .bat
  • .exe
  • .pif
  • .bat
Payload

The worm tries to contact several web sites and download instructions. These can instruct the worm to download and execute additional files.

The worm modifies the hosts file on infected computer so that domains belonging to Anti-Virus companies and other commercial sites are resolved to the IP address 127.0.0.1, disabling the domain. The following domains are affected:

  • www.symantec.com
  • securityresponse.symantec.com
  • www.sophos.com
  • sophos.com
  • www.mcafee.com
  • mcafee.com
  • liveupdate.symantecliveupdate.com
  • www.viruslist.com
  • viruslist.com
  • www.f-secure.com
  • f-secure.com
  • kaspersky.com
  • kaspersky-labs.com
  • www.avp.com
  • avp.com
  • www.kaspersky.com
  • www.networkassociates.com
  • networkassociates.com
  • www.ca.com
  • ca.com
  • mast.mcafee.com
  • www.my-etrust.com
  • my-etrust.com
  • download.mcafee.com
  • dispatch.mcafee.com
  • secure.nai.com
  • nai.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • www.trendmicro.com
  • trendmicro.com
  • www.grisoft.com
  • grisoft.com

It also tries to terminate several Firewall and Anti-Virus related processes.