MyDoom.BB appeared on February 17th, 2005. Like the previous variants, it is a massmailer that sends infected messages with various subject lines and body messages.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm's body is a Windows PE executable file compressed with the MEW executable compressor. It's most likely binary patched and repacked version of the older Mydoom variant, Mydoom.M.
When run, the worm copies itself to Windows directory as "java.exe". It also drops and executes file "services.exe" which is a backdoor component listening on port 1034.
The worm installs the following registry key for ensuring it will be executed when system is started:
The backdoor installs the following keys:
or
The worm also creates the following registry key if it doesn't exist:
Then the worm creates a mutex named
to avoid running more than once simultaneously. The mutex name is converted upper case before installing. %hostname% presents name of the computer as returned by gethostname.
The worm also tries to hide its process by issuing Win32 call RegisterServiceProcess.
The worm spreads by sending its infected attachment to all email addresses found on an infected computer. The worm looks for email addresses in Windows Address Book, and in the files with the following extensions:
It also tries to find addresses by querying the following web-based search engines:
The worm avoids sending emails to email addresses that contain any of the following substrings:
It should be noted that the worm uses a much improved algorithm for email address recognition. Now it can catch such email addresses as:
These addresses are translated by the worm to the usable format.
The worm spreads itself in email messages. The email message is composed from randomly chosed subject line, body text and additional parts.
Subject line can be one of the following:
Body text can be one of the following:
{{The|Your} m|M}essage could not be delivered
The original message was included as attachment
The original message was received at $w{ | }from {$F [$i]|{$i|[$i]
}}
----- The following addresses had permanent fatal errors -----
{
|$t}
{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server ||||}{$T.|$i}:
{
MAIL F{rom|ROM}:$f
50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blac
klisted}}|554
... {Mail quota exceeded|Message is too large}
554
... Service unavailable|550 5.1.2
... Host unknown (Name server: hos
t not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirus
oft.com|bl.spamcop.net}{, reason: Blocked|}
Session aborted{, reason: lost connection|}|
RCPT To:
550 {MAILBOX NOT FOUND|5.1.1
$t ... {User unknown|Invalid recipient|Not kno
wn here}}|
DATA
{
400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{
400-aturner; -RMS-E-CRE, ACP file create failed
|}{400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}400}|}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|
server} was {not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} o
f $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|
:|,
}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {ha
s been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|ju
nk} e{-|}mail|spam}{ messages|} during {this|the {last|recent
}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was}
{compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{e
d|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in t
he {attachment|attached {text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}
Words enclosed in the brackets provide some variation to the message body text. For example, one of the final messages might look like this:
The message was not delivered due to the following reason: Your message could not be delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message could not be delivered within 30 days: Host mail.testnet is not responding. The following recipients did not receive this message: johndoe@testnet Please reply to postmaster@testnet if you feel this message to be in error.
The attachment filename is composed of one the following filenames:
with one of the following extensions appended:
When the worm's file is run, it tries to download and execute additional file before executing the main component. This file is a backdoor detected as 'Backdoor.Win32.Surila.o'. This functionality is patched in the worm's binary.
The worm also drops a backdoor component that listens on port 1034/TCP. Connecting to the port the attacker can upload and execute arbitrary files and get the list of infected computers.
Mydoom.BB also tries to open Window objects and kill Outlook and Internet Explorer if they are running. It attempts to do this by sending Windows messages WM_QUIT, WM_CLOSE and WM_DESTROY to main Window objects of the applications.