Email-Worm:W32/MyDoom.G
Summary
A new variant of MyDoom worm - Mydoom.G was found on March 3rd, 2004. Mydoom. A description is available at: Novarg.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Mydoom.G is functionally similar to the original variant but it contains this hidden message: to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. They may be called skynets, but not your shitty application.
Apparently, the author of Mydoom wanted to send a message to the authors of the Netsky worm:
The executable is packed with unmodified UPX, and a minority of the strings are scrambled as in the first variants of the worm, using the old fashioned ROT13.
Email Spreading
The emails sent by Mydoom.G will contain one of the following subjects:
- For your eyes only
- micro$oft must die. support us!
- Micro$oft
- some stuff
- Your profile
- just some stuff
- See you soon
- Auto-reply
- Address verification
- Your account is about to be expired
- Your account is expired
- Expired account
- Bank information
- Registration rejected
- Rejected
- excuse me
- photo
- my photos
- Alert
- Warning
- Attention
- hey!
- read!!!
- i can tell you the future
- your chance
- please read
- corrupted
- missed
- unknown
- Microsoft
- join
- we're unable to process your request
- i need you
- Interesting
- we're experiencing technical problems
- Empty
- Automatic notification
- Reply
- beauty
- kleopatra
- kate
- dear friend!
- Response
- Request
- notification
- anna
- price list
- hey
- fw:
- re:
- question
- report
- how are you?
- :-)
- hello! :)
- hi! :)
- confirmed
- Email verification
- verification
- see you
- You have been successfully registered
- Please, confirm the registration
- Registration
- Your details
- Your account details
- service
- melissa
- maria
- pamela
- jessica
- your website
- your text
- your music
- your letter
- your archive
- thank you
- thanks
- thanks!
- your document
- my details
- here is the document
- here
- hello
- spreadsheet
- excel
- Your request
- do you still love me
- do you love me
- greetings
- hello my friend
- hi!
- account details
- your account
- from me
- Daily Report
- summary
- price-list
- pricelist
It might additionally contain any of the following:
- Re:
- Fw:
- Returned mail:
to the subject.
Message bodies are chosen from:
- Here it is
- Please, read and let me know what do you feel
- Full message is in the attached document
- Open the document
- Test
- Here is the document
- Please, reply
- Re:
- See you
- Okay
- Look at the attached file
- Look at the document
- Read this
- See the attached document
- See the attached message
- See attachment
- See attachemnt
- Read the document
- Details are in the attached document
- Hi! Check the attachment for details
- Your file is attached
- Your document is attached
- See the attached file for details
- Please read the attached file
- Please have a look at the attached file
- Here is the file
The attachment filename will be composed from combining the any of the following filenames:
- attachment
- Letter
- attach
- att
- file
- payment
- check
- bill
- stuff
- doc
- description
- information
- info
- msg
- paypal
- TextFile
- music
- MoreInfo
- misc
- AttachedFile
- note
- posting
- post
- object
- news
- readme
- text
- for_you
- pic
- letter
- document
- application
- all_document
- part2
- AttachedDocument
- message_part2
- details
- message_details
- message
- Document
- msg2
- more
- test
- TextDocument
- price
- reply
- response
- account
- problem
- found
- important
- archive
- nothing
and the following extensions:
- scr
- pif
- cmd
- exe
- bat
- com
Infection Payload
The worm will go through all the machines' drives and folder on them and performing the following actions on the found files.
Mydoom will harvest email addresses from files with the extensions:
- htm
- php
- txt
- sht
- pl
- asp
- mbx
- nch
- mmf
- eml
- msg
- dbx
- rtf
- uin
- tbb
- adb
- mht
- wab
If a file with extension PIF is found, it will overwrite 8 out of 10 times.
If the 'target' file has an extension among:
- wav
- mp3
- mp4
- wma
- avi
- jpg
- doc
- xls
With a probability of 95% it will copy itself to a filename with the same name as the 'target' file, plus an the extension 'EXE' 8 out of 10 times and 'SCR' otherwise.
DDoS Payload
Mydoom.G will attempt to launch a DDoS attack against Symantec. When performing the attack, it will try to connect to either symantec.com or www.symantec.com. It will launch from 8 up to 77 of threads, requesting Symantec's main page.