W32/MyDoom.M@mm
Destructivity: None
Spreading: Medium
Overall risk: Medium
Detected by virus detection files published: 16 Aug 2004
Virus characteristics first published: 16 Aug 2004
Virus characteristics latest update: 03 Dec 2004
Type: Worm
Alias: Win32.Mydoom.S [Computer Associates], W32/Mydoom.R@mm [F-secure], W32/Mydoom.s@MM [McAfee], W32/Mydoom.R.worm [Panda], W32/MyDoom-S [Sophos], W32.Mydoom.Q@mm [Symantec], WORM_RATOS.A [Trend Micro]
Spreading mechanism: Email
Overall risk: Medium

The following is a portion of the instant analysis done by the Norman Sandbox Technology:

 [ General information ]
    * Creating several executable files on hard-drive.
    * File length:        27136 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\rasor38a.dll.
    * Creates file C:\WINDOWS\SYSTEM\winpsd.exe.
    * Deletes file C:\WINDOWS\SYSTEM\winpsd.exe.
    * Creates file C:\WINDOWS\winvpn32.exe.

 [ Changes to registry ]
    * Reads SMTP Email Address in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
    * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
    * Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
    * Creates value "winpsd"="C:\WINDOWS\SYSTEM\winpsd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "InstaledFlashhMX"="" in key "HKCU\Software\Microsoft\Internet Explorer".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "CONFIGURED_DNS" on port 53 (UDP).
    * Downloads file from [webserver]/ispy.1.jpg as C:\WINDOWS\winvpn32.exe.
    * Connects to POP3 server on port 25 (TCP).
    * **Connects SMTP server.

 [ Network ]
    * **Uses IPHLPAPI services.

 [ Spreading through EMail ]
    * To     : [Harvested addresses]
    * From   : [SMTP address found in registry].
    * Subject: photos.
    * Mass-mailer; spreads through SMTP.

 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attempts to open C:\WINDOWS\winvpn32.exe.

Write-up by Trygve Brox  
