W32/MyDoom.AQ@mm
Threat risk
Summary
Another worm in the MyDoom series; file size usually 25771 bytes. This appears to be more or less a repackaging of an earlier variant, although small differences exist.
Spreading description
Email characteristics:
Subject: Variable
Body: Variable
Attachment: Variable
When the worm is first executed, it copies itself to the Windows folder using the name JAVA.EXE. In addition it extracts and installs a trojan with the filename SERVICES.EXE in the same folder. Keys are created in the registry to make sure these files are started at boot.
It then gathers email addresses and sends mails, with itself as the attachment, to these addresses.
File system changes:
Creates file \JAVA.EXE
Creates file \SERVICES.EXE
Registry changes:
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM =
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services =
Creates key HKCU\Software\Microsoft\Windows\Daemon
Creates key HKLM\Software\Microsoft\Windows\Daemon
Email addresses are gathered from *.doc, *.txt, *.htm and *.html files present locally, as well as from web searches performed through Lycos, Altavista, Yahoo and Google. Emails are quite variable, based on combinations of strings found in the worm body.
The attachment is either an executable file with a cmd, bat, com, exe, pif or scr extension, or a zip archive with the executable inside.
The worm attempts to download and install a backdoor trojan from http://www.aoprojecteden.org/xxxxremovedxxxx/modulelogo.png
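As a defender-side triage aid added here (not part of Norman's write-up), the following Python scans a registry export for the persistence changes listed above. The sample export is constructed, and the value data is assumed (the page does not give it) to point at the copies the worm drops in the Windows folder.

```python
import re

# Constructed sample of a "reg export" of the Run key and the two Daemon keys,
# mimicking the registry changes described above. The value data is assumed;
# the page only names the values JavaVM and Services.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Vendor\\tray.exe"
"JavaVM"="C:\\WINDOWS\\JAVA.EXE"
"Services"="C:\\WINDOWS\\SERVICES.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Daemon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Daemon]
"""

# Run value names the worm registers, and the file names they should point to.
RUN_INDICATORS = {"javavm": "java.exe", "services": "services.exe"}
DAEMON_KEYS = {
    r"hkey_current_user\software\microsoft\windows\daemon",
    r"hkey_local_machine\software\microsoft\windows\daemon",
}

def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double the backslashes in string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_mydoom_aq_indicators(text):
    """Return a sorted list of matched indicators (empty list if none)."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                expected = RUN_INDICATORS.get(name.lower())
                # Key on the location as well: SERVICES.EXE is also a legitimate
                # Windows binary in System32, while the worm's copy sits in the
                # Windows folder itself.
                path = data.lower()
                if expected and path.endswith("\\" + expected) and "\\system32\\" not in path:
                    hits.append(f"Run value {name} -> {data}")
        if key in DAEMON_KEYS:
            hits.append(f"key {key}")
    return sorted(hits)
```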
Threat description
The worm installs a trojan horse, and also downloads another trojan horse and installs it. These trojans are already detected by Norman antivirus products as W32/Zincite.A and W32/Nemog.D.
Removal
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Type | Title | Comment | Usage |
|---|---|---|---|
| | Norman Malware Cleaner | | |
| | Stopping network share infectors | | |
| | Cleaning of back-up folders on Windows Me and XP | | |
