W32/MyDoom.AQ@mm

Threat risk:
medium

Detection files published:
17 Feb. 2005
Description created:
2005-02-17
Description updated:
2005-02-17

Malware type:
Worm
Alias:
W32.Mydoom.AX@mm (Symantec); WORM_MYDOOM.BB (Trend); W32/Mydoom.bb@MM (Mcafee); Email-Worm.Win32.Mydoom.m (Kaspersky)
Spreading mechanism:
Email

Payload:
Installs backdoor trojan.

Summary

Another worm in the MyDoom series; the file size is usually 25771 bytes. It appears to be more or less a repackaging of an earlier variant, although small differences exist.

Spreading description

Email characteristics:

Subject: Variable
Body: Variable
Attachment: Variable

When the worm is first executed, it copies itself to the Windows folder under the name JAVA.EXE. In addition it extracts and installs a trojan with the filename SERVICES.EXE in the same folder. Keys are created in the registry so that both files are started at boot.

It then gathers email addresses and sends mails to them with itself as the attachment.

File system changes:

Creates file \JAVA.EXE
Creates file \SERVICES.EXE

Registry changes:

Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM = \JAVA.EXE
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services = \SERVICES.EXE
Creates key HKCU\Software\Microsoft\Windows\Daemon
Creates key HKLM\Software\Microsoft\Windows\Daemon

Email addresses are gathered from *.doc, *.txt, *.htm and *.html files present locally, as well as from web searches performed through Lycos, Altavista, Yahoo and Google. The emails are quite variable, being built from combinations of strings found in the worm body.

The attachment is either an executable file with a cmd, bat, com, exe, pif or scr extension, or a zip archive with the executable inside.

The worm attempts to download and install a backdoor trojan from http://www.aoprojecteden.org/xxxxremovedxxxx/modulelogo.png
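The file and registry artefacts listed above can be checked on a host with the following PowerShell script. It is an added example, not Norman's code; it assumes the "\" in the paths above stands for the Windows folder (%windir%), as the text states.

```powershell
# Added triage script: reports the persistence artefacts this description lists.
# Assumption: the worm's files are dropped directly in the Windows folder.
$win = $env:windir
$findings = @()

# File artefacts. The description gives a typical worm size of 25771 bytes.
# Note: the legitimate services.exe lives in $win\System32, not in $win itself,
# so a SERVICES.EXE directly in the Windows folder is itself suspicious.
foreach ($name in 'JAVA.EXE', 'SERVICES.EXE') {
    $path = Join-Path $win $name
    if (Test-Path -LiteralPath $path) {
        $len = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($len bytes)"
    }
}

# Run-key values the worm creates (JavaVM and Services) under HKLM.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($valueName in 'JavaVM', 'Services') {
    $data = $run.$valueName
    if ($data) {
        $findings += "Run value present: $valueName = $data"
    }
}

# Marker keys the worm creates under HKCU and HKLM.
$daemonKeys = 'HKCU:\Software\Microsoft\Windows\Daemon',
              'HKLM:\Software\Microsoft\Windows\Daemon'
foreach ($key in $daemonKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Key present: $key"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/MyDoom.AQ@mm artefacts found.'
} else {
    Write-Output 'Possible W32/MyDoom.AQ@mm artefacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the Windows folder are readable; any hit should be followed by a full scan with an up-to-date product rather than manual deletion alone.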

Threat description

The worm installs one trojan horse and downloads and installs another. Both trojans are already detected by Norman antivirus products, as W32/Zincite.A and W32/Nemog.D.

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that they detect.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Usage notes:

Stopping network share infectors
Cleaning of back-up folders on Windows Me and XP