Proaktive IT-Sicherheit

W32/MyDoom.L@mm

W32/MyDoom.L@mm

Threat risk

Threat risk medium
Detection files published:
26-July-2004
Description created:
2004-07-26
Description updated:
2004-07-26
Malware type:
Worm
Alias:
Spreading mechanism
Email
Payload:

Summary

W32/MyDoom.L@mm is a mass mailing worm compressed using UPX. Filesizes may vary as the worm appends random data to itself, but samples seem to be at least 28kbytes.

Spreading description

Email characteristics:

Subject: Variable
Body:

Variable


Attachment: Variable
MyDoom.L starts by copying itself to the following locations:
  • %WINDIR%\services.exe
  • %TEMP%\services.exe
  • %WINDIR%\java.exe
It may also create the following files during execution:
  • %TEMP%\zincite.log
  • %TEMP%\tmp0009.TMP
  • %TEMP%\tmp9000.TMP
  • %TEMP%\tmp0009.TMP
  • %TEMP%\tmp9000.TMP
The worm then creates two registry values to ensure it is started with Windows:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM = C:\WINDOWS\java.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services = C:\WINDOWS\services.exe
MyDoom.L may also create the following registry keys, which are used as infection markers:
  • HKLM\Software\Microsoft\Daemon
  • HKCU\Software\Microsoft\Daemon
The worm then harvests email addresses from files with these extensions:
  • .doc
  • .txt
  • .htm
  • .html
The worm will avoid email addresses containing any of these strings:
  • mailer-d
  • spam
  • abuse
  • master
  • sample
  • accoun
  • privacycertific
  • bugs
  • listserv
  • submit
  • ntivi
  • support
  • admin
  • page
  • the.bat
  • gold-certs
  • feste
  • not
  • help
  • foo
  • soft
  • site
  • rating
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • info
  • winrar
  • winzip
  • rarsoft
  • sf.net
  • sourceforge
  • ripe.
  • arin.
  • google
  • gnu.
  • gmail
  • seclist
  • secur
  • bar.
  • foo.com
  • trend
  • update
  • uslis
  • domain
  • example
  • sophos
  • yahoo
  • spersk
  • panda
  • hotmail
  • msn.
  • msdn.
  • microsoft
  • sarc.
  • syma
  • avp
Once MyDoom has harvested addresses it will start its mass mailing routine. Mails may have the following characteristics:

From

  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"

Subject

  • hello
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body

The body is created using portions of the following template:
  • {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
  • {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
  • {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
  • {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
  • {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
  • {$T {user |technical |}support team.|The $T {support |}team.}   {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
  • Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura-tion parameters.
  • Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
  • Your message {was not|could not be} delivered within $D days:
  • {{{Mail s|S}erver}|Host} $i is not responding.
  • The following recipients {did|could} not receive this message:<$t>
  • Please reply to postmaster@{$F|$T}
  • if you feel this message to be in error.  The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}

Attachment

Attachments are constructed using the following filenames:
  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
  • postmaster
And may have the following extension:
  • .cmd
  • .bat
  • .com
  • .exe
  • .pif
  • .scr

Threat description

W32/MyDoom.L@mm will drop a backdoor component in the %WINDOWS% folder called services.exe. This opens port 1034 on the infected machine.

Removal

W32/MyDoom.L@mm is detected and removed with definition files later than 26-July-2004. The worm was also detected proactively as W32/EMailWorm by Norman Sandbox.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Verwendung Titel Kommentar
  Schluss mit Viren auf Netzwerk-Shares  
  Cleaning of back-up folders on Windows Me and XP  
Seite drucken