Virus: Worm/Mydoom.BV
Date discovered: 13/12/2012
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 79.360 Bytes
MD5 checksum: 89f96f14b3aa2e374c7821691b64eb16
VDF version: 7.11.53.216
Heuristic: Heuristic/Trojan.Downloader

General:
Method of propagation:
   • Email
   • Local network


Aliases:
   • Mcafee: W32/Mydoom
   • Kaspersky: Net-Worm.Win32.Mytob.ck
   • TrendMicro: WORM_MYTOB.JT
   • Sophos: W32/MyDoom-Gen


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Uses its own Email engine
   • Registry modification

Files:
It copies itself to the following locations:
   • %WINDIR%\services.exe
   • %WINDIR%\nb32ext3.exe
   • %WINDIR%\msdefr.exe



It deletes the following file:
   • %PROGRAM FILES%\MSN Messenger\MsnMsgr.Exe

Registry:
The following registry keys are added in order to run the processes after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "RPCserv32g"="%WINDIR%\services.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "helloworld"="nb32ext3.exe"



The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Internet Explorer]
   • "fdfg" = dword:00000001

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   • "Start" = dword:00000004

[HKCU\SOFTWARE\Microsoft\Internet Explorer]
   • "IEPsdgxc" = dword:00000001

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
   • "DisableRegistryTools" = dword:00000000

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
   • "DisableRegistryTools" = dword:00000000



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Userinit"="%SYSDIR%\userinit.exe,"
   New value:
   • "Userinit"="%SYSDIR%\userinit.exe,%WINDIR%\services.exe,"
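As an added example (not code from Avira or from this description), the following check runs over an exported registry snapshot and reports the autostart entries, the Userinit change, the infection markers and the disabled SharedAccess service (the Windows Firewall/Internet Connection Sharing service) listed above; the snapshot format and the sample values are constructed for the example.

```python
# Added example: look for the Worm/Mydoom.BV registry changes described above
# in an exported registry snapshot.  The snapshot format (a dict mapping key
# paths to {value name: data}) and the sample data are constructed for this
# example; real input would come from a .reg export or a registry parser.
from __future__ import annotations

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHAREDACCESS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # a Start value of 4 switches a Windows service off

WORM_FILES = {"services.exe", "nb32ext3.exe", "msdefr.exe"}  # its dropped copies
WORM_RUN_NAMES = {"rpcserv32g", "helloworld"}                # its autostart names
MARKER_VALUES = {                                            # its infection markers
    (r"HKLM\SOFTWARE\Microsoft\Internet Explorer", "fdfg"),
    (r"HKCU\SOFTWARE\Microsoft\Internet Explorer", "IEPsdgxc"),
}


def _basename(path: str) -> str:
    """Lower-case file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _dword(data) -> int | None:
    """Accept an int or the 'dword:0000000X' form used by .reg exports."""
    if isinstance(data, int):
        return data
    if isinstance(data, str) and data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None


def check_run_keys(snapshot: dict) -> list[str]:
    """Autostart entries that launch one of the worm's files or use its names.
    The genuine services.exe is never started from a Run key, so a Run entry
    launching a file of that name is suspicious by itself."""
    hits = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if name.lower() in WORM_RUN_NAMES or _basename(str(data)) in WORM_FILES:
                hits.append(f"{key}\\{name} = {data}")
    return hits


def check_userinit(snapshot: dict) -> list[str]:
    """Every Userinit component other than the stock userinit.exe.  A clean
    value is '<sysdir>\\userinit.exe,' (the trailing comma is normal); the worm
    appends its own copy so that it is launched at every logon."""
    data = snapshot.get(WINLOGON_KEY, {}).get("Userinit", "")
    parts = [p.strip() for p in str(data).split(",")]
    return [p for p in parts if p and _basename(p) != "userinit.exe"]


def firewall_service_disabled(snapshot: dict) -> bool:
    """SharedAccess is the Windows Firewall / ICS service; Start=4 disables it."""
    return _dword(snapshot.get(SHAREDACCESS_KEY, {}).get("Start")) == SERVICE_DISABLED


def check_markers(snapshot: dict) -> list[str]:
    return [f"{k}\\{n}" for k, n in MARKER_VALUES if n in snapshot.get(k, {})]


def scan(snapshot: dict) -> dict:
    """All findings by category; an empty dict means nothing here matched."""
    findings = {}
    if hits := check_run_keys(snapshot):
        findings["autostart"] = hits
    if extras := check_userinit(snapshot):
        findings["userinit"] = extras
    if firewall_service_disabled(snapshot):
        findings["firewall_service"] = ["SharedAccess Start=4 (disabled)"]
    if markers := check_markers(snapshot):
        findings["markers"] = markers
    return findings


# Constructed snapshots: INFECTED mirrors the values listed above, with
# %WINDIR%/%SYSDIR% left unexpanded as the description writes them.
INFECTED = {
    RUN_KEYS[0]: {"RPCserv32g": r"%WINDIR%\services.exe"},
    RUN_KEYS[1]: {"helloworld": "nb32ext3.exe"},
    WINLOGON_KEY: {"Userinit": r"%SYSDIR%\userinit.exe,%WINDIR%\services.exe,"},
    SHAREDACCESS_KEY: {"Start": "dword:00000004"},
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer": {"fdfg": "dword:00000001"},
    r"HKCU\SOFTWARE\Microsoft\Internet Explorer": {"IEPsdgxc": "dword:00000001"},
}
CLEAN = {
    WINLOGON_KEY: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    SHAREDACCESS_KEY: {"Start": "dword:00000002"},
}
```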

Email:
It contains an integrated SMTP engine in order to send emails and connects directly to the destination mail server. The characteristics are described in the following:


From:
The sender address is spoofed, using addresses gathered from the internet. Do not assume that the apparent sender intended to send this email to you: he might not know about his infection, or might not be infected at all. You may also receive bounced emails telling you that you are infected; this need not be the case either.


To:
   • Email addresses found in specific files on the system
   • Addresses gathered by contacting search engines


Subject:
One of the following:
   • Accounts department; Ahtung!; Camila; Daily activity report; delivery;
      Delivery reports about your e-mail; Ello!; error; failed; Flayers
      among us; Freedom for everyone; From Hair-cutter; From me; Greet the
      day; Hardware devices price-list; hello; Hello my friend; hi; Hi!;
      Jenny; Jessica; Looking for the report; Mail System Error - Returned
      Mail; Maria; Melissa; Message could not be delivered; Monthly
      incomings summary; New Price-list; Price; Price list; Pricelist;
      Price-list; Proclivity to servitude; Registration confirmation;
      report; Returned mail: Data format error; Returned mail: see
      transcript for details; status; The account; The employee; The
      summary; USA government abolishes the capital punishment; Weekly
      activity report; Well...; You are dismissed; You really love me? he
      he; Your Message could not be delivered

In some cases the subject might also be empty.


Body:
In some cases it may be empty.


The body of the email is one of the following lines:
   • Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
   • To unblock your email account acces, please see the attachment.
   • Follow the instructions in the attachment.
   • We have suspended some of your email services, to resolve the problem you should read the attached document.
   • To safeguard your email account from possible termination, please see the attached file.
   • please look at attached document.
   • Account Information Are Attached!
   • The original message has been included as an attachment.
   • We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
   • We attached some important information regarding your account.
   • Please read the attached document and follow it's instructions.
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
   • The message contains Unicode characters and has been sent as a binary attachment.
   • test
   • Cya
   • Empty
   • Everything inside the attach
   • Look it through
   • Subj
   • Request
   • Response
   • Attached some pics that i found
   • Check this out :-)
   • Hello,
   • I was going through my album, and look what I found..
   • Long time! Check this out!
   • Osama Bin Laden Captured.
   • Remember this?
   • Saddam Hussein - Attempted Escape, Shot dead
   • Secret!
   • Testing


Attachment:
The filename of the attachment is one of the following:
   • accepted-password.zip; account_info.zip; account-details.zip;
      account-details.zip; account-password.zip; account-report.zip;
      approved-password.zip; attachment.zip; billing_info.zip; bush.zip;
      document.zip; document_full.zip; email-details.zip; email-doc.zip;
      email-info.zip; email-password.zip; funny.zip; important-details.zip;
      information.zip; info-text.zip; instruction.zip; instructions.zip;
      job.zip; joke.zip; letter.zip; mail.zip; message.zip; message.zip;
      new-password.zip; password.zip; payment.zip; pics.zip; price2005.zip;
      readme.zip; secret.zip; test.zip; text.zip; transcript.zip;
      updated-password.zip; work.zip; your-details.zip
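As an added example (not code from Avira or from this description), the triage function below checks a raw message against the sender, subject, body and attachment characteristics listed above; the subset lists and both sample messages are constructed for the example.

```python
# Added example (not Avira's code): triage a raw RFC 822 message against the
# sender, subject, body and attachment characteristics listed above.  The
# messages at the bottom are constructed for this example; a real filter
# would read .eml files from a mail gateway or quarantine.
from __future__ import annotations

import email
from email import policy

# Subsets of the lists above, lower-cased; extend them with the full lists.
SPOOFED_SENDERS = {"postmaster", "mailer-daemon", "noreply", "mail administrator",
                   "mail delivery subsystem", "bounced mail", "returned mail"}
KNOWN_SUBJECTS = {"mail system error - returned mail",
                  "returned mail: data format error",
                  "returned mail: see transcript for details",
                  "message could not be delivered",
                  "your message could not be delivered", "you are dismissed"}
KNOWN_BODIES = {"mail transaction failed. partial message is available.",
                "the message cannot be represented in 7-bit ascii encoding and "
                "has been sent as a binary attachment.",
                "follow the instructions in the attachment."}
KNOWN_ATTACHMENTS = {"transcript.zip", "message.zip", "document.zip", "readme.zip",
                     "account-details.zip", "email-password.zip", "pics.zip"}


def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches the worm's mail profile; [] means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # The worm forges bounce-style senders; check the display name and local part.
    sender = str(msg.get("From", "")).lower()
    local_part = sender.split("<")[-1].split("@")[0].strip()
    bounce_style = local_part in SPOOFED_SENDERS or any(
        s in sender for s in SPOOFED_SENDERS)
    if bounce_style:
        reasons.append("bounce-style sender")

    # An empty subject is allowed by the description but is no evidence on its own.
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("known subject line")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in KNOWN_BODIES:
        reasons.append("known body text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            reasons.append(f"known attachment name: {name}")
        elif name.endswith(".zip") and bounce_style:
            # Genuine bounces attach the original message, not a zip archive.
            reasons.append(f"zip attachment on a bounce-style message: {name}")
    return reasons


# Constructed messages: one shaped like the worm's mail, one ordinary.
WORM_LIKE = b"""\
From: Mail Delivery Subsystem <postmaster@example.com>
To: someone@example.org
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
--b1
Content-Type: application/zip; name="transcript.zip"
Content-Disposition: attachment; filename="transcript.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
BENIGN = b"""\
From: Alice <alice@example.com>
To: bob@example.org
Subject: lunch on Friday?
Content-Type: text/plain

See you at noon.
"""
```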



The email may look like one of the following:



Mailing:
Search addresses:
It searches the following files for email addresses:
   • asp; cgi; dbx; dht; eml; htm; html; jsp; mbx; mht; msg; php; sht; stm;
      tbb; uin; wab


Address generation for FROM field:
To generate addresses it uses the following strings:
   • postmaster; MAILER-DAEMON; noreply; %FAILED_DELIVER_FROM%;
      Postmaster; Mail Administrator; Automatic Email Delivery Software;
      Post Office; The Post Office; Bounced mail; Returned mail;
      MAILER-DAEMON; Mail Delivery Subsystem

It combines the result with domains found in the files that were previously searched for addresses.


Address generation for FROM field:
To generate addresses it uses the following strings:
   • James; John; Robert; Michael; William; David; Richard; Charles;
      Joseph; Thomas; Christopher; Daniel; Paul; Mark; Donald; George;
      Kenneth; Steven; Edward; Brian; Ronald; Anthony; Kevin; Jason;
      Matthew; Gary; Timothy; Jose; Larry; Jeffrey; Frank; Scott; Eric;
      Stephen; Andrew; Raymond; Gregory; Joshua; Jerry; Dennis; Walter;
      Patrick; Peter; Harold; Douglas; Henry; Carl; Arthur; Ryan; Roger;
      Joe; Juan; Jack; Albert; Jonathan; Justin; Terry; Gerald; Keith;
      Samuel; Willie; Ralph; Lawrence; Nicholas; Roy; Benjamin; Bruce;
      Brandon; Adam; Harry; Fred; Wayne; Billy; Steve; Louis; Jeremy; Aaron;
      Randy; Howard; Eugene; Carlos; Russell; Bobby; Victor; Martin; Ernest;
      Phillip; Todd; Jesse; Craig; Alan; Shawn; Clarence; Sean; Philip;
      Chris; Johnny; Earl; Jimmy; Antonio; Danny; Bryan; Tony; Luis; Mike;
      Stanley; Leonard; Nathan; Dale; Manuel; Rodney; Curtis; Norman; Allen;
      Marvin; Vincent; Glenn; Jeffery; Travis; Jeff; Chad; Jacob; Lee;
      Melvin; Alfred; Kyle; Francis; Bradley; Jesus; Herbert; Frederick;
      Ray; Joel; Edwin; Don; Eddie; Ricky; Troy; Randall; Barry; Alexander;
      Bernard; Mario; Leroy; Francisco; Marcus; Micheal; Theodore; Clifford;
      Miguel; Oscar; Jay; Jim; Tom; Calvin; Alex; Jon; Ronnie; Bill; Lloyd;
      Tommy; Leon; Derek; Warren; Darrell; Jerome; Floyd; Leo; Alvin; Tim;
      Wesley; Gordon; Dean; Greg; Jorge; Dustin; Pedro; Derrick; Dan; Lewis;
      Zachary; Corey; Herman; Maurice; Vernon; Roberto; Clyde; Glen; Hector;
      Shane; Ricardo; Sam; Rick; Lester; Brent; Ramon; Charlie; Tyler;
      Gilbert; Gene; Marc; Reginald; Ruben; Brett; Angel; Nathaniel; Rafael;
      Leslie; Edgar; Milton; Raul; Ben; Chester; Cecil; Duane; Franklin;
      Andre; Elmer; Brad; Gabriel; Ron; Mitchell; Roland; Arnold; Harvey;
      Jared; Adrian; Karl; Cory; Claude; Erik; Darryl; Jamie; Neil; Jessie;
      Christian; Javier; Fernando; Clinton; Ted; Mathew; Tyrone; Darren;
      Lonnie; Lance; Cody; Julio; Kelly; Kurt; Allan; Nelson; Guy; Clayton;
      Hugh; Max; Dwayne; Dwight; Armando; Felix; Jimmie; Everett; Jordan;
      Ian; Wallace; Ken; Bob; Jaime; Casey; Alfredo; Alberto; Dave; Ivan;
      Johnnie; Sidney; Byron; Julian; Isaac; Morris; Clifton; Willard;
      Daryl; Ross; Virgil; Andy; Marshall; Salvador; Perry; Kirk; Sergio;
      Marion; Tracy; Seth; Kent; Terrance; Rene; Eduardo; Terrence; Enrique;
      Freddie; Wade; Austin; Stuart; Fredrick; Arturo; Alejandro; Jackie;
      Joey; Nick; Luther; Wendell; Jeremiah; Evan; Julius; Dana; Donnie;
      Otis; Shannon; Trevor; Oliver; Luke; Homer; Gerard; Doug; Kenny;
      Hubert; Angelo; Shaun; Lyle; Matt; Lynn; Alfonso; Orlando; Rex;
      Carlton; Ernesto; Cameron; Neal; Pablo; Lorenzo; Omar; Wilbur; Blake;
      Grant; Horace; Roderick; Kerry; Abraham; Willis; Rickey; Jean; Ira;
      Andres; Cesar; Johnathan; Malcolm; Rudolph; Damon; Kelvin; Rudy;
      Preston; Alton; Archie; Marco; Pete; Randolph; Garry; Geoffrey;
      Jonathon; Felipe; Bennie; Gerardo; Dominic; Robin; Loren; Delbert;
      Colin; Guillermo; Earnest; Lucas; Benny; Noel; Spencer; Rodolfo;
      Myron; Edmund; Garrett; Salvatore; Cedric; Lowell; Gregg; Sherman;
      Wilson; Devin; Sylvester; Kim; Roosevelt; Israel; Jermaine; Forrest;
      Wilbert; Leland; Simon; Guadalupe; Clark; Irving; Carroll; Bryant;
      Owen; Rufus; Woodrow; Sammy; Kristopher; Mack; Levi; Marcos; Gustavo;
      Jake; Lionel; Marty; Taylor; Ellis; Dallas; Gilberto; Clint; Nicolas;
      Laurence; Ismael; Orville; Drew; Jody; Ervin; Dewey; Wilfred; Josh;
      Hugo; Ignacio; Caleb; Tomas; Sheldon; Erick; Frankie; Stewart; Doyle;
      Darrel; Rogelio; Terence; Santiago; Alonzo; Elias; Bert; Elbert;
      Ramiro; Conrad; Pat; Noah; Grady; Phil; Cornelius; Lamar; Rolando;
      Clay; Percy; Dexter; Bradford; Merle; Darin; Amos; Terrell; Moses;
      Irvin; Saul; Roman; Darnell; Randal; Tommie; Timmy; Darrin; Winston;
      Brendan; Toby; Van; Abel; Dominick; Boyd; Courtney; Jan; Emilio;
      Elijah; Cary; Domingo; Santos; Aubrey; Emmett; Marlon; Emanuel;
      Jerald; Edmond

It may combine the first string with one of the following:
   • Smith; Johnson; Williams; Jones; Brown; Davis; Miller; Wilson; Moore;
      Taylor; Anderson; Thomas; Jackson; White; Harris; Martin; Thompson;
      Garcia; Martinez; Robinson; Clark; Rodriguez; Lewis; Walker; Allen;
      Young; Hernandez; Wright; Lopez; Scott; Green; Adams; Baker; Gonzalez;
      Nelson; Carter; Mitchell; Perez; Roberts; Turner; Phillips; Campbell;
      Parker; Evans; Edwards; Collins; Stewart; Sanchez; Morris; Rogers;
      Morgan; Murphy; Bailey; Rivera; Cooper; Richardson; Howard; Torres;
      Peterson; Ramirez; James; Watson; Brooks; Kelly; Sanders; Price;
      Bennett; Barnes; Henderson; Coleman; Jenkins; Perry; Powell;
      Patterson; Hughes; Flores; Washington; Butler; Simmons; Foster;
      Gonzales; Bryant; Alexander; Russell; Griffin; Hayes; Myers; Hamilton;
      Graham; Sullivan; Wallace; Woods; Jordan; Owens; Reynolds; Fisher;
      Ellis; Harrison; Gibson; Mcdonald; Marshall; Ortiz; Gomez; Murray;
      Freeman; Wells; Simpson; Stevens; Tucker; Porter; Hunter; Hicks;
      Crawford; Henry; Mason; Morales; Kennedy; Warren; Dixon; Ramos; Reyes;
      Burns; Gordon; Holmes; Robertson; Black; Daniels; Palmer; Mills;
      Nichols; Grant; Knight; Ferguson; Stone; Hawkins; Perkins; Hudson;
      Spencer; Gardner; Stephens; Payne; Pierce; Berry; Matthews; Arnold;
      Wagner; Willis; Watkins; Olson; Carroll; Duncan; Snyder; Cunningham;
      Bradley; Andrews; Harper; Riley; Armstrong; Carpenter; Weaver; Greene;
      Lawrence; Elliott; Chavez; Austin; Peters; Kelley; Franklin; Lawson;
      Fields; Gutierrez; Schmidt; Vasquez; Castillo; Wheeler; Chapman;
      Oliver; Montgomery; Richards; Williamson; Johnston; Banks; Meyer;
      Bishop; Mccoy; Howell; Alvarez; Morrison; Hansen; Fernandez; Garza;
      Harvey; Little; Burton; Stanley; Nguyen; George; Jacobs; Fuller;
      Lynch; Gilbert; Garrett; Romero; Welch; Larson; Frazier; Burke;
      Hanson; Mendoza; Moreno; Bowman; Medina; Fowler; Brewer; Hoffman;
      Carlson; Silva; Pearson; Holland; Douglas; Fleming; Jensen; Vargas;
      Davidson; Hopkins; Terry; Herrera; Walters; Curtis; Caldwell;
      Jennings; Barnett; Graves; Jimenez; Horton; Shelton; Barrett; Obrien;
      Castro; Sutton; Gregory; Mckinney; Lucas; Miles; Craig; Rodriquez;
      Chambers; Lambert; Fletcher; Watts; Bates; Rhodes; Newman; Haynes;
      Mcdaniel; Mendez; Vaughn; Parks; Dawson; Santiago; Norris; Hardy;
      Steele; Curry; Powers; Schultz; Barker; Guzman; Munoz; Keller;
      Chandler; Weber; Leonard; Walsh; Lyons; Ramsey; Wolfe; Schneider;
      Mullins; Benson; Sharp; Bowen; Daniel; Barber; Cummings; Hines;
      Baldwin; Griffith; Valdez; Hubbard; Salazar; Reeves; Warner;
      Stevenson; Burgess; Santos; Cross; Garner; Thornton; Dennis; Mcgee;
      Farmer; Delgado; Aguilar; Glover; Manning; Cohen; Harmon; Rodgers;
      Robbins; Newton; Blair; Higgins; Ingram; Reese; Cannon; Strickland;
      Townsend; Potter; Goodwin; Walton; Hampton; Ortega; Patton; Swanson;
      Joseph; Francis; Goodman; Maldonado; Yates; Becker; Erickson; Hodges;
      Conner; Adkins; Webster; Norman; Malone; Hammond; Flowers; Moody;
      Quinn; Blake; Maxwell; Floyd; Osborne; Mccarthy; Guerrero; Lindsey;
      Estrada; Sandoval; Gibbs; Tyler; Gross; Fitzgerald; Stokes; Doyle;
      Sherman; Saunders; Colon; Alvarado; Greer; Padilla; Simon; Waters;
      Nunez; Ballard; Schwartz; Mcbride; Houston; Christensen; Klein; Pratt;
      Briggs; Parsons; Mclaughlin; Zimmerman; French; Buchanan; Moran;
      Copeland; Pittman; Brady; Mccormick; Holloway; Brock; Poole; Frank;
      Logan; Marsh; Drake; Jefferson; Morton; Abbott; Sparks; Patrick;
      Norton; Clayton; Massey; Lloyd; Figueroa; Carson; Bowers; Roberson;
      Barton; Harrington; Casey; Boone; Cortez; Clarke; Mathis; Singleton;
      Wilkins; Bryan; Underwood; Hogan; Mckenzie; Collier; Phelps; Mcguire;
      Allison; Bridges; Wilkerson; Summers; Atkins

It combines the result with domains found in the files that were previously searched for addresses.

The domain is one of the following:
   • dailymail.co.uk; mail.com; hotmail.com; gmx.net; yahoo.co.uk;
      1access.net; a1isp.net; accessus.net; address.com; ameralinx.net;
      aol.com; apci.net; arczip.com; aristotle.net; att.net; cableone.net;
      cais.com; canada.com; cayuse.net; ccp.com; ccpc.net; chello.com;
      compuserve.com; core.com; cox.net; cybernex.net; dialupnet.com;
      earthlink.net; eclipse.net; eisa.com; ev1.net; excite.com; fast.net;
      fcc.net; flex.com; gbronline.com; globalbiz.net; globetrotter.net;
      highstream.net; hiwaay.net; ieway.com; inext.fr; infoave.net;
      iquest.net; isp.com; ispwest.com; istep.com; juno.com; loa.com;
      macconnect.com; madriver.com; msn.com; nccw.net; netcenter.com;
      netrox.net; netzero.net; pacific.net.sg; palm.net; pathlink.com;
      peoplepc.com; pics.com; rcn.com; ricochet.com; surfree.com;
      t-online.com; t-online.de; tiscali.com; toad.net; ultimanet.com;
      verizon.net; wanadoo.com; worldcom.com; worldshare.net; wwc.com;
      yahoo.com; ziplink.net

Here you can find examples of generated addresses:
   • Wilkerson@ziplink.net
   • Allison@worldshare.net


Search Engine:
In order to gather more email addresses it contacts the following search engines:
   • http://www.google.com
   • http://www.accoona.com

Queries to the aforementioned search engines contain keywords such as:
   • From:
   • To:
   • Subject:

Queries may contain the following forenames:
   • Aaron; Abel; Abraham; Adam; Adrian; Alan; Albert; Alberto; Alejandro;
      Alex; Alexander; Alfonso; Alfred; Alfredo; Allan; Allen; Alonzo;
      Alton; Alvin; Amos; Andre; Andres; Andrew; Andy; Angel; Angelo;
      Anthony; Antonio; Archie; Armando; Arnold; Arthur; Arturo; Aubrey;
      Austin; Barry; Ben; Benjamin; Bennie; Benny; Bernard; Bert; Bill;
      Billy; Blake; Bob; Bobby; Boyd; Brad; Bradford; Bradley; Brandon;
      Brendan; Brent; Brett; Brian; Bruce; Bryan; Bryant; Byron; Caleb;
      Calvin; Cameron; Carl; Carlos; Carlton; Carroll; Cary; Casey; Cecil;
      Cedric; Cesar; Chad; Charles; Charlie; Chester; Chris; Christian;
      Christopher; Clarence; Clark; Claude; Clay; Clayton; Clifford;
      Clifton; Clint; Clinton; Clyde; Cody; Colin; Conrad; Corey; Cornelius;
      Cory; Courtney; Craig; Curtis; Dale; Dallas; Damon; Dan; Dana; Daniel;
      Danny; Darin; Darnell; Darrel; Darrell; Darren; Darrin; Darryl; Daryl;
      Dave; David; Dean; Delbert; Dennis; Derek; Derrick; Devin; Dewey;
      Dexter; Domingo; Dominic; Dominick; Don; Donald; Donnie; Doug;
      Douglas; Doyle; Drew; Duane; Dustin; Dwayne; Dwight; Earl; Earnest;
      Eddie; Edgar; Edmond; Edmund; Eduardo; Edward; Edwin; Elbert; Elias;
      Elijah; Ellis; Elmer; Emanuel; Emilio; Emmett; Enrique; Eric; Erick;
      Erik; Ernest; Ernesto; Ervin; Eugene; Evan; Everett; Felipe; Felix;
      Fernando; Floyd; Forrest; Francis; Francisco; Frank; Frankie;
      Franklin; Fred; Freddie; Frederick; Fredrick; Gabriel; Garrett; Garry;
      Gary; Gene; Geoffrey; George; Gerald; Gerard; Gerardo; Gilbert;
      Gilberto; Glen; Glenn; Gordon; Grady; Grant; Greg; Gregg; Gregory;
      Guadalupe; Guillermo; Gustavo; Guy; Harold; Harry; Harvey; Hector;
      Henry; Herbert; Herman; Homer; Horace; Howard; Hubert; Hugh; Hugo;
      Ian; Ignacio; Ira; Irvin; Irving; Isaac; Ismael; Israel; Ivan; Jack;
      Jackie; Jacob; Jaime; Jake; James; Jamie; Jan; Jared; Jason; Javier;
      Jay; Jean; Jeff; Jeffery; Jeffrey; Jerald; Jeremiah; Jeremy; Jermaine;
      Jerome; Jerry; Jesse; Jessie; Jesus; Jim; Jimmie; Jimmy; Jody; Joe;
      Joel; Joey; John; Johnathan; Johnnie; Johnny; Jon; Jonathan; Jonathon;
      Jordan; Jorge; Jose; Joseph; Josh; Joshua; Juan; Julian; Julio;
      Julius; Justin; Karl; Keith; Kelly; Kelvin; Ken; Kenneth; Kenny; Kent;
      Kerry; Kevin; Kim; Kirk; Kristopher; Kurt; Kyle; Lamar; Lance; Larry;
      Laurence; Lawrence; Lee; Leland; Leo; Leon; Leonard; Leroy; Leslie;
      Lester; Levi; Lewis; Lionel; Lloyd; Lonnie; Loren; Lorenzo; Louis;
      Lowell; Lucas; Luis; Luke; Luther; Lyle; Lynn; Mack; Malcolm; Manuel;
      Marc; Marco; Marcos; Marcus; Mario; Marion; Mark; Marlon; Marshall;
      Martin; Marty; Marvin; Mathew; Matt; Matthew; Maurice; Max; Melvin;
      Merle; Michael; Micheal; Miguel; Mike; Milton; Mitchell; Morris;
      Moses; Myron; Nathan; Nathaniel; Neal; Neil; Nelson; Nicholas; Nick;
      Nicolas; Noah; Noel; Norman; Oliver; Omar; Orlando; Orville; Oscar;
      Otis; Owen; Pablo; Pat; Patrick; Paul; Pedro; Percy; Perry; Pete;
      Peter; Phil; Philip; Phillip; Preston; Rafael; Ralph; Ramiro; Ramon;
      Randal; Randall; Randolph; Randy; Raul; Ray; Raymond; Reginald; Rene;
      Rex; Ricardo; Richard; Rick; Rickey; Ricky; Robert; Roberto; Robin;
      Roderick; Rodney; Rodolfo; Rogelio; Roger; Roland; Rolando; Roman;
      Ron; Ronald; Ronnie; Roosevelt; Ross; Roy; Ruben; Rudolph; Rudy;
      Rufus; Russell; Ryan; Salvador; Salvatore; Sam; Sammy; Samuel;
      Santiago; Santos; Saul; Scott; Sean; Sergio; Seth; Shane; Shannon;
      Shaun; Shawn; Sheldon; Sherman; Sidney; Simon; Spencer; Stanley;
      Stephen; Steve; Steven; Stewart; Stuart; Sylvester; Taylor; Ted;
      Terence; Terrance; Terrell; Terrence; Terry; Theodore; Thomas; Tim;
      Timmy; Timothy; Toby; Todd; Tom; Tomas; Tommie; Tommy; Tony; Tracy;
      Travis; Trevor; Troy; Tyler; Tyrone; Van; Vernon; Victor; Vincent;
      Virgil; Wade; Wallace; Walter; Warren; Wayne; Wendell; Wesley;
      Wilbert; Wilbur; Wilfred; Willard; William; Willie; Willis; Wilson;
      Winston; Woodrow; Zachary

Queries may contain the following surnames:
   • Abbott; Adams; Adkins; Aguilar; Alexander; Allen; Allison; Alvarado;
      Alvarez; Anderson; Andrews; Armstrong; Arnold; Atkins; Austin; Bailey;
      Baker; Baldwin; Ballard; Banks; Barber; Barker; Barnes; Barnett;
      Barrett; Barton; Bates; Becker; Bennett; Benson; Berry; Bishop; Black;
      Blair; Blake; Boone; Bowen; Bowers; Bowman; Bradley; Brady; Brewer;
      Bridges; Briggs; Brock; Brooks; Brown; Bryan; Bryant; Buchanan;
      Burgess; Burke; Burns; Burton; Butler; Caldwell; Campbell; Cannon;
      Carlson; Carpenter; Carroll; Carson; Carter; Casey; Castillo; Castro;
      Chambers; Chandler; Chapman; Chavez; Christensen; Clark; Clarke;
      Clayton; Cohen; Coleman; Collier; Collins; Colon; Conner; Cooper;
      Copeland; Cortez; Craig; Crawford; Cross; Cummings; Cunningham; Curry;
      Curtis; Daniel; Daniels; Davidson; Davis; Dawson; Delgado; Dennis;
      Dixon; Douglas; Doyle; Drake; Duncan; Edwards; Elliott; Ellis;
      Erickson; Estrada; Evans; Farmer; Ferguson; Fernandez; Fields;
      Figueroa; Fisher; Fitzgerald; Fleming; Fletcher; Flores; Flowers;
      Floyd; Foster; Fowler; Francis; Frank; Franklin; Frazier; Freeman;
      French; Fuller; Garcia; Gardner; Garner; Garrett; Garza; George;
      Gibbs; Gibson; Gilbert; Glover; Gomez; Gonzales; Gonzalez; Goodman;
      Goodwin; Gordon; Graham; Grant; Graves; Green; Greene; Greer; Gregory;
      Griffin; Griffith; Gross; Guerrero; Gutierrez; Guzman; Hamilton;
      Hammond; Hampton; Hansen; Hanson; Hardy; Harmon; Harper; Harrington;
      Harris; Harrison; Harvey; Hawkins; Hayes; Haynes; Henderson; Henry;
      Hernandez; Herrera; Hicks; Higgins; Hines; Hodges; Hoffman; Hogan;
      Holland; Holloway; Holmes; Hopkins; Horton; Houston; Howard; Howell;
      Hubbard; Hudson; Hughes; Hunter; Ingram; Jackson; Jacobs; James;
      Jefferson; Jenkins; Jennings; Jensen; Jimenez; Johnson; Johnston;
      Jones; Jordan; Joseph; Keller; Kelley; Kelly; Kennedy; Klein; Knight;
      Lambert; Larson; Lawrence; Lawson; Leonard; Lewis; Lindsey; Little;
      Lloyd; Logan; Lopez; Lucas; Lynch; Lyons; Maldonado; Malone; Manning;
      Marsh; Marshall; Martin; Martinez; Mason; Massey; Mathis; Matthews;
      Maxwell; Mcbride; Mccarthy; Mccormick; Mccoy; Mcdaniel; Mcdonald;
      Mcgee; Mcguire; Mckenzie; Mckinney; Mclaughlin; Medina; Mendez;
      Mendoza; Meyer; Miles; Miller; Mills; Mitchell; Montgomery; Moody;
      Moore; Morales; Moran; Moreno; Morgan; Morris; Morrison; Morton;
      Mullins; Munoz; Murphy; Murray; Myers; Nelson; Newman; Newton; Nguyen;
      Nichols; Norman; Norris; Norton; Nunez; Obrien; Oliver; Olson; Ortega;
      Ortiz; Osborne; Owens; Padilla; Palmer; Parker; Parks; Parsons;
      Patrick; Patterson; Patton; Payne; Pearson; Perez; Perkins; Perry;
      Peters; Peterson; Phelps; Phillips; Pierce; Pittman; Poole; Porter;
      Potter; Powell; Powers; Pratt; Price; Quinn; Ramirez; Ramos; Ramsey;
      Reese; Reeves; Reyes; Reynolds; Rhodes; Richards; Richardson; Riley;
      Rivera; Robbins; Roberson; Roberts; Robertson; Robinson; Rodgers;
      Rodriguez; Rodriquez; Rogers; Romero; Russell; Salazar; Sanchez;
      Sanders; Sandoval; Santiago; Santos; Saunders; Schmidt; Schneider;
      Schultz; Schwartz; Scott; Sharp; Shelton; Sherman; Silva; Simmons;
      Simon; Simpson; Singleton; Smith; Snyder; Sparks; Spencer; Stanley;
      Steele; Stephens; Stevens; Stevenson; Stewart; Stokes; Stone;
      Strickland; Sullivan; Summers; Sutton; Swanson; Taylor; Terry; Thomas;
      Thompson; Thornton; Torres; Townsend; Tucker; Turner; Tyler;
      Underwood; Valdez; Vargas; Vasquez; Vaughn; Wagner; Walker; Wallace;
      Walsh; Walters; Walton; Warner; Warren; Washington; Waters; Watkins;
      Watson; Watts; Weaver; Weber; Webster; Welch; Wells; Wheeler; White;
      Wilkerson; Wilkins; Williams; Williamson; Willis; Wilson; Wolfe;
      Woods; Wright; Yates; Young; Zimmerman



Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • syman; icrosof; panda; sopho; borlan; inpris; example; mydomai;
      nodomai; ruslis; icrosoft; @foo.; @iana; linux; antivi; messagelabs;
      support; berkeley; mit.e; ibm.com; google; kernel; linux; usenet;
      rfc-ed; sendmail; arin.; ripe.; isi.e; isc.o; secur; acketst;
      tanford.e; utgers.ed; mozilla; icq.com; admin; icrosoft; support;
      ntivi; linux; listserv; certific; google; accoun; abuse; upport;
      samples; postmaster; rating; webmaster; noone; noreply; nobody;
      nothing; anyone; someone; rating; contact; support; somebody; privacy;
      service; submit; feste; gold-certs

Network infection:
Exploit:
It makes use of the following exploit:
   • MS05-039 (Vulnerability in Plug and Play)

Hosts:
The hosts file is modified as explained below. In this case, existing entries are deleted.

Access to the following domains is effectively blocked:
   • avp.com
   • ca.com
   • customer.symantec.com
   • dispatch.mcafee.com
   • download.mcafee.com
   • downloads-eu1.kaspersky-labs.com
   • downloads-us1.kaspersky-labs.com
   • downloads1.kaspersky-labs.com
   • downloads2.kaspersky-labs.com
   • downloads3.kaspersky-labs.com
   • downloads4.kaspersky-labs.com
   • f-secure.com
   • kaspersky-labs.com
   • kaspersky.com
   • liveupdate.symantec.com
   • liveupdate.symantecliveupdate.com
   • mast.mcafee.com
   • mcafee.com
   • microsoft.com
   • my-etrust.com
   • nai.com
   • networkassociates.com
   • oxyd.fr
   • pandasoftware.com
   • rads.mcafee.com
   • secure.nai.com
   • securityresponse.symantec.com
   • sophos.com
   • symantec.com
   • t35.com
   • t35.net
   • trendmicro.com
   • update.symantec.com
   • updates.symantec.com
   • us.mcafee.com
   • viruslist.com
   • virustotal.com
   • www.avp.com
   • www.ca.com
   • www.f-secure.com
   • www.grisoft.com
   • www.kaspersky.com
   • www.mcafee.com
   • www.microsoft.com
   • www.my-etrust.com
   • www.nai.com
   • www.networkassociates.com
   • www.oxyd.fr
   • www.pandasoftware.com
   • www.sophos.com
   • www.symantec.com
   • www.t35.com
   • www.t35.net
   • www.trendmicro.com
   • www.viruslist.com
   • www.virustotal.com




The modified hosts file will look like this:
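As an added example (not code from Avira and not the hosts listing this description refers to), the parser below reads hosts-file text and reports any mapping for one of the security-vendor domains listed above, plus the missing localhost entry that follows from the deletion of existing entries; the domain subset and both sample files are constructed for the example.

```python
# Added example (not Avira's code): parse a hosts file and report any entry
# that would block or redirect one of the security-vendor domains listed
# above, which is the tampering this worm performs.  The hosts texts below are
# constructed; on the Windows versions listed the real file is
# %SYSDIR%\drivers\etc\hosts.
from __future__ import annotations

# Subset of the domains listed above; add the rest for a complete check.
SECURITY_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "mcafee.com", "microsoft.com", "nai.com", "pandasoftware.com", "sophos.com",
    "symantec.com", "trendmicro.com", "viruslist.com", "virustotal.com",
}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, ip, hostname) for every mapping in hosts-file syntax.
    Comments (full-line and trailing '#') are dropped and a line that lists
    several hostnames after one address yields one entry per hostname."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        for host in fields[1:]:
            entries.append((lineno, fields[0], host.lower()))
    return entries


def _is_security_host(host: str) -> bool:
    """True for a listed domain or any subdomain of it (www., liveupdate., ...)."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def blocked_security_hosts(text: str) -> list[tuple[int, str, str, str]]:
    """Mappings for security-vendor hosts, tagged 'blocked' when the address is
    a sinkhole and 'redirected' otherwise.  A normal hosts file does not pin
    vendor update servers at all, so every such mapping deserves a look; a
    redirect to a routable address is the more serious of the two."""
    return [(n, ip, host, "blocked" if ip in SINKHOLE_IPS else "redirected")
            for n, ip, host in parse_hosts(text) if _is_security_host(host)]


def localhost_entry_missing(text: str) -> bool:
    """The description says existing entries are deleted; the stock file on the
    listed Windows versions carries '127.0.0.1 localhost', so its absence is a
    second sign of tampering."""
    return not any(ip == "127.0.0.1" and host == "localhost"
                   for _, ip, host in parse_hosts(text))


# Constructed samples: a file shaped like the modification described above,
# and an untouched default.
TAMPERED = """\
127.0.0.1 www.symantec.com liveupdate.symantec.com
127.0.0.1 www.microsoft.com   # appended by the worm
0.0.0.0   download.mcafee.com
"""
DEFAULT = """\
# default entries only
127.0.0.1       localhost
"""
```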


Process termination:
It tries to terminate the following processes and delete the corresponding files:
   • _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; ackdoor.rbot.gen_(17).exe;
      ATUPDATER.EXE; ATUPDATER.EXE; AUPDATE.EXE; AUTODOWN.EXE;
      AUTOTRACE.EXE; AUTOUPDATE.EXE; AVPUPD.EXE; AVWUPD32.EXE; AVXQUAR.EXE;
      b055262c.dll; backdoor.rbot.gen.exe; CFIAUDIT.EXE; dailin.exe;
      DRWEBUPW.EXE; F-AGOBOT.EXE; GfxAcc.exe; HIJACKTHIS.EXE; IAOIN.EXE;
      ICSSUPPNT.EXE; ICSUPP95.EXE; Lien Van de Kelderrr.exe; LUALL.EXE;
      MCUPDATE.EXE; msnmsgr.exe; NUPGRADE.EXE; NUPGRADE.EXE; OUTPOST.EXE;
      rasmngr.exe; RAVMOND.exe; RB.EXE; sssss.exe; Systra.exe;
      taskmanagr.exe; UPDATE.EXE; VisualGuard.exe; wfdmgr.exe; WIN32.EXE;
      WIN32US.EXE; WINACTIVE.EXE; WIN-BUGSFIX.EXE; WINDOW.EXE; WINDOWS.EXE;
      WININETD.EXE; WININIT.EXE; WININITX.EXE; WINLOGIN.EXE; WINMAIN.EXE;
      WINPPR32.EXE; WINRECON.EXE; winshost.exe; WINSSK32.EXE; WINSTART.EXE;
      WINSTART001.EXE; WINTSK32.EXE; WINUPDATE.EXE; WKUFIND.EXE; WNAD.EXE;
      WNT.EXE; wowpos32.exe; WRADMIN.EXE; WRCTRL.EXE; wuamga.exe;
      wuamgrd.exe; WUPDATER.EXE; WUPDT.EXE; WYVERNWORKSFIREWALL.EXE;
      XPF202EN.EXE; ZAPRO.EXE; ZAPSETUP3001.EXE; ZATUTOR.EXE;
      ZONALM2601.EXE; ZONEALARM.EXE


List of services that are disabled:
   • NETSKY; navapsvc; NProtectService; Norton Antivirus Server;
      VexiraAntivirus; dvpinit; dvpapi; schscnt; BackWeb Client - 7681197;
      F-Secure Gatekeeper Handler Starter; AVPCC; KAVMonitorService; Norman
      NJeeves; NVCScheduler; nvcoas; Norman ZANDA; PASSRV; SweepNet;
      SWEEPSRV.SYS; NOD32ControlCenter; NOD32Service; PCCPFW; Tmntsrv;
      AvxIni; XCOMM; ravmon8; SmcService; BlackICE; PersFW; McAfee Firewall;
      OutpostFirewall; NWService; NISUM; NISSERV; vsmon

Miscellaneous:
Mutex:
It creates the following Mutex:
   • amgkshsqweasdmnd

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Oliver Auerbach on Friday, August 19, 2005
Description updated by Oliver Auerbach on Wednesday, September 7, 2005
