Virus: Worm/Mydoom.M.unp
Date discovered: 26/07/2004
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 41.408 Bytes
MD5 checksum: 6e821a45f567011c1aa88822efc14193
VDF version: 6.26.00.44

General

Method of propagation:
   • Email


Aliases:
   • Symantec: W32.Mydoom.AZ@mm
   • McAfee: W32/Mydoom.o@MM
   • Kaspersky: Email-Worm.Win32.Mydoom.am
   • TrendMicro: WORM_MYDOOM.M
   • Sophos: W32/MyDoom-BC
   • Grisoft: I-Worm/Mydoom
   • VirusBuster: I-Worm.Mydoom.AJ1
   • Eset: Win32/Mydoom.AX
   • Bitdefender: Win32.Mydoom.AQ@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own email engine
   • Lowers security settings
   • Modifies the registry
   • Exploits a software vulnerability

Files

It copies itself to the following location:
   • %WINDIR%\java.exe



The following file is created:
   • %WINDIR%\services.exe

This file is executed once it has been fully written. Further analysis showed that it is also malware, detected as Tr/Mydoom.BB.1.




It tries to download a file from the following location:
   • www.imogenheap.co.uk/iblog/**********

At the time of writing this file was no longer online, so it could not be analysed further.

Registry

The following registry key is added so that the worm is run again after a reboot:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "JavaVM"="%WINDIR%\java.exe"

Email

It contains an integrated SMTP engine in order to send emails, connecting directly to the destination mail server. The characteristics of these emails are described below:


From:
The sender address is spoofed; the addresses are generated. Do not assume that the apparent sender intended to send this email to you: the sender might not know about the infection or might not be infected at all. You may also receive bounced emails telling you that you are infected, which need not be the case either.


To:
   • Email addresses found in specific files on the system
   • Email addresses gathered from the WAB (Windows Address Book)
   • Addresses gathered by querying search engines


Subject:
One of the following:
   • hello
   • error
   • status
   • test
   • report
   • delivery failed
   • Message could not be delivered
   • Mail System Error - Returned Mail
   • Delivery reports about your e-mail
   • Returned mail: see transcript for details
   • Returned mail: Data format error

Furthermore the subject line could contain random letters.


Body:
It is constructed using a regular-expression-like template.
   • In some cases it may be empty.
   • In some cases it may contain random characters.


The body of the email is one of the following:

   • Dear user {%receiver's email address% |of %recipient's domain% },{ {{M|m}ail {system|server} administrator|administration} of %recipient's domain% would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
     
     {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
     {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
     {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
     
     {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
     
     {%recipient's domain% {user |technical |}support team.|The %recipient's domain% {support |}team.}

   • {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
     
     Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
     Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
     
     Your message {was not|could not be} delivered within %number% days:
     {{{Mail s|S}erver}|Host} %random IP address% is not responding.
     
     The following recipients {did|could} not receive this message
     %sender's email address%
     
     Please reply to postmaster@{%sender's domain% |%recipient's domain%} if you feel this message to be in error

   • The original message was received at %current date%{| }from {%sender's domain% [%random IP address%]}
     
     ----- The following addresses had permanent fatal errors -----
     
     {<%recipient's domain%>|%recipient's domain%}
     
     {----- Transcript of {the ||}session follows -----
     
     ... while talking to {host |{mail |}server ||||}{%recipient's domain%.|%random IP address%}:
     
     {>>> MAIL F{rom|ROM}:%sender's domain%
     
     <<< 50%number% {%sender's domain% ... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <%recipient's domain%>... {Mail quota exceeded|Message is too large}
     
     554 <%recipient's domain%>... Service unavailable|550 5.1.2 <%recipient's domain%>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [%random IP address%] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
     
     Session aborted{, reason: lost connection|}|>>> RCPT To:<%recipient's domain%>
     
     <<< 550 {MAILBOX NOT FOUND|5.1.1 <%recipient's domain%>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
     
     {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded|}<<< 400}|}

   • The original message was included as attachment
     

   • {{The|Your} m|M}essage could not be delivered
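The subject and body variants above are written in a nested `{a|b|c}` alternation notation with `%name%` placeholders, where an empty alternative (as in `{x|}`) means the text may be omitted. As an added example that is not part of the original Avira description, the following Python parses that notation and enumerates every string a template can produce, which is useful when deriving mail-filter or detection phrases from the description; `fill` substitutes placeholders. The three template constants are copied from this page; balanced braces are assumed.

```python
import itertools
import re

def _parse(tmpl, i=0):
    """Parse tmpl[i:] up to the matching '}' or end of input (balanced braces
    assumed). A group is a list of alternatives; an alternative is a list of
    parts, each a literal string or a nested group. Returns (group, index)."""
    alts, cur, buf = [], [], []
    while i < len(tmpl):
        ch, i = tmpl[i], i + 1
        if ch in "{|}" and buf:           # flush pending literal text
            cur.append("".join(buf)); buf = []
        if ch == "{":
            sub, i = _parse(tmpl, i)      # nested alternation group
            cur.append(sub)
        elif ch in "|}":
            alts.append(cur); cur = []    # close the current alternative
            if ch == "}":
                return alts, i
        else:
            buf.append(ch)
    alts.append(cur + ["".join(buf)] if buf else cur)
    return alts, i

def _expand(group):
    """Yield every expansion of a parsed group, in template order."""
    for seq in group:
        parts = [[p] if isinstance(p, str) else list(_expand(p)) for p in seq]
        for combo in itertools.product(*parts):
            yield "".join(combo)

def expand_all(tmpl):
    """Every distinct string the template can produce (duplicates removed)."""
    return list(dict.fromkeys(_expand(_parse(tmpl)[0])))

def fill(text, values):
    """Substitute %name% tokens; names missing from `values` stay in place."""
    return re.sub(r"%([^%]+)%", lambda m: values.get(m.group(1), m.group(0)), text)

# Templates copied verbatim from the description above.
CLOSING = "{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},"
UNDELIVERED = "{{The|Your} m|M}essage could not be delivered"
HOST_LINE = "{{{Mail s|S}erver}|Host} %random IP address% is not responding."
```

The full body templates nest several levels deep and expand to thousands of variants, so for those prefer the short literal runs shared by every expansion over matching whole bodies.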


Attachment:
The filename of the attachment is constructed as follows:

It starts with one of the following:
   • readme
   • instruction
   • transcript
   • mail
   • letter
   • file
   • text
   • attachment
   • document
   • message
   • %random character string%

The file extension is one of the following:
   • cmd
   • bat
   • com
   • exe
   • pif
   • scr
   • zip

The attachment is either a copy of the malware itself or an archive containing a copy of the malware itself.



The email looks like the following:


Mailing

Search addresses:
It searches files with the following extensions for email addresses:
   • doc
   • txt
   • htm
   • html


Address generation for FROM field:
To generate addresses it uses the following strings:
   • Postmaster
   • Mail Administrator
   • Automatic Email Delivery Software
   • Post Office
   • The Post Office
   • Bounced mail
   • Returned mail
   • MAILER-DAEMON
   • Mail Delivery Subsystem



Search Engine:
In order to gather more email addresses it contacts the following search engines:
   • http://search.lycos.com/
   • http://www.altavista.com/
   • http://search.yahoo.com/
   • http://www.google.com/



Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • mailer-d; spam; abuse; master; sample; accoun; privacycertific; bugs;
      listserv; submit; ntivi; support; admin; page; the.bat; gold-certs;
      feste; not; help; foo; soft; site; rating; you; your; someone; anyone;
      nothing; nobody; noone; info; winrar; winzip; rarsoft; sf.net;
      sourceforge; ripe.; arin.; google; gnu.; gmail; seclist; secur; bar.;
      foo.com; trend; update; uslis; domain; example; sophos; yahoo; spersk;
      panda; hotmail; msn.; msdn.; microsoft; sarc.; syma; avp


Prepend MX strings:
To find the IP address of the recipient's mail server it can prepend the following strings to the domain name:
   • mx.
   • mail.
   • smtp.

Miscellaneous

Mutex:
It creates the following Mutex:
   • %computername%root%computername%rootx%computername%root%computername%rootxx

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Irina Boldea on Thursday, May 18, 2006
Description updated by Irina Boldea on Monday, May 22, 2006
