Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Mydoom.BH.1
Date discovered:31/08/2007
Type:Worm
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:131.072 Bytes
MD5 checksum:1aec7aebd916c3862131af0F7fe46da2
VDF version:6.39.01.017
IVDF version:6.39.01.018

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Mydoom.gen@MM
   •  Kaspersky: Email-Worm.Win32.Mydoom.bh
   •  F-Secure: Email-Worm.Win32.Mydoom.bh
   •  Sophos: W32/MyDoom-BX
   •  Panda: W32/Mydoom.DL.worm
   •  Grisoft: I-Worm/Generic.BXO
   •  Eset: Win32/Mydoom.NA
   •  Bitdefender: Generic.Mydoom.4C96A5D8


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\dvupdate.exe



It deletes the initially executed copy of itself.



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\tmp%hex number%.tmp

%TEMPDIR%\%random character string%.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry One of the following values is added in order to run the process after reboot:

  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • Driver Update="%SYSDIR%\dvupdate.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
 Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • A friendly warning
   • Greetings. Please read on.
   • Hello there! Read on.
   • Hey, just warning you
   • HEY, THIS IS KINDA URGENT
   • Some important information
   • You might want to read this...
   • You need to protect yourself

In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.


Body:
 It is constructed using a regular expression.
–  In some cases it may be empty.
–  In some cases it may contain random characters.


The body of the email is one of the following:

   • I don't know if you have heard yet or not but there's a deadly computer virus going around lately...
     I got caught by it the other day and lost all my files.
     Luckily Microsoft just released a fix which will protect you from it.
     I've attached the fix to this email, so you'll be fine if you install it
     Please open the attached file. It contains very important information concerning you.

   • Please open the attached file. It contains very important information concerning you.

   • I found a file that has a lot of information about YOU in it, I thought you might want to know about it.
     It's attached to this email, so open it if you're interested.

   • Hey, I assume you've heard about that new computer virus?
     A friend of mine got hit by it the other day and lost EVERY file on his compuiter.
     I attached a fix for it to this email, so you should be fine if you install it.
     Good luck!


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • ReadMe_TXT
   • ReadThisNow_TXT
   • UrgentInfo
   • MSWinFix
   • MSHotFix_Latest
   • Latest_Patch
   • Info_Doc
   • ImportantInfo
   • %random character string%

    The file extension is one of the following:
   • .exe
   • .zip

The attachment is a copy of the malware itself.

The attachment is an archive containing a copy of the malware itself.



The email looks like the following:


 Mailing Search addresses:
It searches the following files for email addresses:
   • wab
   • adb
   • tbb
   • dbx
   • php
   • sht
   • htm
   • tmp


Address generation for TO field:
To generate addresses it uses the following strings:
   • sandra; linda; julie; jimmy; jerry; helen; debby; claudia; brenda;
      anna; alice; brent; adam; ted; fred; jack; bill; stan; smith; steve;
      matt; dave; dan; joe; jane; bob; robert; peter; tom; ray; mary; serg;
      brian; jim; maria; leo; jose; andrew; sam; george; david; kevin; mike;
      james; michael; alex; john; accoun; certific; listserv; ntivi;
      support; icrosoft; admin; page; the.bat; gold-certs; ca; feste;
      submit; not; help; service; privacy; somebody; no; soft; contact;
      site; rating; bugs; me; you; your; someone; anyone; nothing; nobody;
      noone; webmaster; postmaster; samples; info; root

It uses the same domain list as mentioned above.

The domain is one of the following:
   • hotmail.com
   • yahoo.com
   • msn.com
   • aol.com


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • mozilla; utgers.ed; tanford.e; pgp; acketst; secur; isc.o; isi.e;
      ripe.; arin.; sendmail; rfc-ed; ietf; iana; usenet; fido; linux;
      kernel; google; ibm.com; fsf.; gnu; mit.e; bsd; math; unix; berkeley;
      foo.; .mil; gov.; .gov; ruslis; nodomai; mydomai; example; inpris;
      borlan; sopho; panda; hotmail; msn.; icrosof; syma; avp; -._!@; -._!;
      spm; fcnz; www; abuse; .edu


MX Server:
It does not use the standard MX server.
It has the ability to contact one of the following MX servers:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mx1.
   • smtp.
   • mail.
   • mx.

 Hosts The host file is modified as explained:

In this case existing entries are deleted.

Access to the following domains is effectively blocked:
   • www.symantec.com; securityresponse.symantec.com; symantec.com;
      www.sophos.com; sophos.com; www.mcafee.com; mcafee.com;
      liveupdate.symantecliveupdate.com; www.viruslist.com; viruslist.com;
      viruslist.com; f-secure.com; www.f-secure.com; kaspersky.com;
      kaspersky-labs.com; www.kaspersky.com; www.networkassociates.com;
      networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
      my-etrust.com; www.my-etrust.com; download.mcafee.com;
      dispatch.mcafee.com; secure.nai.com; nai.com; www.nai.com;
      update.symantec.com; updates.symantec.com; us.mcafee.com;
      liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
      trendmicro.com; pandasoftware.com; www.pandasoftware.com;
      www.trendmicro.com; www.grisoft.com; www.microsoft.com; microsoft.com;
      update.microsoft.com; www.virustotal.com; virustotal.com;
      www.ahnlab.com; suc.ahnlab.com; auth.ahnlab.com; ahnlab.com




The modified host file will look like this:


 Backdoor Contact server:
The following:
   • io.phatnet.**********:7001

As a result remote control capability is provided.

Sends information about:
     Malware uptime


Remote control capabilities:
     Download file
     Execute file
     Kill process
     Move file

 Miscellaneous Mutex:
It creates the following Mutex:
   • doom1

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Monica Ghitun on Wednesday, October 3, 2007
Description updated by Monica Ghitun on Thursday, October 4, 2007

Back . . . .