Alias: W32.Mydoom.AH@mm, I-Worm.Mydoom.ah
Type: Worm
Size: 21.5 KB
Origin:
Date: 11-09-2004
Damage:
VDF Version: 6.28.00.63
Danger: Low
Distribution: High

General Description

Affected platforms: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Damage routine:
- Exploits Internet Explorer's "Malformed IFRAME Remote Buffer Overflow Vulnerability" (BID 11515) to install itself without user interaction
- Mass-mails itself with its own SMTP engine
- Opens a backdoor on TCP port 1639 and connects to IRC servers on TCP port 6667

Distribution

Worm/MyDoom.AH searches files with specific extensions (e.g. HTM, HTML, TXT) for email addresses and tries to send itself to every address found, using its own SMTP engine.

The sent email has the following structure:

From: %spoofed%

Subject: (one of the following)

Hi!
hey!
Confirmation

Header: (one of the following)

X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked by Dr.Web (www.drweb.net/)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

Body: (one of the following)

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.

The worm's email contains a link that leads to a page exploiting Internet Explorer's "Malformed IFRAME Remote Buffer Overflow Vulnerability" (BID 11515). If the message or the linked page is rendered by an Internet Explorer engine without the corresponding patch installed (this includes mail clients that embed that engine), the exploit downloads and runs the worm's EXE without any further user interaction.
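The forged X-AntiVirus headers, the three subjects and the body templates listed above are exactly the strings a mail-gateway rule would key on. The following Python script is an added example written for this page, not Avira's code: it parses a message with the standard library, checks for the forged X-AntiVirus values, the lure subjects, phrases from the body templates and any embedded link, and flags the message only when the forged header is present together with at least one other indicator. The two sample messages, the example.org/example.net/example.com addresses and the TEST-NET address 192.0.2.10 are constructed for the demonstration.

```python
"""Flag Worm/MyDoom.AH mail lures from the indicators listed on this page.

Added example for this page, not Avira's code. A message is flagged only when
it carries one of the worm's forged X-AntiVirus header values together with a
lure subject, a lure body phrase or a link. The two messages at the bottom are
constructed samples (example.* addresses, TEST-NET address 192.0.2.10).
"""
import email
import re
from email import policy

LURE_SUBJECTS = {"hi!", "hey!", "confirmation"}

# Forged "already scanned" header values the worm stamps on outgoing mail.
FORGED_AV_VALUES = {
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked by Dr.Web (www.drweb.net/)",
    "Checked for viruses by Gordano's AntiVirus Software",
}

# Phrases taken from the three body templates, lower-cased for matching.
LURE_PHRASES = (
    "i am looking for new friends",
    "last webcam photos",
    "paypal has successfully charged",
    "order tracking number is a866dec0",
)

LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def score_message(raw: bytes) -> dict:
    """Return the indicator hits for one RFC 5322 message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        hits.append("lure-subject")

    # Exact comparison of the trimmed header value against the forged set.
    if any(v.strip() in FORGED_AV_VALUES for v in msg.get_all("X-AntiVirus", [])):
        hits.append("forged-av-header")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if any(p in content.lower() for p in LURE_PHRASES):
        hits.append("lure-body")
    links = LINK_RE.findall(content)
    if links:
        hits.append("link")

    # Legitimate scanners also add X-AntiVirus headers, so the forged value is
    # not flagged on its own: require it plus at least one more indicator.
    verdict = "forged-av-header" in hits and len(hits) >= 2
    return {"hits": hits, "links": links, "mydoom_ah_lure": verdict}


# Constructed sample: the "Jane from Miami" lure carrying the Dr.Web header.
LURE_SAMPLE = b"""From: jane@example.net
To: victim@example.org
Subject: Hi!
X-AntiVirus: Checked by Dr.Web (www.drweb.net/)
Content-Type: text/plain; charset=us-ascii

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
http://192.0.2.10/index.htm
See you!
"""

# Constructed sample: a legitimate message that happens to share a lure subject.
BENIGN_SAMPLE = b"""From: alice@example.com
To: bob@example.org
Subject: Confirmation
Content-Type: text/plain; charset=us-ascii

Confirming Thursday at 10:00, room 4B.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(raw))
```

The benign sample shows why the forged header is the anchor of the rule: "Confirmation" is an ordinary subject, and on its own it produces a hit but no verdict.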

Worm/MyDoom.AH also connects to the following IRC servers on TCP port 6667:

broadway.ny.us.dal.net
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
ced.dal.net
coins.dal.net
diemen.nl.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
london.uk.eu.undernet.org
los-angeles.ca.us.undernet.org
lulea.se.eu.undernet.org
ozbytes.dal.net
qis.md.us.dal.net
vancouver.dal.net
viking.dal.net
washington.dc.us.undernet.org

Technical Details

Infection:
Worm/MyDoom.AH spreads by exploiting Internet Explorer's "Malformed IFRAME Remote Buffer Overflow Vulnerability" (BID 11515).

When Worm/MyDoom.AH is executed, it copies itself into the Windows system directory under a variable filename:
- %SystemDir%\<random_name>32.exe

and creates the following entries in the Windows registry so that the copy runs at every start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Reactor<random_num>" = "%SystemDir%\<random_name>32.exe"

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Reactor<random_num>" = "%SystemDir%\<random_name>32.exe"

It also creates the following keys:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version\

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version\

Worm/MyDoom.AH deletes the following values from the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"center"=
"reactor"=
"Reactor3"=
"Reactor4"=
"Rhino"=

The worm's integrated backdoor routine opens TCP port 1639 and waits there for incoming commands.
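Putting the host indicators together (the Reactor<random_num> autorun values, the ComExplore marker keys, the TCP 1639 listener and the IRC connections on TCP 6667), the following Python triage script is an added example for this page, not Avira's code. It works on saved artifacts rather than a live registry: the text of a `reg export` (.reg) file and of `netstat -ano` output, so it runs on any analysis machine. The registry export, the netstat output, the PIDs, the filename lsvc32.exe, the TEST-NET addresses and the REVERSE_DNS mapping (standing in for a PTR lookup of the peer address) are all constructed for the demonstration.

```python
"""Host-side triage for Worm/MyDoom.AH indicators listed on this page.

Added example for this page, not Avira's code. Input is the text of a
`reg export` (.reg) file and of `netstat -ano` output. The samples at the
bottom are constructed: lsvc32.exe, the PIDs, the TEST-NET addresses and the
REVERSE_DNS table (a stand-in for a PTR lookup) are invented for the demo.
"""
import re

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Marker keys created under HKLM and HKCU, with their \Version subkey.
COMEXPLORE_RE = re.compile(r"\\currentversion\\explorer\\comexplore(\\version)?$", re.I)
# "Reactor<digits>" autorun value whose data ends in <name>32.exe.
REACTOR_RE = re.compile(r'^"(reactor\d+)"="(.*32\.exe)"$', re.I)
# netstat -ano row: Proto  Local  Foreign  State  PID
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)")

BACKDOOR_PORT = 1639
IRC_PORT = 6667
IRC_SERVERS = {
    "broadway.ny.us.dal.net", "brussels.be.eu.undernet.org", "caen.fr.eu.undernet.org",
    "ced.dal.net", "coins.dal.net", "diemen.nl.eu.undernet.org",
    "flanders.be.eu.undernet.org", "graz.at.eu.undernet.org", "london.uk.eu.undernet.org",
    "los-angeles.ca.us.undernet.org", "lulea.se.eu.undernet.org", "ozbytes.dal.net",
    "qis.md.us.dal.net", "vancouver.dal.net", "viking.dal.net", "washington.dc.us.undernet.org",
}


def scan_reg_export(text: str) -> list[str]:
    """Flag Reactor<n> autoruns under the Run keys and the ComExplore marker keys."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if COMEXPLORE_RE.search(key):
                findings.append(f"marker key: {key}")
        elif key and key.lower() in RUN_KEYS:
            m = REACTOR_RE.match(line)
            if m:
                # .reg exports double every backslash inside string data.
                path = m.group(2).replace("\\\\", "\\")
                findings.append(f"autorun {m.group(1)} -> {path} in {key}")
    return findings


def scan_netstat(text: str, reverse_dns: dict[str, str]) -> list[str]:
    """Flag a TCP 1639 listener and established connections to IRC on TCP 6667."""
    findings = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lport, rip, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) == BACKDOOR_PORT:
            findings.append(f"backdoor listener on TCP {lport} (pid {pid})")
        elif state == "ESTABLISHED" and int(rport) == IRC_PORT:
            host = reverse_dns.get(rip, rip)
            tag = "known MyDoom.AH IRC server" if host in IRC_SERVERS else "unlisted IRC server"
            findings.append(f"{tag} {host}:{rport} (pid {pid})")
    return findings


def triage(reg_text: str, netstat_text: str, reverse_dns: dict[str, str]) -> list[str]:
    return scan_reg_export(reg_text) + scan_netstat(netstat_text, reverse_dns)


# Constructed sample of a reg export (one benign autorun, one worm autorun).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Reactor8213"="C:\\WINDOWS\\system32\\lsvc32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version]
"""

# Constructed sample of netstat -ano output; pid 1724 owns both suspicious sockets.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1639           0.0.0.0:0              LISTENING       1724
  TCP    192.0.2.55:1040        198.51.100.7:6667      ESTABLISHED     1724
  TCP    192.0.2.55:1041        203.0.113.9:80         ESTABLISHED     2012
  UDP    0.0.0.0:500            *:*                                    712
"""
# Constructed stand-in for a reverse lookup of the IRC peer.
REVERSE_DNS = {"198.51.100.7": "broadway.ny.us.dal.net"}

if __name__ == "__main__":
    for finding in triage(REG_SAMPLE, NETSTAT_SAMPLE, REVERSE_DNS):
        print(finding)
```

The same process ID appearing on the 1639 listener and the IRC connection is what ties the network findings to the autorun binary; in a live case, the PID would be matched to the image path from `tasklist` before the file under %SystemDir% is pulled for analysis.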
Description inserted by Crony Walker on Tuesday, June 15, 2004
