Alias: W32.Mydoom.AX@mm, Win32.Mydoom.AU
Type: Worm
Size: 25.771 bytes
Origin:
Date: 02-17-2005
Damage:
VDF Version: 6.29.00.132
Danger: Low
Distribution: Medium

General Description

Affected platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms

Damage routine:

- email sending
- backdoor routine

Distribution

Worm/MyDoom.BB has its own SMTP engine. The email the worm sends is made up of the following parts.

- Sender (FROM): %spoofed%

- SUBJECT (one of the following):

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error delivered

- Email text (BODY):

The body text varies from message to message.

- ATTACHMENT:

The attachment filename is built from one of the following names, chosen at random by the worm:

ATTACHMENT
DOCUMENT
FILE
INSTRUCTION
LETTER
MAIL
MESSAGE
README
TEXT
TRANSCRIPT

with one of the following extensions:

.bat
.cmd
.com
.exe
.pif
.scr
.zip
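A mail-gateway check for the message profile described above, added here as an example and not part of Avira's description. The subject list and the NAME.EXT attachment lists are taken from the text; case-insensitive matching, the tiered verdict and the sample messages are assumptions.

```python
import re

# Indicators from the description above. Case-insensitive matching is an
# assumption; the page does not state the casing the worm actually uses.
SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error delivered",
}
NAMES = {"attachment", "document", "file", "instruction", "letter", "mail",
         "message", "readme", "text", "transcript"}
EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}

ATTACH_RE = re.compile(r"^([a-z]+)(\.[a-z]{3})$", re.IGNORECASE)


def attachment_matches(filename: str) -> bool:
    """True when the name is NAME.EXT with both parts drawn from the worm's lists."""
    m = ATTACH_RE.match(filename.strip())
    return bool(m) and m.group(1).lower() in NAMES and m.group(2).lower() in EXTS


def classify(subject: str, attachments: list) -> str:
    """Tiered verdict for one message: 'block', 'review' or 'pass'.
    A worm-style name with a directly executable extension is blocked on its
    own; a matching .zip also needs a matching subject, because several of
    the subjects ("hi", "test") are too generic to act on alone.
    """
    subject_hit = subject.strip().lower() in SUBJECTS
    hits = [a for a in attachments if attachment_matches(a)]
    if any(not a.lower().endswith(".zip") for a in hits):
        return "block"
    if hits:
        return "block" if subject_hit else "review"
    return "pass"


# Constructed sample messages (not real captures).
SAMPLES = [
    ("Returned mail: see transcript for details", ["transcript.zip"]),
    ("hello", ["DOCUMENT.pif"]),
    ("Quarterly numbers", ["readme.zip"]),
    ("hi", ["notes.txt"]),
]

if __name__ == "__main__":
    for subj, atts in SAMPLES:
        print(f"{classify(subj, atts):6s}  subject={subj!r} attachments={atts}")
```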

Technical Details

This new variant of Worm/MyDoom also contains a mass-mailing routine, which it uses together with its own SMTP engine. It also tries to spread to other computers via shared directories. When Worm/MyDoom.BB is executed, it writes these two files to the Windows directory:

- %WinDIR%\java.exe
- %WinDIR%\services.exe (backdoor component)

and creates the following entries in the Windows Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="%WinDIR%\java.exe"
"Services"="%WinDIR%\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="%WinDIR%\java.exe"
"Services"="%WinDIR%\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Daemon]
%new entry%

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon]
%new entry%

The worm searches the infected system for files with the following extensions, harvests the email addresses they contain, and sends itself to those addresses:

.pl*
.ph*
.tx*
.ht*
.asp
.sht
.adb
.dbx
.wab

To gather further email addresses, it also sends GET requests to the following search engines:

search.yahoo.com
search.lycos.com
www.altavista.com
www.google.com

Worm/MyDoom does not send itself to email addresses that contain one of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
certific
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacy
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

Worm/MyDoom downloads a file from the website www.aoprojecteden.org and tries to execute it. This file is already detected as BDS/Nemog.D by AVIRA.
Description inserted by Crony Walker on Tuesday, June 15, 2004
