Virus: WORM/Mydoom.MA
Date discovered: 19/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 28.864 Bytes
MD5 checksum: d6b8c39d2dde82f74671465d3303f0d8
IVDF version: 7.10.09.121 - Monday, July 19, 2010

General

Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Mydoom.M@mm
   •  Mcafee: W32/Mydoom.o@MM
   •  Kaspersky: Email-Worm.Win32.Mydoom.m
   •  Sophos: W32/MyDoom-O
   •  Avast: Win32:Mydoom-M
   •  Microsoft: Worm:Win32/Mydoom.O@mm
   •  Panda: W32/Mydoom.N.worm
   •  PCTools: Email-Worm.Mydoom
   •  VirusBuster: I-Worm.Mydoom.R
   •  Eset: Win32/Mydoom.R
   •  AhnLab: Win32/MyDoom.worm.M
   •  Authentium: W32/Mydoom.O@mm
   •  DrWeb: Win32.HLLM.MyDoom.54464
   •  Fortinet: W32/Mydoom.M!dam
   •  Ikarus: Email-Worm.Win32.Mydoom
   •  Norman: MyDoom.L@mm
   •  Rising: Worm.Mail.Mydoom.dh


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops malicious files
   • Registry modification
   • Uses its own Email engine

Files

It copies itself to the following location:
   • %WINDIR%\java.exe



It deletes the following files:
   • %TEMPDIR%\tmp10.tmp
   • %TEMPDIR%\tmp11.tmp
   • %TEMPDIR%\tmp12.tmp
   • %TEMPDIR%\tmp13.tmp
   • %TEMPDIR%\tmp14.tmp
   • %TEMPDIR%\tmp15.tmp
   • %TEMPDIR%\tmp16.tmp
   • %TEMPDIR%\tmp17.tmp
   • %TEMPDIR%\tmp18.tmp
   • %TEMPDIR%\tmp19.tmp
   • %TEMPDIR%\tmp1A.tmp
   • %TEMPDIR%\tmp1B.tmp
   • %TEMPDIR%\tmp1C.tmp
   • %TEMPDIR%\tmp1D.tmp
   • %TEMPDIR%\tmp1E.tmp
   • %TEMPDIR%\tmp1F.tmp
   • %TEMPDIR%\tmp2.tmp
   • %TEMPDIR%\tmp20.tmp
   • %TEMPDIR%\tmp21.tmp
   • %TEMPDIR%\tmp22.tmp
   • %TEMPDIR%\tmp23.tmp
   • %TEMPDIR%\tmp24.tmp
   • %TEMPDIR%\tmp25.tmp
   • %TEMPDIR%\tmp26.tmp
   • %TEMPDIR%\tmp27.tmp
   • %TEMPDIR%\tmp28.tmp
   • %TEMPDIR%\tmp29.tmp
   • %TEMPDIR%\tmp2A.tmp
   • %TEMPDIR%\tmp2B.tmp
   • %TEMPDIR%\tmp2C.tmp
   • %TEMPDIR%\tmp2D.tmp
   • %TEMPDIR%\tmp2E.tmp
   • %TEMPDIR%\tmp2F.tmp
   • %TEMPDIR%\tmp3.tmp
   • %TEMPDIR%\tmp30.tmp
   • %TEMPDIR%\tmp31.tmp
   • %TEMPDIR%\tmp32.tmp
   • %TEMPDIR%\tmp33.tmp
   • %TEMPDIR%\tmp34.tmp
   • %TEMPDIR%\tmp35.tmp
   • %TEMPDIR%\tmp36.tmp
   • %TEMPDIR%\tmp37.tmp
   • %TEMPDIR%\tmp38.tmp
   • %TEMPDIR%\tmp39.tmp
   • %TEMPDIR%\tmp3A.tmp
   • %TEMPDIR%\tmp3B.tmp
   • %TEMPDIR%\tmp3C.tmp
   • %TEMPDIR%\tmp3D.tmp
   • %TEMPDIR%\tmp3E.tmp
   • %TEMPDIR%\tmp3F.tmp
   • %TEMPDIR%\tmp4.tmp
   • %TEMPDIR%\tmp40.tmp
   • %TEMPDIR%\tmp41.tmp
   • %TEMPDIR%\tmp42.tmp
   • %TEMPDIR%\tmp43.tmp
   • %TEMPDIR%\tmp44.tmp
   • %TEMPDIR%\tmp45.tmp
   • %TEMPDIR%\tmp46.tmp
   • %TEMPDIR%\tmp47.tmp
   • %TEMPDIR%\tmp48.tmp
   • %TEMPDIR%\tmp49.tmp
   • %TEMPDIR%\tmp4A.tmp
   • %TEMPDIR%\tmp4B.tmp
   • %TEMPDIR%\tmp4C.tmp
   • %TEMPDIR%\tmp4D.tmp
   • %TEMPDIR%\tmp4E.tmp
   • %TEMPDIR%\tmp4F.tmp
   • %TEMPDIR%\tmp5.tmp
   • %TEMPDIR%\tmp50.tmp
   • %TEMPDIR%\tmp51.tmp
   • %TEMPDIR%\tmp52.tmp
   • %TEMPDIR%\tmp53.tmp
   • %TEMPDIR%\tmp54.tmp
   • %TEMPDIR%\tmp55.tmp
   • %TEMPDIR%\tmp56.tmp
   • %TEMPDIR%\tmp57.tmp
   • %TEMPDIR%\tmp58.tmp
   • %TEMPDIR%\tmp59.tmp
   • %TEMPDIR%\tmp5A.tmp
   • %TEMPDIR%\tmp5B.tmp
   • %TEMPDIR%\tmp5C.tmp
   • %TEMPDIR%\tmp5D.tmp
   • %TEMPDIR%\tmp5E.tmp
   • %TEMPDIR%\tmp5F.tmp
   • %TEMPDIR%\tmp6.tmp
   • %TEMPDIR%\tmp60.tmp
   • %TEMPDIR%\tmp61.tmp
   • %TEMPDIR%\tmp62.tmp
   • %TEMPDIR%\tmp63.tmp
   • %TEMPDIR%\tmp64.tmp
   • %TEMPDIR%\tmp65.tmp
   • %TEMPDIR%\tmp66.tmp
   • %TEMPDIR%\tmp67.tmp
   • %TEMPDIR%\tmp68.tmp
   • %TEMPDIR%\tmp69.tmp
   • %TEMPDIR%\tmp6A.tmp
   • %TEMPDIR%\tmp6B.tmp
   • %TEMPDIR%\tmp6C.tmp
   • %TEMPDIR%\tmp6D.tmp
   • %TEMPDIR%\tmp6E.tmp
   • %TEMPDIR%\tmp6F.tmp
   • %TEMPDIR%\tmp7.tmp
   • %TEMPDIR%\tmp70.tmp
   • %TEMPDIR%\tmp71.tmp
   • %TEMPDIR%\tmp72.tmp
   • %TEMPDIR%\tmp73.tmp
   • %TEMPDIR%\tmp74.tmp
   • %TEMPDIR%\tmp75.tmp
   • %TEMPDIR%\tmp76.tmp
   • %TEMPDIR%\tmp77.tmp
   • %TEMPDIR%\tmp78.tmp
   • %TEMPDIR%\tmp79.tmp
   • %TEMPDIR%\tmp7A.tmp
   • %TEMPDIR%\tmp7B.tmp
   • %TEMPDIR%\tmp7C.tmp
   • %TEMPDIR%\tmp7D.tmp
   • %TEMPDIR%\tmp7E.tmp
   • %TEMPDIR%\tmp7F.tmp
   • %TEMPDIR%\tmp8.tmp
   • %TEMPDIR%\tmp80.tmp
   • %TEMPDIR%\tmp81.tmp
   • %TEMPDIR%\tmp82.tmp
   • %TEMPDIR%\tmp83.tmp
   • %TEMPDIR%\tmp84.tmp
   • %TEMPDIR%\tmp9.tmp
   • %TEMPDIR%\tmpA.tmp
   • %TEMPDIR%\tmpB.tmp
   • %TEMPDIR%\tmpC.tmp
   • %TEMPDIR%\tmpD.tmp
   • %TEMPDIR%\tmpE.tmp
   • %TEMPDIR%\tmpF.tmp



The following files are created:

– Temporary files that might be deleted afterwards: the same %TEMPDIR%\tmp*.tmp files listed above under "It deletes the following files".

   • %TEMPDIR%\zincite.log – a non-malicious text file that contains information about the program itself.
   • %TEMPDIR%\9qbwjuiS.log – a non-malicious text file that contains information about the program itself.

Registry

The following registry value is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "JavaVM"="%WINDIR%\java.exe"



The following registry value is re-added continuously, in an infinite loop, so that the process is run after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Services"="%WINDIR%\services.exe"



The following registry key is added:

[HKLM\SOFTWARE\Microsoft\Daemon]
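As an added host-triage check (not part of the Avira description or its tooling), the following PowerShell script looks for the file and registry indicators listed above. It assumes an elevated session, and that the worm's %TEMPDIR% is the current user's TEMP folder or %WINDIR%\Temp; other temp folders can be passed via -TempDirs.

```powershell
# Added host triage check for the indicators in this description.
# Assumes an elevated session; $env:TEMP may differ from the %TEMPDIR%
# the worm wrote to, so extra temp folders can be passed via -TempDirs.
param(
    [string[]]$TempDirs = @($env:TEMP, "$env:WINDIR\Temp")
)

$KnownMd5  = 'd6b8c39d2dde82f74671465d3303f0d8'      # MD5 from the description
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunNames  = @('JavaVM', 'Services')                 # values the worm adds
$DaemonKey = 'HKLM:\SOFTWARE\Microsoft\Daemon'
$LogNames  = @('zincite.log', '9qbwjuiS.log')
$findings  = @()

# 1. Dropped copy of the worm: %WINDIR%\java.exe (a legitimate JRE does not
#    normally place java.exe directly in the Windows folder)
$dropped = Join-Path $env:WINDIR 'java.exe'
if (Test-Path $dropped) {
    $md5 = (Get-FileHash -Path $dropped -Algorithm MD5).Hash.ToLower()
    $tag = if ($md5 -eq $KnownMd5) { 'MD5 matches' } else { "MD5 $md5, possible variant" }
    $findings += "file present: $dropped ($tag)"
}

# 2. Run-key persistence values
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($name in $RunNames) {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "run value '$name' = $($run.$name)"
    }
}

# 3. Marker key created by the worm
if (Test-Path $DaemonKey) { $findings += "registry key present: $DaemonKey" }

# 4. Log files the worm writes to its temp folder
foreach ($dir in $TempDirs) {
    foreach ($log in $LogNames) {
        $p = Join-Path $dir $log
        if (Test-Path $p) { $findings += "log file present: $p" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM/Mydoom.MA indicators found.'
} else {
    Write-Output 'Possible WORM/Mydoom.MA indicators (verify before acting):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A "Services" Run value alone is only a lead, since the name is generic; the hash match on %WINDIR%\java.exe is the strong indicator.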

Email

It contains an integrated SMTP engine in order to send spam emails. It establishes a direct connection with the destination mail server. The characteristics are described below:


From:
The sender address is spoofed.


To:
– Gathered addresses from the internet.


Subject:
One of the following:
   • DELIVERY FAILED
   • Delivery reports about your e-mail
   • Error
   • %receiver's email address%
   • Hello
   • HI
   • Mail System Error - Returned Mail
   • Message could not be delivered
   • Returned mail: Data format error
   • Returned mail: see transcript for details
   • status
   • Test

In some cases the subject might also be empty.


Body:
– In some cases it may contain random characters.


The body of the email is one of the following, or sometimes starts with one of the following:

   • The original message was received at Thu, 4 Mar 2010 02:10:20 -0800 from %sender's email address% [184.223.38.167]
     
     ----- The following addresses had permanent fatal errors -----
     %receiver's domain name from email address%
     

   • The message was not delivered due to the following reason:
     
     Your message could not be delivered because the destination server was
     not reachable within the allowed queue period. The amount of time
     a message is queued before it is returned depends on local configura-
     tion parameters.
     
     Most likely there is a network problem that prevented delivery, but
     it is also possible that the computer is turned off, or does not
     have a mail system running right now.
     
     Your message could not be delivered within 1 days:
     Host 215.174.141.118 is not responding.
     
     The following recipients could not receive this message:
     %receiver's email address%
     
     Please reply to postmaster@iana.org
     if you feel this message to be in error.

   • Dear user %sender's email address%,
     
     Your account was used to send a huge amount of unsolicited commercial e-mail messages during this week.
     Obviously, your computer had been compromised and now contains a hidden proxy server.
     
     We recommend that you follow instructions in order to keep your computer safe.
     
     Best regards,
     The %sender's domain name from email address% support team.


Attachment:
The filename of the attachment is one of the following:
   • attachment.zip
   • %receiver's email address%.com
   • %receiver's email address%.zip
   • %receiver's domain name from email address% .zip
   • document.zip
   • epilogue.com
   • file.zip
   • hp.com.zip
   • innocent.com
   • instruction.zip
   • mail.zip
   • message.cmd
   • message.zip
   • psg.com.zip
   • text.zip
   • tislabs.com.zip
   • transcript.bat
   • transcript.zip
   • zupt.zip

The attachment is an archive containing a copy of the malware itself.



The email may look like one of the following:




File details

Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Patrick Schoenherr on Thursday, July 22, 2010
Description updated by Patrick Schoenherr on Thursday, July 22, 2010
