Worm/Mydoom.AS.1 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Mydoom.AS.1
Date discovered:	27/04/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium to high
Damage Potential:	Low
Static file:	Yes
File size:	86.637 Bytes
MD5 checksum:	06ad8f6017e0d638481d877af8881e4f
VDF version:	6.30.00.141 - Wed, 27 Apr 2005 21:03 (GMT+1)
IVDF version:	6.30.00.141 - Wed, 27 Apr 2005 21:03 (GMT+1)

General Methods of propagation:
   • Email
   • Peer to Peer

Aliases:
   • Mcafee: W32/Mydoom.bn@MM
   • Kaspersky: Email-Worm.Win32.Mydoom.as
   • TrendMicro: WORM_MYDOOM.AQ
   • F-Secure: Email-Worm.Win32.Mydoom.as
   • Sophos: W32/MyDoom-BN
   • Panda: W32/Mydoom.BJ.worm
   • Grisoft: I-Worm/Mydoom
   • VirusBuster: I-Worm.Mydoom.BJ
   • Eset: Win32/Mydoom.BC
   • Bitdefender: Win32.Worm.Mydoom.BJ

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Registry modification

Right after execution it runs a windows application which will display the following window:

Files It copies itself to the following location:
• %SYSDIR%\taskmon.exe

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• TaskMon="%SYSDIR%\taskmon.exe"

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• TaskMon="%SYSDIR%\taskmon.exe"

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses

Subject:
One of the following:
   • Oi a quanto tempo... =)
   • Eu nao ti vejo a muito tempo.
   • Duvido voce me reconher =)
   • Voce me reconhece??
   • Saudades de voce!!!
   • lembra de mim??
   • estou longe!!
   • Eu te amo

Body:
The body of the email is the following:
   • Ola, a quanto tempo! Eu me mudei dai para os Estados Unidos, e faz um tempo que perdemos o contato e consegui seu email atraves de uma amiga sua. Vamos fazer assim, eu vou lhe mandar meu album de fotos se voce me reconhecer, me retorna o email. Quero ver se voce ainda lembra de mim. :)

Attachment:
The filename of the attachment is one of the following:
   • album
   • fotografia
   • fotos
   • album_de_foto
   • minhas_fotos

    The file extension is one of the following:
   • bat
   • cmd
   • exe
   • scr
   • pif
   • zip

The attachment is a copy of the malware itself.

The email looks like the following:

Mailing Search addresses:
It searches the following files for email addresses:
   • wab
   • adb
   • tbb
   • dbx
   • php
   • sht
   • htm
   • tmp

Address generation for TO and FROM fields:
To generate addresses it uses the following strings:
   • joao; alex; michel; michele; james; marcos; felipe; davi; george;
      samuel; andre; andreia; jose; leonardo; maria; georgia; bernardo;
      sergio; joana; luis; raimundo; tom; patricia; roberto; roberta;
      tercio; fernando; daniela; diego; steve; fernanda; luisa; adriana;
      bruno; david; samanta; fred; rafael; luiza; afonso; breno; alice; ana;
      brenda; claudia; marcela; debora; helen; helena; simone; lucas;
      juliana; adriano; sandra; sandro; barbara; bruna; rafaela

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • -._!@; -._!; avp; syma; icrosof; msn.; panda; sopho; borlan; inpris;
      example; mydomai; nodomai; ruslis; berkeley; unix; math; bsd; mit.e;
      gnu; fsf.; ibm.com; google; kernel; linux; fido; usenet; iana; ietf;
      rfc-ed; sendmail; arin.; ripe.; isi.e; isc.o; secur; acketst; pgp;
      tanford.e; utgers.ed; mozilla; be_loyal:; root; info; samples;
      postmaster; webmaster; noone; nobody; nothing; anyone; someone; your;
      you; me; bugs; rating; site; contact; soft; no; somebody; privacy;
      service; help; not; submit; feste; ca; gold-certs; the.bat; page;
      abuse; admin; lista; icrosoft; support; ntivi; listserv; certific;
      accoun; spm; fcnz; www

Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mx1.
   • smtp.
   • mail.
   • mx.

P2P In order to infect other systems in the Peer to Peer network community the following action is performed:   It retrieves the shared folder by querying the following registry key:
   • Software\Kazaa\Transfer

   If successful, the following files are created:
   • activation_crack.exe; icq2004-final.exe; nuke2004.exe;
      office_crack.exe; rootkitXP.exe; strip-girl-2.0bdcom_patches.exe;
      winamp5.exe; activation_crack.bat; icq2004-final.bat; nuke2004.bat;
      office_crack.bat; rootkitXP.bat; strip-girl-2.0bdcom_patches.bat;
      winamp5.bat; activation_crack.pif; icq2004-final.pif; nuke2004.pif;
      office_crack.pif; rootkitXP.pif; strip-girl-2.0bdcom_patches.pif;
      winamp5.pif; activation_crack.scr; icq2004-final.scr; nuke2004.scr;
      office_crack.scr; rootkitXP.scr; strip-girl-2.0bdcom_patches.scr;
      winamp5.scr; ;

   These files are copies of the malware itself.

Miscellaneous Mutex:
It creates the following Mutex:
• SwebSipcSmtxS0

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Ana Maria Niculescu on Thu, 04 Oct 2007 16:10 (GMT+1)
Description updated by Ana Maria Niculescu on Tue, 09 Oct 2007 08:28 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back