Date discovered:28/04/2011
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:28.864 Bytes
MD5 checksum:81c59761451fc137ff0c253a5141610d
VDF version:
IVDF version:

 General Method of propagation:
   • Email

   •  Symantec: W32.Mydoom.M@mm
   •  Mcafee: W32/Mydoom.o@MM
   •  Kaspersky: Email-Worm.Win32.Mydoom.m
   •  Sophos: W32/MyDoom-O
   •  Microsoft: Worm:Win32/Mydoom.O@mm

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\java.exe

The following files are created:

%WINDIR%\services.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
%TEMPDIR%\allja3.log This file contains collected information about the system.
%TEMPDIR%\zincite.log This file contains collected information about the system.

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "JavaVM"="%WINDIR%\java.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Services"="%WINDIR%\services.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

– Gathered addesses by contacting search engines

 Backdoor The following port is opened:

– services.exe on TCP port 1034 in order to provide backdoor capabilities.

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

説明の挿入者 Andrei Ilie の 2011年5月26日木曜日
説明の更新者 Andrei Ilie の 2011年5月30日月曜日

戻る . . . .