Virus:WORM/Mydoom.O.1
Date discovered:28/04/2011
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:28.864 Bytes
MD5 checksum:81c59761451fc137ff0c253a5141610d
VDF version:7.11.07.62 - Thursday, April 28, 2011
IVDF version:7.11.07.62 - Thursday, April 28, 2011

 General Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Mydoom.M@mm
   •  Mcafee: W32/Mydoom.o@MM
   •  Kaspersky: Email-Worm.Win32.Mydoom.m
   •  Sophos: W32/MyDoom-O
   •  Microsoft: Worm:Win32/Mydoom.O@mm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\java.exe



The following files are created:

%WINDIR%\services.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
%TEMPDIR%\allja3.log This file contains collected information about the system.
%TEMPDIR%\zincite.log This file contains collected information about the system.

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "JavaVM"="%WINDIR%\java.exe"
   •

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Services"="%WINDIR%\services.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


To:
– Gathered addesses by contacting search engines

 Backdoor The following port is opened:

– services.exe on TCP port 1034 in order to provide backdoor capabilities.

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Ilie on donderdag 26 mei 2011
Description updated by Andrei Ilie on maandag 30 mei 2011

Terug . . . .

© 2013 Avira Operations GmbH & Co. KG. Alle rechten voorbehouden.

Mijn Account

https:// Dit venster is voor uw veiligheid gecodeerd.