Date discovered: 19/07/2004
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 78.756 Bytes
MD5 checksum: a3026f698ac9b0c575f7ac39f1082e01
VDF version:

General methods of propagation:
   • Email
   • Peer to Peer

Aliases:
   •  Symantec: W32.Mydoom.L@mm
   •  Mcafee: W32/Mydoom.n@MM
   •  Kaspersky: Email-Worm.Win32.Mydoom.m
   •  TrendMicro: WORM_MYDOOM.L
   •  Sophos: W32/MyDoom-N
   •  Grisoft: I-Worm/Mydoom.N
   •  VirusBuster: I-Worm.Mydoom.Q
   •  Eset: Win32/Mydoom.Q
   •  Bitdefender: Win32.Mydoom.L@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\lsass.exe

The following file is created:

– A file that contains collected email addresses:
   • %TEMPDIR%\%random character string%.txt

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • "Traybar" = "%WINDIR%\lsass.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

Sender of emails:
The sender address is spoofed; it is a generated address. Please do not assume that it was the sender's intention to send this email to you. The apparent sender might not know about the infection, or might not be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

Recipients of emails:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

Subject of emails:
One of the following:
   • say helo to my litl friend
   • click me baby, one more time
   • hello
   • hi
   • error
   • status
   • test
   • report
   • delivery failed
   • Message could not be delivered
   • Mail System Error - Returned Mail
   • Delivery reports about your e-mail
   • Returned mail: see transcript for details
   • Returned mail: Data format error

Furthermore the subject line could contain random letters.

The body of the email is one of the following:

   • The original message was included as attachment

   • This Message was undeliverable due to the following reason:
     Your message was not delivered because the destination computer was
     not reachable within the allowed queue period. The amount of time
     a message is queued before it is returned depends on local configura-
     tion parameters.
     Most likely there is a network problem that prevented delivery, but
     it is also possible that the computer is turned off, or does not
     have a mail system running right now.
     Your message was not delivered within %several random digits% days:
     Host %random IP address% is not responding.
     The following recipients did not receive this message:
     %receiver's email address%
     Please reply to postmaster@%sender's domain%
     if you feel this message to be in error.

   • The original message was received at Tue, %current date% %current hour%
     from %recipient's domain% [%random IP address%]
     ----- The following addresses had permanent fatal errors -----
     %receiver's email address%
     ----- Transcript of session follows -----
      while talking to %recipient's domain%.:
     >>> MAIL From:%sender's email address%
     <<< 501 %sender's email address%... Refused

   • The original message was received at Tue, %current date% %current hour%
     from %recipient's domain% [%random IP address%]
     ----- The following addresses had permanent fatal errors -----
     %receiver's email address%

The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • readme
   • transcript
   • mail
   • letter
   • file
   • text
   • attachment
   • document
   • message

– The file extension is one of the following:
   • bat
   • cmd
   • com
   • exe
   • pif
   • scr
   • zip

The attachment is either a copy of the malware itself or an archive containing a copy of the malware itself.

The email looks like the following:

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
   • doc
   • txt
   • htm
   • html

Address generation for FROM field:
To generate addresses it uses the following strings:
   • Postmaster
   • Mail Administrator
   • Automatic Email Delivery Software
   • Post Office
   • The Post Office
   • Bounced mail
   • Returned mail
   • Mail Delivery Subsystem
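As an added example (not part of the Avira description), the following Python mail-triage rule checks a parsed message against the e-mail indicators listed above: the subject lines, the attachment-name construction (prefix plus an executable or zip extension) and the bounce-style display names the worm uses for the spoofed From field. The sample messages are constructed, and the quarantine threshold (attachment match plus one further indicator) is an assumption.

```python
"""Mail-triage rule for the Mydoom variant described above.

Added example, not part of the Avira description. It scores a parsed
message against the e-mail indicators listed in the description
(subject lines, attachment-name construction, bounce-style From display
names) and runs on constructed sample messages so it works offline.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Iterator, List

# Indicators copied from the description (lower-cased for comparison).
SUBJECTS = {
    "say helo to my litl friend", "click me baby, one more time", "hello",
    "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
ATTACH_PREFIXES = ("readme", "transcript", "mail", "letter", "file", "text",
                   "attachment", "document", "message")
ATTACH_EXTS = ("bat", "cmd", "com", "exe", "pif", "scr", "zip")
FROM_NAMES = ("postmaster", "mail administrator",
              "automatic email delivery software", "post office",
              "the post office", "bounced mail", "returned mail",
              "mail delivery subsystem")

# Attachment name: one of the prefixes, optionally more characters, then
# a dot and one of the extensions (e.g. transcript.scr, readme.zip).
ATTACH_RE = re.compile(
    r"^(?:" + "|".join(ATTACH_PREFIXES) + r")[\w.-]*\.(?:"
    + "|".join(ATTACH_EXTS) + r")$",
    re.IGNORECASE,
)


def attachment_names(msg: Message) -> Iterator[str]:
    """Yield the filename of every MIME part that declares one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def score(msg: Message) -> List[str]:
    """Return the indicators matched by this message (empty list = none)."""
    hits: List[str] = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")
    sender = (msg.get("From") or "").lower()
    if any(name in sender for name in FROM_NAMES):
        hits.append("from-display-name")
    for name in attachment_names(msg):
        if ATTACH_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def triage(raw: str) -> List[str]:
    """Parse raw RFC 822 text and return the matched indicators."""
    return score(message_from_string(raw))


def is_suspect(raw: str) -> bool:
    """Quarantine rule (assumed threshold): an attachment matching the
    worm's naming scheme plus at least one other indicator."""
    hits = triage(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


# Constructed sample messages (not real captures).
SAMPLE_WORM = """From: "Mail Delivery Subsystem" <postmaster@example.invalid>
To: victim@example.invalid
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as attachment
--b1
Content-Type: application/octet-stream; name="transcript.scr"
Content-Disposition: attachment; filename="transcript.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_BENIGN = """From: "Alice" <alice@example.invalid>
To: bob@example.invalid
Subject: status
Content-Type: text/plain

Build is green.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw), "suspect" if is_suspect(raw) else "ok")
```

A subject alone is a weak signal, since plain words such as "hi" or "status" occur in legitimate mail, so the rule only flags a message when an attachment matching the worm's naming scheme coincides with at least one other indicator; on a gateway, feed it the raw text of each message.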

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • .gov; .mil; abus; accoun; admi; anyone; arin.; avp; bar.; bug;
      contact; crosoft; domain; example; feste; foo.; gmail; gnu.;
      gold-certs; google; gov.; help; hotmail; info; labs; listserv; master;
      math; microsoft; msn.; nobody; noone; not; nothing; ntivi; ophos;
      page; panda; privacycertific; rarsoft; rating; ripe.; root; sample;
      sarc.; seclist; secur; service; sf.net; site; soft; someone;
      sourceforge; spam; spersk; spm; submit; suppor; syma; the.bat; update;
      uslis; winzip; you; your

Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • mx.
   • mail.
   • smtp.

P2P
In order to infect other systems in the Peer to Peer network community the following action is performed:

It searches for directories that contain one of the following substrings:
   • incoming
   • ftproot
   • download
   • shar

   If successful, the following files are created:
   • Kazaa Lite
   • Harry Potter
   • ICQ 4 Lite
   • WinRAR.v.3.2.and.key
   • Winamp 5.0 (en) Crack
   • Winamp 5.0 (en)

   These files are copies of the malware itself.

Process termination
Processes containing one of the following window class names are terminated:
   • IEFrame
   • ATH_Note
   • rctrl_renwnd32

Backdoor
The following port is opened:

The executed file (%malware execution directory%\%executed file%) opens TCP port 1042 in order to provide backdoor capabilities.
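As an added example that is not part of the Avira description, the following Python script evaluates a host snapshot against the host-side indicators given under Files, Registry, P2P and Backdoor above: a Run value named Traybar pointing at lsass.exe, a copy of lsass.exe directly in %WINDIR% (the legitimate binary lives in %WINDIR%\System32), copies bearing the listed bait names under share-like directories, and a listener on TCP port 1042. The snapshot dictionaries are constructed; %WINDIR% is assumed to be C:\WINDOWS, and the bait-name check ignores the file extension because the description does not state one.

```python
"""Host-indicator sweep for the Mydoom variant described above.

Added example, not taken from the Avira description. It scores a host
"snapshot" (Run-key values, file paths, listening TCP ports) against the
indicators listed under Files, Registry, P2P and Backdoor. The snapshot
dictionaries are constructed; on a real host they would come from a
registry export, a directory walk and the output of netstat.
"""
import ntpath
from typing import Any, Dict, List

WINDIR = r"C:\WINDOWS"   # assumption: value of %WINDIR% on this host
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Traybar"    # value name used by the worm
P2P_DIR_HINTS = ("incoming", "ftproot", "download", "shar")
P2P_NAMES = ("Kazaa Lite", "Harry Potter", "ICQ 4 Lite",
             "WinRAR.v.3.2.and.key", "Winamp 5.0 (en) Crack", "Winamp 5.0 (en)")
BACKDOOR_PORT = 1042


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Flag a Run value named Traybar whose data points at an lsass.exe."""
    return [f"{RUN_KEY}\\{name} = {data}"
            for name, data in run_values.items()
            if name.lower() == RUN_VALUE.lower()
            and data.lower().endswith("\\lsass.exe")]


def check_lsass_location(paths: List[str]) -> List[str]:
    """The real lsass.exe lives in %WINDIR%\\System32; a copy directly in
    %WINDIR% is the drop location the description gives."""
    hits = []
    for path in paths:
        head, tail = ntpath.split(path)
        if tail.lower() == "lsass.exe" and head.lower() == WINDIR.lower():
            hits.append(path)
    return hits


def check_p2p_copies(paths: List[str]) -> List[str]:
    """Flag files with one of the bait names inside a share-like directory.
    The extension is ignored because the description does not state one."""
    hits = []
    for path in paths:
        head, tail = ntpath.split(path)
        stem, _ext = ntpath.splitext(tail)
        if stem in P2P_NAMES and any(h in head.lower() for h in P2P_DIR_HINTS):
            hits.append(path)
    return hits


def check_listener(listening_tcp: List[int]) -> List[str]:
    """Flag the backdoor port; confirm on the host which image owns it."""
    return [f"TCP/{port} listening" for port in listening_tcp
            if port == BACKDOOR_PORT]


def sweep(snapshot: Dict[str, Any]) -> List[str]:
    """Run every check and return the combined list of findings."""
    findings: List[str] = []
    findings += check_run_key(snapshot["run_values"])
    findings += check_lsass_location(snapshot["files"])
    findings += check_p2p_copies(snapshot["files"])
    findings += check_listener(snapshot["listening_tcp"])
    return findings


# Constructed snapshots (not real data).
INFECTED = {
    "run_values": {"Traybar": r"C:\WINDOWS\lsass.exe",
                   "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [r"C:\WINDOWS\lsass.exe",
              r"C:\WINDOWS\system32\lsass.exe",
              r"C:\Program Files\Kazaa\My Shared Folder\Winamp 5.0 (en) Crack.exe",
              r"C:\Users\Public\Downloads\Harry Potter.exe"],
    "listening_tcp": [135, 445, 1042],
}
CLEAN = {
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [r"C:\WINDOWS\system32\lsass.exe"],
    "listening_tcp": [135, 445],
}

if __name__ == "__main__":
    for finding in sweep(INFECTED):
        print("finding:", finding)
    print("clean host findings:", sweep(CLEAN))
```

The lsass.exe check compares the parent directory, not just the file name, because a process or file called lsass.exe is expected on every Windows host; only the copy outside System32 is an indicator. The port check is a hint rather than proof, so pair it with the owning process before acting on it.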

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Irina Boldea on Tuesday, 28 February 2006
Description updated by Robert Harja Iliescu on Tuesday, 5 September 2006
