Alias: Win32.Mydoom.1.Gen@mm (BitDefender), Net-Worm.Win32.Mytob.c (Kaspersky)
Type: Worm
Size: 48.766 bytes (UPX packed)
Origin:
Date: 03-02-2005
Damage:
VDF Version: 6.30.0.14
Danger: Low
Distribution: Medium

General Description
Affected platforms:
* Windows 2000
* Windows XP
* Windows 2003

Distribution
The worm takes advantage of the Windows LSASS vulnerability.

It harvests email addresses from files on the infected system and sends itself to them using its own SMTP engine.

The email sent by the worm has the following appearance:
SUBJECT: The subjects used by the worm to compose emails are stored in encrypted form.
They can be one of the following:
<%empty%>
<%random%>
Error
Status
STATUS
Server Report
SERVER REPORT
Mail Transaction Failed
Mail Delivery System
hello
HELLO
hi
HI
test
TEST

BODY: can be one of the following:
- <%empty%>
- <%random trash%>
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- test

ATTACHMENT:
The attachment file name is one of the following names:
<%random%>
doc
document
message
readme
text
hello
body
test
data
file

followed by one of these extensions:
cmd
bat
zip
pif
scr
exe
htm

The attachment name can also carry two of these extensions.
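The subject, body and attachment lists above can be turned directly into mail-gateway detection logic. The following is an added example (not Avira's code and not part of the original description): it matches a message's subject, body and attachment names against the lists, flags the double-extension trick, and returns a verdict. The constructed sample messages and the scoring thresholds are assumptions of this example.

```python
"""Heuristic matcher for the Mytob.c mail indicators listed above.

Added example, not Avira's code. The indicator sets are copied from the
description; the sample messages and verdict thresholds are assumptions.
"""
from typing import List

# Subjects exactly as listed; case matters because the worm uses both spellings.
WORM_SUBJECTS = {
    "Error", "Status", "STATUS", "Server Report", "SERVER REPORT",
    "Mail Transaction Failed", "Mail Delivery System",
    "hello", "HELLO", "hi", "HI", "test", "TEST",
}
WORM_BODIES = {
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "test",
}
ATTACHMENT_NAMES = {"doc", "document", "message", "readme", "text",
                    "hello", "body", "test", "data", "file"}
ATTACHMENT_EXTS = {"cmd", "bat", "zip", "pif", "scr", "exe", "htm"}


def attachment_indicators(filename: str) -> List[str]:
    """Return the indicators a single attachment file name triggers."""
    hits = []
    parts = filename.lower().split(".")
    base, exts = parts[0], parts[1:]
    if base in ATTACHMENT_NAMES:
        hits.append("attachment-name")
    worm_exts = [e for e in exts if e in ATTACHMENT_EXTS]
    if worm_exts:
        hits.append("attachment-extension")
    # The description notes the name may carry two of the listed extensions.
    if len(worm_exts) >= 2:
        hits.append("double-extension")
    return hits


def message_indicators(subject: str, body: str, attachments: List[str]) -> List[str]:
    """Collect every indicator a message triggers, in a stable order."""
    hits = []
    # An empty subject corresponds to the <%empty%> entry in the list.
    if subject.strip() == "" or subject in WORM_SUBJECTS:
        hits.append("subject")
    if body.strip() in WORM_BODIES:
        hits.append("body")
    for name in attachments:
        hits.extend(attachment_indicators(name))
    return hits


def verdict(hits: List[str]) -> str:
    """Assumed thresholds: three or more indicators is 'likely-worm'."""
    if len(hits) >= 3:
        return "likely-worm"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    # Constructed sample messages (not captured traffic).
    samples = [
        ("Mail Delivery System",
         "Mail transaction failed. Partial message is available.",
         ["message.htm.scr"]),
        ("Quarterly figures", "See attached.", ["figures.pdf"]),
    ]
    for subject, body, files in samples:
        hits = message_indicators(subject, body, files)
        print(f"{subject!r}: {verdict(hits)} {hits}")
```

Exact-match subjects such as "hi" or "test" also occur in legitimate mail, which is why the example reports a verdict only from the combination of indicators rather than from any single hit.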

If the DNS lookup for the recipient domain's mail server fails, the worm tries to guess the mail server by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.

It looks for email addresses in files with the following extensions:
wab
pl
adb
tbb
dbx
asp
php
sht
htm

The worm also forges the sender address ("From:" header) by combining one of the following names with a domain name:

sandra
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
alice
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
alex
john

It avoids sending itself to email addresses containing the following strings:

accoun
certific
listserv
ntivi
support
icrosoft
admin
page
the.bat
gold-certs
ca
feste
submit
not
help
service
privacy
somebody
no
soft
contact
site
rating
bugs
me
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
be_loyal:
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
hotmail
msn.
icrosof
syma
avp
.edu
-._!
-._!@
abuse
www
fcnz
spm

Technical Details
If the worm is executed, it creates the following entries in the Windows Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSA"="wfdmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LSA"="wfdmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LSA"="wfdmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"LSA"="wfdmgr.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"LSA"="wfdmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"LSA"="wfdmgr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LSA"="wfdmgr.exe"
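The registry entries above are the persistence indicators a responder would look for in a registry export from a suspect host. The following is an added example (not Avira's code): it parses a `reg export`-style text dump, reports the exact key/value/data combinations listed in the description, and separately flags autostart values whose data is a bare file name with no path, which is a weaker heuristic and an assumption of this example. The sample export is constructed.

```python
"""Find the Mytob.c registry persistence entries in a .reg-format export.

Added example, not Avira's code. SAMPLE_REG is a constructed export; the
key list and the "LSA"="wfdmgr.exe" value come from the description.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a fragment of a `reg export` dump from a suspect host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSA"="wfdmgr.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"LSA"="wfdmgr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00
"""

# Keys from the description, compared case-insensitively.
MYTOB_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
)}
MYTOB_VALUE_NAME = "lsa"
MYTOB_DATA = "wfdmgr.exe"

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: data}. Default (@=) values are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Quoted REG_SZ data: undo the .reg escaping of \ and ".
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_mytob_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Exact matches for the key/value/data triples listed in the description."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() not in MYTOB_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == MYTOB_VALUE_NAME and data.lower() == MYTOB_DATA:
                hits.append((key, name, data))
    return hits


def bare_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Assumed heuristic: Run/RunServices data with no path relies on the search path."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(("\\run", "\\runservices")):
            continue
        for name, data in values.items():
            if data and "\\" not in data and "/" not in data:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for hit in find_mytob_persistence(SAMPLE_REG):
        print("Mytob persistence:", hit)
    for hit in bare_run_entries(SAMPLE_REG):
        print("bare autostart entry:", hit)
```

On a live host the same checks apply to the output of `reg export` for each hive listed above; the parser only needs the text, so it can also be run against exports collected from several machines.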

It also creates the following files:
<%sysdir%>\wfdmgr.exe (copy of itself)
<%homedir%>\socks.exe (45.056 bytes)

The worm creates a mutex named "D66".

It tries to connect to the IRC server 205.209.164.201 (bleh.darkacidonline.us) on port 8080.
It also tries to join the channels #.ilovediablo.# diablo, using a random 15-character nickname.

The worm tries to download the file "socks.exe", but the download fails with a "404 not found" error message.
The socks.exe created in the worm's home directory therefore contains this error message rather than an executable.

It scans random hosts within the same /16 network (the same first 16 bits of the IP address) as the infected host. For this, it also listens on port 445/tcp (microsoft-ds).

It runs an FTP server on a random port.
When a client connects, the server sends the following banner:
Connected to <%computer name%>
220 StnyFtpd 0wns j0
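The IRC server, the 445/tcp sweep inside the host's own /16 and the FTP banner are the network-side indicators of this worm. The following is an added example (not Avira's code): it runs those three checks over a constructed connection log. The log format (ts,src,dst,dport,banner), the sample addresses and the threshold of 20 distinct 445/tcp targets per source are assumptions of this example; the IRC address, port and banner string come from the description.

```python
"""Detect the Mytob.c network indicators in a connection log.

Added example, not Avira's code. The log is constructed; the log format
and SCAN_THRESHOLD are assumptions of this example.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

IRC_SERVER = ("205.209.164.201", 8080)   # from the description
FTP_BANNER = "220 StnyFtpd 0wns j0"      # from the description
SCAN_THRESHOLD = 20                      # assumption: distinct 445/tcp targets per source


def build_sample_log() -> str:
    """Constructed connection log with columns ts,src,dst,dport,banner."""
    rows = ["ts,src,dst,dport,banner"]
    # Infected host 10.7.3.9 sweeps 25 hosts in its own /16 on 445/tcp.
    for i in range(25):
        rows.append(f"2005-03-02T10:00:{i:02d},10.7.3.9,10.7.{i}.{i + 1},445,")
    # The same host reaches the IRC server on port 8080.
    rows.append("2005-03-02T10:01:00,10.7.3.9,205.209.164.201,8080,")
    # A 445/tcp connection outside the /16 is not counted towards the sweep.
    rows.append("2005-03-02T10:01:05,10.7.3.9,10.9.1.1,445,")
    # Ordinary file-share access from another host: one target, below threshold.
    rows.append("2005-03-02T10:01:10,10.7.4.4,10.7.1.50,445,")
    # A client connects to the worm's FTP server and records its banner.
    rows.append(f"2005-03-02T10:02:00,10.7.200.5,10.7.3.9,3210,{FTP_BANNER}")
    return "\n".join(rows) + "\n"


def parse_log(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def same_slash16(a: str, b: str) -> bool:
    """True when both addresses share their first 16 bits."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/16", strict=False)


def detect(records: List[dict]) -> Dict[str, object]:
    irc_sources: List[str] = []
    targets: Dict[str, set] = defaultdict(set)
    ftp_hosts: List[str] = []
    for r in records:
        dport = int(r["dport"])
        # 1. Outbound connection to the worm's IRC server.
        if (r["dst"], dport) == IRC_SERVER and r["src"] not in irc_sources:
            irc_sources.append(r["src"])
        # 2. Distinct 445/tcp targets inside the source's own /16.
        if dport == 445 and same_slash16(r["src"], r["dst"]):
            targets[r["src"]].add(r["dst"])
        # 3. The worm's FTP banner identifies the infected server (the dst).
        if r["banner"].strip() == FTP_BANNER and r["dst"] not in ftp_hosts:
            ftp_hosts.append(r["dst"])
    scanners = {src: len(d) for src, d in targets.items() if len(d) >= SCAN_THRESHOLD}
    return {"irc_c2": irc_sources, "scanners": scanners, "ftp_banner_hosts": ftp_hosts}


if __name__ == "__main__":
    findings = detect(parse_log(build_sample_log()))
    for kind, value in findings.items():
        print(f"{kind}: {value}")
```

The IRC address is the most specific indicator but also the most perishable, so the /16 sweep count, which follows from the spreading behaviour rather than a fixed address, is the check worth keeping once the server is gone.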
Description inserted by Crony Walker on Tuesday, June 15, 2004
