|
|
I-Worm.Mydoom. Viruses Information
| Name: |
I-Worm.Mydoom. |
| Category: |
Viruses |
| Description:
|
Details
I-Worm.Mydoom.e
This worm has also been called Mydoom.F, and is a modification of Mydoom.a.
It spreads via the Internet as a file attached to infected messages. The worm is a PE EXE file of 33KB or slightly larger, packed using UPX. The unpacked file is approximately 55KB in size. The worm is also able to send itself as a ZIP archive.
The worm is only activated if the user opens the archive and launches the infected file, by clicking twice on the attachment. The worm then installs itself on the systems and starts propagation.
The worm includes a backdoor function, and is programmed to carry out DoS attacks on www.microsoft.com and www.riaa.com
Everything points to this worm not being an original creation, but a separate version which has been created around the orignal source code of Mydoom.a. Part of the original code is present in this version, even though it serves no useful function.
Installation
Once launched, the worm may display a fake error message on the screen: 'File is corrupted,' 'File cannot be opened,' or 'Unable to open specified file'.
The worm may also create a file in the temporary system directory. This file contains a random selection of characters, and the worm may open it using Notepad.
It also creates a mutex 'jmydoat name of infected computer Xmtx' to flag its presence in the system.
When installing, the worm copies itself under a random name to the Windows system directory and registers this file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
random characters = "%System%name of worm file
The worm then searchs all accessible disks from C: to Z: and copies itself under random names to all disks which it finds which include the words
shar
startup
start
in the name.
The worm creates a file with a random name and .dll extension in the Windows system directory. This file is 9724 bytes in size, and is the backdoor component, which is intended to open a backdoor on port 1080 and act as a proxy server.
The worm creates several copies of itself as ZIP archives in the Windows root directory. These files are then used to send mass emails. In order to flag its presence in the system, the worm also creates several additional keys in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionShell HKCUSoftwareMicrosoftWindowsCurrentVersionShell
Sending of email
In order to send copies of itself, the worm searches all accessible disks from C: to Z: for files with the following extensions:
wab
mbx
nch
mmf
ods
rtf
uin
oft
mht
vbs
msg
pl
eml
adb
tbb
dbx
asp
php
sht
htm
txt
It then sends itself to all email addresses found in these files.
Infected emails have the following characteristics:
Sender's address: any address found on the infected machine, or chosen from the following list
jerry
bill
smith
jim
sam
james
alex
A random selection of characters may also be used. In this case, after the @ symbol in the sender's address, one of the following domains will be used:
aol.com
msn.com
yahoo.com
hotmail.com
edu
Message header: (chosen at random)
hello
hi
Announcement
read now!
forget
bug
unknown
fake
Wanted
recent news
news
stolen
Attention
Accident
Schedule
Re: Thank you
Thank you
Re: Details
Details
Re: Approved
Approved
hi, it's me
Important
Readme
Read this message
please read
please reply
Thank You very very much
You use illegal File Sharingall
Your IP was logged
Your account is about to be expired
Love is
Love is...
Undeliverable message
Re:
Your order was registered
Your request was registered
Your order is being processed
Your request is being processed
Current Status
Your credit card
Read it immediately!
Read this
Read it immediately
Something for you
For you
For your information
Information
Warning
You have 1 day left
automatic notification
automatic responder
Notification
Expired account
Your account has expired
Registration confirmation
Confirmation
Confirmation Required
Returned Mail
Message body: (chosen at random)
Greetings
See you
Here it is
You are bad
Take it
Reply
Please, reply
Okay
OK
Everything ok?
Check the attached document.
The document was sent in compressed format.
Please see the attached file for details
See the attached file for details
Details are in the attached document. You need Microsoft Office to open it. Information about you
We have received this document from your e-mail.
Kill the writer of this document!
Something about you
I have your password :)
You are a bad writer
Is that yours?
Is that from you?
I wait for your reply.
Here is the document.
Read the details.
I'm waiting
Attachment name: (chosen at random)
body
message
test
data
file
text
readme
document
doc
msg
photo
resume
image
object
website
friend
jokes
joke
approved
paypal
disc
misc
part3
part2
part4
part1
mail2
list
mail
story
about
money
check
product
notes
your_document
note
information
textfile
posting
post
stuff
attachment
creditcard
details
or a selection of random characters.
The attached file has one of the following extensions:
exe
scr
com
pif
bat
cmd
zip
and a second extension from the following list:
doc
htm
rtf
xls
jpg
gif
png
txt
exe
pif
scr
DoS attacks
If the system date is showing between the 17th and the 22nd of the month, there is a 60% that the worm will carry out a DoS attack on www.microsoft.com and a 30% chance that it will carry out a DoS attack on www.riaa.com. Mydoom.e will perform DoS attacks in exactly the same way as the other versions of Mydoom did, by sending multiple GET requests to port 80 of the site under attack.
Deletion of files
The worm searches all accessible disks from C: to Z: for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp and uses a random number generator to determine which files with these extensions should be deleted.
Other
The worm searches memory for processes containing the following text:
reged
taskmo
taskmg avp.
avp32
norton
navapw
navw3
intrena
mcafe
and attempts to stop them. |
Top Viruses Visited Pages:
Invader. - 241 visits
not-a-virus:RiskWare.Tool.RegPatch. - 73 visits
Worm.P2P.Harex. - 67 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win32.Hidra - 43 visits
Win16.Klon.1177 - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
Macro.Word.Greenpeac
ID.16
Wawah.78
Asahi Famil
Carioca.95
Macro.Word.Meldun
Macro.Word.Hade
Squad.129
MutaGen-based viruse
Lenin.94
|
|
