
Win32.Mydoom.V@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Mydoom.V@mm is also known as N/A.

Explanation:

This is a mass-mailer that also drops a backdoor. The file is downloaded from one of the following URLs:
"http://www.llc.unibo.it"
"http://www.surrenderzeeland.nl"
"http://www.mercyships.de"
"http://www.hiw.kuleuven.ac.be"
"http://www.ach.ch"
"http://vugs.geog.uu.nl"
"http://www.planetboredom.net"

and is saved to a temporary file (with a temporary name). This file's size is 234496 bytes.

It seems that there are more versions of this worm, which are just recompilations of the same source.

The worm creates a mutex called 'qwedefacedRDE'. It uses threads to search for e-mail addresses
in files with the following extensions: wab, xls, vbs, uin, txt, tbb, stm, sht, php, msg, mht, jsp, htm, eml, dht, dbx, cgi, cfg, asp.

It sends mail using its own SMTP engine. The mails it uses to spread have the following characteristics:

From: spoofed address (usually from one of the following domains):
"cox.net"
"yahoo.com"
"msn.com"
"yahoo.co.uk"
"t-online.de"
"gmx.net"
"hotmail.com"
"aol.com"
"mail.com"
"dailymail.co.uk"

Subject:
"hello"
"here"
"hi"
"Hi!"
"important"
"Information"
"my"
"News"
"Notice again"
"Private document"
"Re: Hello"
"Re: Hi"
"Re: Message"
"Re: Proof of concept"
"Re: Question"
"Re: Status"
"Re: Your document"
"read it immediately"
"Thank you!"
"thanks!"
"You win!"

Body:
"Can you confirm it?"
"For further details see the attachment."...
"For more details see the attachment."
"Monthly news report."
"Please answer quickly!"
"Please confirm!"
"Please read the attached file!"
"Please read the document."
"Please see the attached file for detail"...
"Thanks!"
"Waiting for a Response. Please read the"...
"Your archive is attached."
"Your requested mail has been attached."
"I have attached document."
"Please confirm the document."
"Please read the attached file."
"Please read the important document."
"See attached file for details."
"See the file."
"lol!"
The body may also contain a string claiming that the mail was scanned and found clean ("Attachment: No Virus found"),
followed by one of:
"Norton AntiVirus - www.symantec.de"
"F-Secure AntiVirus - www.f-secure.com"
"Norman AntiVirus - www.norman.com"
"Panda AntiVirus - www.pandasoftware.com"
"Kaspersky AntiVirus - www.kaspersky.com"
"MC-Afee AntiVirus - www.mcafee.com"
"Bitdefender AntiVirus - www.bitdefender.com"
"MessageLabs AntiVirus - www.messagelabs.com"

Attachment:
"document.doc .pif"
"doc.doc .pif"
"mesg.doc .pif"
"report.doc .pif"
"review.doc .pif"
"bill.doc .pif"
"doc.rtf .pif"
"mesg.rtf .pif"
"report.rtf .pif"
"review.rtf .pif"
"bill.rtf .pif"
"doc.txt .pif"
"mesg.txt .pif"
"report.txt .pif"
"review.txt .pif"
"bill.txt .pif"
"rep.txt .pif"
"Message.html .pif"
"document.zip"
"doc.zip"
"report.zip"
"new.zip"
"doc.zip"
"bill.zip"
"data.zip"
"details.zip"
"file.zip"
"info.zip"
"information.zip"
"letter.zip"
"message,.zip"
"file.exe"
"game.exe"
"photo.exe"
"pic.exe"
"new.exe"
"patch.exe"
"antivirus.exe"
"fun.scr"
"lol.scr"

Last update 21 November 2011
