
Win32.MyDoom.S@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.MyDoom.S@mm is also known as I-Worm.Mydoom.q (KAV).

Explanation:

spreads via email, attached under the name "photos_arc.exe"; the subject of the email is "Photos", the body is "LOL!;))))" and the sender address is spoofed

it avoids sending itself to email addresses that contain certain sub-strings

downloads a file from the following addresses, saves it as "winvpn32.exe" and executes it:
http://www.xxxxxxxxxx.com/ispy.1.jpg
http://www.xxxxxxxxxx.com/coco3.jpg
http://www.xxxxxxxxxx.com/guestbook/temp/temp587.gif
http://xxxxxxxxxxx.com/guestbook/temp/temp728.gif

the downloaded file is Backdoor.Surila, a component with stealth capabilities that makes it invisible in the process list and on the hard drive

when the download of the backdoor component is successful, the following registry key is added as a marker: "HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX" set to "1"

checks for the mutex "43jfds93872" in order to avoid reinfection

copies itself to "%system%\winpsd.exe" and "%windows%\nasor38a.dll"

adds to the startup registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" the value "winpsd", which points to "%system%\winpsd.exe"
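As an added example (not BitDefender's or malwarePDF's code), the following Python checks a host artifact snapshot and an email against the markers listed in this description: the Run value, the download marker, the mutex, the dropped file names and the mail lure. The HostSnapshot layout, the function names and the sample records are this example's own constructed data, not a real collection API; because the description does not say whether "InstaledFlashhMX" is a value under the Internet Explorer key or a subkey, the check looks at both.

```python
"""Check constructed host and mail artifacts against the Win32.MyDoom.S@mm
markers listed in the description above.

Added example, not BitDefender's or malwarePDF's code. The indicator
strings come from the description; the snapshot layout, the function
names and the sample records are this example's own (constructed).
"""
import ntpath
from dataclasses import dataclass, field

# Host markers from the description.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winpsd"                      # points to %system%\winpsd.exe
IE_KEY = r"HKCU\SOFTWARE\Microsoft\Internet Explorer"
MARKER_VALUE = "InstaledFlashhMX"        # set to "1" once the backdoor is fetched
MUTEX = "43jfds93872"
# Dropped/downloaded file names; the DLL is matched on its tail because the
# description's listing splits that name at the path separator.
FILE_NAMES = ("winpsd.exe", "winvpn32.exe")
DLL_TAIL = "asor38a.dll"

# Mail lure from the description.
LURE_SUBJECT = "Photos"
LURE_BODY = "LOL!;))))"
LURE_ATTACHMENT = "photos_arc.exe"


@dataclass
class HostSnapshot:
    """Minimal view of a host: registry as key -> {value name: data},
    file paths, and named mutexes (constructed layout, not a real API)."""
    registry: dict = field(default_factory=dict)
    files: set = field(default_factory=set)
    mutexes: set = field(default_factory=set)


def _reg_get(registry, key, value):
    """Case-insensitive lookup, because registry paths and names are."""
    for k, values in registry.items():
        if k.lower() == key.lower():
            for v, data in values.items():
                if v.lower() == value.lower():
                    return data
    return None


def check_host(snap):
    """Return a list of human-readable hits for the host markers."""
    hits = []
    data = _reg_get(snap.registry, RUN_KEY, RUN_VALUE)
    if data and ntpath.basename(data).lower() == "winpsd.exe":
        hits.append(f"run key value {RUN_VALUE} -> {data}")
    # The description does not say whether the marker is a value under the
    # Internet Explorer key or a subkey's default value, so check both.
    marker = _reg_get(snap.registry, IE_KEY, MARKER_VALUE)
    if marker is None:
        marker = _reg_get(snap.registry, IE_KEY + "\\" + MARKER_VALUE, "")
    if marker == "1":
        hits.append(f"backdoor-download marker {MARKER_VALUE} = 1")
    if MUTEX in snap.mutexes:
        hits.append(f"mutex {MUTEX} present")
    for path in sorted(snap.files):
        name = ntpath.basename(path).lower()
        if name in FILE_NAMES or name.endswith(DLL_TAIL):
            hits.append(f"dropped file {path}")
    return hits


def check_email(subject, body, attachments):
    """Return which parts of a message match the lure (subject, body, attachment)."""
    matched = []
    if subject.strip() == LURE_SUBJECT:
        matched.append("subject")
    if body.strip() == LURE_BODY:
        matched.append("body")
    if any(ntpath.basename(a).lower() == LURE_ATTACHMENT for a in attachments):
        matched.append("attachment")
    return matched


# Constructed sample data: one infected snapshot, one clean one.
SAMPLE_INFECTED = HostSnapshot(
    registry={
        RUN_KEY: {"winpsd": r"C:\WINDOWS\system32\winpsd.exe",
                  "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        IE_KEY: {"InstaledFlashhMX": "1"},
    },
    files={r"C:\WINDOWS\system32\winpsd.exe", r"C:\WINDOWS\nasor38a.dll",
           r"C:\WINDOWS\system32\kernel32.dll"},
    mutexes={"43jfds93872", "MSCTF.Shared.MUTEX.ABC"},
)
SAMPLE_CLEAN = HostSnapshot(
    registry={RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
    files={r"C:\WINDOWS\system32\kernel32.dll"},
    mutexes={"MSCTF.Shared.MUTEX.ABC"},
)

if __name__ == "__main__":
    for label, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, check_host(snap) or ["no markers"])
    print("mail", check_email("Photos", "LOL!;))))", ["photos_arc.exe"]))
```

The mail check matches the three lure fields independently, so a single hit (for instance only the subject "Photos") is returned as a weak signal rather than a verdict; the host check is what confirms an infection, and the marker value only appears once the Backdoor.Surila download succeeded, so its absence does not rule out the worm itself.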

Last update 21 November 2011
