
Win32.MyDoom.AE@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.MyDoom.AE@mm is also known as Win32.MyDoom.AI (Symantec).

Explanation :

This e-mail worm arrives in mail messages. The worm has its own SMTP e-mailing engine; it also contains code to spread across peer-to-peer networks, such as Kazaa, Morpheus, eDonkey, etc.

Spreading across file-sharing networks

For some of the file-sharing software, the worm contains code to get the actual shared directory; for others, like LimeWire or eDonkey, the worm uses default, hardcoded values: "C:\Program Files\eDonkey2000\incoming" or "C:\Program Files\LimeWire\Shared".

The worm writes itself to these shared folders using one of the following base names:
porno, NeroBROM6.3.1.27, avpprokey, Ad-awareref01R349, winxp_patch, adultpasswds, dcom_patches,
K-LiteCodecPack2.34a, activation_crack, icq2004-final, winamp5, combined with a randomly chosen extension from "bat", "exe", "cmd", "pif", "scr" or even "zip".
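The base names and extensions above give a defender a concrete signature for the files the worm drops into peer-to-peer shared folders. The following scanner is an added example, not part of the BitDefender write-up: it checks a list of shared folders for any file whose base name and extension both come from the worm's lists. The folder it builds under a temporary directory and the files placed in it are constructed sample data; the eDonkey and LimeWire paths are the hardcoded defaults quoted above.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Base names from the write-up, lower-cased for case-insensitive matching
# (NTFS file names are case-insensitive).
LURE_BASENAMES = {
    "porno", "nerobrom6.3.1.27", "avpprokey", "ad-awareref01r349", "winxp_patch",
    "adultpasswds", "dcom_patches", "k-litecodecpack2.34a", "activation_crack",
    "icq2004-final", "winamp5",
}

# Extensions the worm picks from at random.
LURE_EXTENSIONS = {".bat", ".exe", ".cmd", ".pif", ".scr", ".zip"}

# Hardcoded default shared folders quoted in the write-up, plus any extra
# folders an administrator knows are shared on the host.
DEFAULT_SHARED_FOLDERS = [
    r"C:\Program Files\eDonkey2000\incoming",
    r"C:\Program Files\LimeWire\Shared",
]


def is_lure_name(filename: str) -> bool:
    """True when both the base name and the extension match the worm's lists.

    os.path.splitext only strips the last suffix, so dotted base names such as
    'NeroBROM6.3.1.27.exe' still split into ('nerobrom6.3.1.27', '.exe').
    """
    stem, ext = os.path.splitext(filename.lower())
    return stem in LURE_BASENAMES and ext in LURE_EXTENSIONS


def scan_shared_folders(folders: List[str]) -> List[str]:
    """Return the full paths of lure-named files found directly in the given folders."""
    hits = []
    for folder in folders:
        p = Path(folder)
        if not p.is_dir():
            continue  # client not installed or folder moved: nothing to check here
        for entry in p.iterdir():
            if entry.is_file() and is_lure_name(entry.name):
                hits.append(str(entry))
    return sorted(hits)


def build_demo_folder() -> str:
    """Constructed sample: a temporary 'incoming' folder holding two lure files and two benign ones."""
    d = tempfile.mkdtemp(prefix="incoming_")
    for name in ("winxp_patch.exe", "K-LiteCodecPack2.34a.zip", "holiday.jpg", "notes.txt"):
        Path(d, name).write_bytes(b"constructed sample content, not a real binary")
    return d


if __name__ == "__main__":
    demo = build_demo_folder()
    for hit in scan_shared_folders(DEFAULT_SHARED_FOLDERS + [demo]):
        print("lure-named file:", hit)
```

A match on name alone is a lead, not a verdict: confirm a hit by hashing the file and checking it against the vendor's detection before acting on it. Because the worm chooses the extension at random, matching on the base name with any of the six extensions (rather than on one fixed file name) is what makes the check complete.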

Anti-anti-virus protection

When the worm detects the presence of another virus, or an antivirus engine in the computer's memory, it attempts to terminate the process. The file names it checks are:

i11r54n4.exe, irun4.exe, d3dupdate.exe, rate.exe, ssate.exe, winsys.exe, winupd.exe, SysMonXP.exe, bbeagle.exe,
Penis32.exe, teekids.exe, MSBLAST.exe, mscvb32.exe, sysinfo.exe, PandaAVEngine.exe, taskmon.exe, wincfg32.exe, outpost.exe, zonealarm.exe, navapw32.exe, navw32.exe, zapro.exe, msblast.exe, netstat.exe.

To block anti-virus updates, the worm disables access to the following list of anti-virus servers by adding the line %server% = 127.0.0.1 for each of them to the %system32%\drivers\etc\hosts file:

grisoft.com, www.grisoft.com, www.trendmicro.com, rads.mcafee.com, customer.symantec.com, liveupdate.symantec.com, us.mcafee.com, updates.symantec.com, update.symantec.com, www.nai.com, secure.nai.com, dispatch.mcafee.com, download.mcafee.com, my-etrust.com, www.my-etrust.com, mast.mcafee.com, ca.com, www.ca.com, www.networkassociates.com, www.kaspersky.com, www.avp.com, kaspersky-labs.com, kaspersky.com, f-secure.com, www.f-secure.com, viruslist.com, www.viruslist.com, liveupdate.symantecliveupdate.com, mcafee.com, www.mcafee.com, sophos.com, www.sophos.com, securityresponse.symantec.com, www.symantec.com.
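Redirecting vendor update servers to the loopback address through the hosts file is a persistent, easily audited artifact. The script below is an added example and not code from the write-up: it parses hosts-file text, flags any entry that maps one of the vendor hosts listed above to a loopback or blackhole address, and produces a cleaned copy with those lines removed. The hosts-file content it runs on is a constructed sample modelled on the entries the write-up describes.

```python
from typing import List, Tuple

# Constructed sample hosts file: ordinary entries plus three sinkholed vendor hosts.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com      # added by the worm
127.0.0.1 download.mcafee.com
192.168.1.10 fileserver.corp.example
"""

# The vendor hosts named in the write-up.
BLOCKED_VENDOR_HOSTS = {
    "grisoft.com", "www.grisoft.com", "www.trendmicro.com", "rads.mcafee.com",
    "customer.symantec.com", "liveupdate.symantec.com", "us.mcafee.com",
    "updates.symantec.com", "update.symantec.com", "www.nai.com", "secure.nai.com",
    "dispatch.mcafee.com", "download.mcafee.com", "my-etrust.com",
    "www.my-etrust.com", "mast.mcafee.com", "ca.com", "www.ca.com",
    "www.networkassociates.com", "www.kaspersky.com", "www.avp.com",
    "kaspersky-labs.com", "kaspersky.com", "f-secure.com", "www.f-secure.com",
    "viruslist.com", "www.viruslist.com", "liveupdate.symantecliveupdate.com",
    "mcafee.com", "www.mcafee.com", "sophos.com", "www.sophos.com",
    "securityresponse.symantec.com", "www.symantec.com",
}

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per name, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def find_sinkholed_vendors(text: str) -> List[Tuple[str, str]]:
    """Flag vendor hosts that the hosts file maps to a sinkhole address."""
    return [(address, name) for address, name in parse_hosts(text)
            if name in BLOCKED_VENDOR_HOSTS and address in SINKHOLE_ADDRESSES]


def remove_sinkhole_lines(text: str) -> str:
    """Return the hosts text with every line that sinkholes a vendor host removed.

    A whole line is dropped, so a line that also carried a legitimate name
    (e.g. 'localhost') would lose it; review the flagged lines before writing.
    """
    kept = [raw for raw in text.splitlines() if not find_sinkholed_vendors(raw)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for address, name in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"sinkholed vendor host: {name} -> {address}")
```

On a live Windows host the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; the file is normally a few lines long, so any vendor name appearing in it at all deserves a look, and the loopback check simply confirms the intent.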

E-mail spreading

The e-mail spreading engine is classic. The worm harvests e-mail addresses from files on the hard disk drive that are likely to contain them. It avoids sending infected e-mail messages to addresses that contain one of the strings below:

accoun, certific, listserv, ntivi, support, icrosoft, admin, page, the.bat, gold-certs, feste, submit, help, service, privacy, somebody, soft, contact, site, rating, bugs, your, someone, anyone, nothing, nobody, noone, webmaster, postmaster, samples, info, root, AD_KNX.K:, mozilla, utgers.ed, tanford.e, acketst, secur, isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, usenet, fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix, berkeley, foo., .mil, gov., .gov, ruslis, nodomai, mydomai, example, inpris, borlan, sopho, panda, hotmail, msn., icrosof, syma.

The "From" e-mail field is obviously spoofed; it's generated automatically using first and last names from predefined lists.

Last update 21 November 2011
