Home / malware Win32.Mydoom.R@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Win32.Mydoom.R@mm.
Explanation :
The worm comes by mail, with the following characteristics:
Mail body:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'test'
Mail subject:
'Mail Delivery System'
'Mail Transaction Failed'
'Server Report'
'Status'
'Error'
The sender of the mail is spoofed.
Once executed, the worm:
- copies itself to Windows System directory as taskmon.exe;
- opens notepad with some binary data in it;
- checks for presence in memory by means of the mutex 'SwebSipcSmtxS1';
- searches in files with the extension wab,htm,sht,php,asp,dbx,tbb,adb for mail addresses;
- also checks the default Windows Addressbook file;
- uses DNS and the registry in order to find a STMP server;
- opens multiple threads for sending mail;
- downloads the file at 'http://jljfytdtk.chat.ru/DSC00173.jpg' as 'zsdssfds.exe'.
This worm is by no means special.Last update 21 November 2011
