Win32.Mydoom.{I,J}@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Mydoom.{I,J}@mm is also known as Email-Worm.Win32.Mydoom.I, Worm/Mydoom.I, Win32/Mydoom.J@mm, WORM_MYDOOM.GEN, W32.Mydoom.J@mm.
Explanation:
The worm uses two mechanisms to propagate: by e-mail and by the Kazaa peer-to-peer network. When it is first launched, it creates the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Explorer\ComDlg32\Version registry key to mark its presence (warning: the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Explorer\ComDlg32 registry key is part of a normal Windows installation and should not be edited or deleted; only the Version subkey should be deleted). It creates a mutex named SwebSipcSmtxS0 to prevent multiple instances (if such a mutex already exists, execution is aborted, because it is assumed that the worm is already running). It creates a copy of itself in the %System% folder with the name taskmon.exe and adds an entry named Taskmon to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key to ensure its execution on every startup. It creates a file named Message in the %Temp% folder, filled with random data, and opens it with Notepad. It checks whether the peer-to-peer file-sharing program Kazaa is installed on the computer and, if it is found, places a copy of the executable in the first shared directory with one of the following names:
icq2004-final activation_crack strip-girl-2.0bdcom_patches rootkitXP office_crack nuke2004 winamp5
with one of the following extensions:
.exe .scr .pif .bat
It drops a randomly named DLL of about 5 KB in the %System% folder (detected by BitDefender as Trojan.Keylogger.BugBear.B) which acts as a keylogger and saves the user's keystrokes in encrypted form to a randomly named file with the extension .dll in the %System% folder.
The worm periodically checks the contents of the clipboard and saves it in encrypted form to another randomly named file with the extension .dll in the %System% folder. These two files are periodically e-mailed to the author of the worm.
It scans the hard drives for files with the following extensions and tries to extract e-mail addresses from them:
.adb .asp .dbx .htm .php .pl .sht .tbb .txt .wab
Additionally, the Outlook address book and the Internet Explorer cookies folder are scanned. E-mail addresses that contain any of the following strings are ignored:
accoun certific listserv ntivi support icrosoft admin page the.bat gold-certs feste submit not help service privacy somebody soft contact site rating bugs you your someone anyone nothing nobody noone webmaster postmaster samples info root mozilla utgers.ed tanford.e pgp acketst secur isc.o isi.e ripe. arin. sendmail rfc-ed ietf iana usenet fido linux kernel google ibm.com fsf. gnu mit.e bsd math unix berkeley foo. .mil gov. .gov ruslis nodomai mydomai example inpris borlan sopho panda hotmail msn. icrosof syma avp .edu abuse
When an e-mail address is found, an attempt is made to send a mail to it using the embedded SMTP engine. Because of the simple implementation of the included engine, technical measures such as greylisting are effective in combating the propagation of the worm. The sent e-mail has the following characteristics:
The From field is spoofed and contains one of the following names:
sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael alex john
The subject field contains one of the following texts:
<blank> test hi hello Mail Delivery System Mail Transaction Failed Server Report Status Error
The body of the message contains the following texts:
Mail transaction failed. Partial message is available. The message contains Unicode characters and has been sent as a binary attachment. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. test <blank>
The attachment has one of the following names:
body data doc document file message readme test text
and one of the following extensions:
.exe .scr .pif .bat .com
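As an added example (not part of the BitDefender description or the original page), a mail-gateway check that scores a raw message against the characteristics listed above: subject text, body text, and the attachment name/extension combination. The sample builder constructs test messages, and the sender address in it is made up.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the description of the worm's e-mails.
SUBJECTS = {"", "test", "hi", "hello", "Mail Delivery System",
            "Mail Transaction Failed", "Server Report", "Status", "Error"}
BODIES = {
    "", "test",
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
}
ATTACHMENT_RE = re.compile(
    r"^(body|data|doc|document|file|message|readme|test|text)\.(exe|scr|pif|bat|com)$",
    re.IGNORECASE)


def match_mydoom_ij(raw: bytes) -> dict:
    """Score one raw RFC 5322 message. 'suspicious' is set only when the
    attachment name pattern matches together with the subject or body text,
    so a plain 'hi' mail with a harmless attachment is not flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = str(msg.get("Subject") or "").strip() in SUBJECTS
    body_hit = attachment_hit = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            attachment_hit |= bool(ATTACHMENT_RE.match(fname))
        elif part.get_content_type() == "text/plain":
            body_hit |= part.get_content().strip() in BODIES
    return {"subject": subject_hit, "body": body_hit, "attachment": attachment_hit,
            "suspicious": attachment_hit and (subject_hit or body_hit)}


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sandra@example.com"  # made-up spoofed sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    # Dummy bytes stand in for the attachment; only the file name matters here.
    m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Feed real messages from a quarantine or mail log through match_mydoom_ij to triage them; the subject and body sets deliberately require exact text so that ordinary mail with a one-word subject does not match on its own.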
It periodically tries to kill the following security-related (antivirus, firewall, anti-spyware) processes:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE DVP95_0.EXE DVP95.EXE ECENGINE.EXE ESAFE.EXE ESPWATCH.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FINDVIRU.EXE FP-WIN.EXE FPROT.EXE FRW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IOMON98.EXE JEDI.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCANW.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE TDS2-98.EXE TDS2-NT.EXE VET95.EXE VETTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE ZONEALARM.EXE
Last update 21 November 2011