
Win32.Mydoom.P@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Mydoom.P@mm is also known as Mydoom.

Explanation:

This worm spreads by more than one method (it is a mass-mailer as well as a P2P worm) and drops
several components.

When run, the worm displays a fake error message, picked at random from this list, so that the victim believes the file was simply corrupt:
'File is corrupted.'
'Could not initialize installation. File size expected=26523,size returned=26344.'
'Pack method not implemented.'
'CRC checksum failed.'


The main worm file drops two files to the hard drive, %SYSTEM%\setupex.exe and %WINDIR%\svchost.exe, and copies itself to %SYSTEM%\upu.exe.
It then starts the two dropped files and exits. Note that the dropped svchost.exe lives in %WINDIR%, not in %SYSTEM%, where the legitimate Windows service host resides; a svchost.exe started from anywhere other than %SYSTEM% is the tell.

Svchost.exe file:

Creates a named mutex called ARKO.
Looks for the KaZaA directory and copies the file %SYSTEM%\rupu.exe there (the worm copy is called upu.exe in the dropper step above; treat both names as indicators), using one of the following bait names, chosen to look like cracks, codecs and popular applications:

'tc6.X_Uni_crk'
'the_bat2.11.X_crack_by_UTeam'
'pc-telephone'
'klcodec250f'
'wrar340'
'wrar3.40xcrk'
'MyIE3.05b'
'lProxyServ1.1'
'WM9Codecs'
'winKiller'
'freeMailBases'
'Winamp 5.5b'
'YN 2.6'

each with an .exe extension.
It then enumerates the network shares it can reach and tries to copy the same file to every available share.
It makes itself persistent across reboots by creating the registry value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\nwiz = %WINDIR%\svchost.exe
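A host-side check for the artefacts described in the steps above, as an added example (not BitDefender's code and not part of the original description). The caller supplies a snapshot of the host as a dict (Run-key values, file paths, mutex names, the KaZaA share listing); the check matches it against the indicators on this page. The %WINDIR% and %SYSTEM% locations, the constructed snapshots, and the generic rule that flags any Run value launching a svchost.exe outside %SYSTEM% are assumptions made here; both upu.exe and rupu.exe are kept because the description uses both names.

```python
"""Host-side IOC check for the Win32.Mydoom.P@mm behaviour described above.

Added example, not BitDefender's code. Collecting the Run values, file list,
mutex list and share listing from a live Windows host is left to the caller;
everything here evaluates a snapshot dict offline.
"""
import ntpath
import re

# Indicators taken from the description above. The worm copy is named upu.exe
# in the dropper step and rupu.exe in the KaZaA step, so both are listed.
DROPPED_FILES = {
    r"%SYSTEM%\setupex.exe",
    r"%WINDIR%\svchost.exe",
    r"%SYSTEM%\upu.exe",
    r"%SYSTEM%\rupu.exe",
}
MUTEX_NAME = "ARKO"
KAZAA_BAIT_NAMES = {
    "tc6.X_Uni_crk", "the_bat2.11.X_crack_by_UTeam", "pc-telephone",
    "klcodec250f", "wrar340", "wrar3.40xcrk", "MyIE3.05b", "lProxyServ1.1",
    "WM9Codecs", "winKiller", "freeMailBases", "Winamp 5.5b", "YN 2.6",
}

# Assumed locations of %WINDIR% and %SYSTEM% on the host being checked.
DEFAULT_ENV = {"WINDIR": r"C:\WINDOWS", "SYSTEM": r"C:\WINDOWS\system32"}


def expand(path, env):
    """Replace %VAR% tokens with the host's values; unknown tokens are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def image_path(run_value_data):
    """Return the executable a Run value launches, dropping quotes and arguments."""
    data = run_value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.(?:exe|pif|scr|com))(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ")[0]


def check_host(snapshot, env=DEFAULT_ENV):
    """Return findings for a snapshot with keys run_values (name -> data),
    files, mutexes and kazaa_share (lists of names). Empty list means clean."""
    findings = []
    known_bad = {expand(p, env).lower() for p in DROPPED_FILES}
    system_dir = env["SYSTEM"].lower()

    for name, data in snapshot.get("run_values", {}).items():
        image = expand(image_path(data), env)
        low = image.lower()
        if low in known_bad:
            findings.append(f"Run value '{name}' launches known dropped file {image}")
        elif ntpath.basename(low) == "svchost.exe" and ntpath.dirname(low) != system_dir:
            # Generic rule (assumption, not from the description): the real service
            # host lives in %SYSTEM%, so a Run value starting svchost.exe from
            # anywhere else is suspicious even if the exact path is unknown.
            findings.append(f"Run value '{name}' launches svchost.exe outside %SYSTEM%: {image}")

    for path in snapshot.get("files", []):
        if expand(path, env).lower() in known_bad:
            findings.append(f"Dropped file present: {path}")

    if MUTEX_NAME in snapshot.get("mutexes", []):
        findings.append(f"Mutex {MUTEX_NAME} present (worm already running)")

    for fname in snapshot.get("kazaa_share", []):
        stem, ext = ntpath.splitext(fname)
        if ext.lower() == ".exe" and stem in KAZAA_BAIT_NAMES:
            findings.append(f"Worm copy offered on the KaZaA share as {fname}")
    return findings


# Constructed snapshots (not real telemetry). The clean host carries a
# legitimate-looking 'nwiz' entry, the value name NVIDIA's nView wizard uses.
INFECTED_HOST = {
    "run_values": {"nwiz": r"%WINDIR%\svchost.exe",
                   "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [r"C:\WINDOWS\system32\setupex.exe", r"C:\WINDOWS\svchost.exe",
              r"C:\WINDOWS\system32\upu.exe"],
    "mutexes": ["ARKO", "MSCTF.Shared.MUTEX.ABC"],
    "kazaa_share": ["wrar3.40xcrk.exe", "holiday.jpg"],
}
CLEAN_HOST = {
    "run_values": {"nwiz": "nwiz.exe /install",
                   "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [r"C:\WINDOWS\system32\svchost.exe"],
    "mutexes": ["MSCTF.Shared.MUTEX.ABC"],
    "kazaa_share": ["holiday.jpg"],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(label, check_host(host))
```

The exact-path matches are the page's indicators; the svchost.exe location rule is the one that survives a variant renaming its dropped files, which is why it is kept separate from the known-bad set.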

It then harvests e-mail addresses from files with the extensions php, htm, html, txt and tbb
and sends mail to them using its own SMTP engine and DNS queries rather than the victim's mail client, with a spoofed sender address, in the following format:
Subjects:

'Hi! How are you?'
'Hello. We would like to present to you...'
'Baby, where are you?'
'Luck letter'
'Look that muck in archive you have sent me: (('
'Free dispatch of sex magazine!'
'Subscription to news of electronic magazine.'
'Mail delivery report.'

Bodies:

'Why have you absolutely forgotten about me, my friend? Why do not you write, do not answer my letters?'
'Our company offers new and completely revolutionary kind of services. Callsfrom your cellular phone worldwide free of charge! If you are interested in our offer answer this letter and receive from our manager full description of the service.'
'We have agreed to go to the party to our friends yesterday. Why are you silent?'
'Send this letter to any of your friends and luck will find you.'
'See attachment'
'Best photos of our best girls!'
'We suggest you to subscribe for free of charge newsletter of our electronic magazine.
The questionnaire is applied in attachment of this letter.'
'Not valid message headers for mail system.The message sent as a binary attachment.'

Attachments:

'present.exe'
'127D0A1D-4EF2-11D1-8608-00C04FC295EE.doc.cat.exe'
'binary_content.pif'
'binary.pif'
'JIHSIE8937745JH.SETOUUY.23542435-EWTRWE8324.EXE'
'PUBLIC_127D0A1D-4EF2-11D1-8608-00C04FC295EE.ZIP.ARH.PIF'
'SubscribeFLASH.exe'
'40EC5FBE.EXE'
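A mail-gateway classifier for the mass-mailing traffic described above, as an added example (not BitDefender's code and not part of the original description). It matches the subjects and attachment names listed on this page exactly; the additional rule that flags directly executable attachments and executables hidden behind double extensions (as in `.doc.cat.exe` or `.ZIP.ARH.PIF`) is a generic heuristic assumed here, not something the description states. The sample messages are constructed with the standard library so the check runs offline.

```python
"""Mail-gateway classifier for the Mydoom.P mass-mailer traffic described above.

Added example, not BitDefender's code. A real gateway would pass the raw bytes
of each inbound message to assess_bytes(); the samples below are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subjects and attachment names listed in the description above.
KNOWN_SUBJECTS = {
    "Hi! How are you?",
    "Hello. We would like to present to you...",
    "Baby, where are you?",
    "Luck letter",
    "Look that muck in archive you have sent me: ((",
    "Free dispatch of sex magazine!",
    "Subscription to news of electronic magazine.",
    "Mail delivery report.",
}
KNOWN_ATTACHMENTS = {name.lower() for name in (
    "present.exe",
    "127D0A1D-4EF2-11D1-8608-00C04FC295EE.doc.cat.exe",
    "binary_content.pif",
    "binary.pif",
    "JIHSIE8937745JH.SETOUUY.23542435-EWTRWE8324.EXE",
    "PUBLIC_127D0A1D-4EF2-11D1-8608-00C04FC295EE.ZIP.ARH.PIF",
    "SubscribeFLASH.exe",
    "40EC5FBE.EXE",
)}
# Extensions Windows executes directly when the attachment is opened (assumed list).
EXEC_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd"}


def attachment_names(msg):
    """Filenames of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess(msg):
    """Return the reasons to quarantine msg; an empty list means nothing matched."""
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject matches Mydoom.P template: {subject!r}")
    for name in attachment_names(msg):
        parts = name.lower().split(".")
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"attachment name matches Mydoom.P template: {name}")
        if len(parts) > 1 and parts[-1] in EXEC_EXTENSIONS:
            if len(parts) > 2:
                # e.g. .doc.cat.exe: the real extension is the last one.
                reasons.append(f"executable hidden behind a double extension: {name}")
            else:
                reasons.append(f"directly executable attachment: {name}")
    return reasons


def assess_bytes(raw):
    """Parse a raw RFC 5322 message, as a gateway receives it, and assess it."""
    return assess(BytesParser(policy=policy.default).parsebytes(raw))


def build_message(sender, recipient, subject, body, attachment_name=None):
    """Construct a test message; the attachment payload is a dummy, not malware."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 dummy payload", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


# Constructed samples: a worm-style message (the From is a harvested address,
# as the worm spoofs senders) and a benign message with a text attachment.
WORM_SAMPLE = build_message(
    "alice@example.org", "bob@example.org", "Mail delivery report.",
    "Not valid message headers for mail system.The message sent as a binary attachment.",
    "binary.pif")
BENIGN_SAMPLE = build_message(
    "carol@example.org", "bob@example.org", "Lunch tomorrow?",
    "Same place at noon?", "notes.txt")

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_bytes(sample.as_bytes()))
```

The subject and filename lists only catch this exact variant; the executable-attachment rule is the part worth keeping at the gateway, since the worm's envelope sender is spoofed and cannot be used to filter.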

Last update 21 November 2011

 
