
Win32.Mydoom.M@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Mydoom.M@mm is also known as MyDoom.

Explanation :

Win32.MyDoom.M@mm is a mass-mailing worm with a backdoor component that listens on port 1034.
The worm is packed with UPX and its size varies from 28 KB to 30 KB.

When executed it creates a copy of itself named %Windir%/java.exe and drops a backdoor component called %Windir%/services.exe.

In order to be executed at startup it creates the following registry keys and values:

HKLM\Software\Microsoft\Daemon
HKCU\Software\Microsoft\Daemon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM = "%Windir%/java.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services = "%Windir%/services.exe"

The worm searches the system for e-mail addresses, ignoring any address that contains one of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
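
The exclusion list above decides which harvested mailboxes ever see a copy of the worm, which is why abuse desks, security vendors and "admin"-style mailboxes receive none of its traffic. The following is an added example, not code from the BitDefender write-up: it replays that filter over a constructed set of addresses so an analyst can see which ones would be mailed. It assumes the match is a plain case-insensitive substring test over the whole address, something the write-up does not specify.

```python
from typing import List, Optional, Tuple

# Added example (not part of the BitDefender write-up): simulate the
# worm's address-harvesting filter to see which mailboxes would be
# targeted and which would never receive a copy. Substring matching is
# assumed to be case-insensitive over the whole address (an assumption;
# the write-up only says addresses "containing" these strings are ignored).

# Exclusion substrings exactly as listed in the write-up, in the same order.
MYDOOM_M_SKIP_SUBSTRINGS = [
    "mailer-d", "spam", "abuse", "master", "sample", "accoun",
    "privacycertific", "bugs", "listserv", "submit", "ntivi", "support",
    "admin", "page", "the.bat", "gold-certs", "ca", "feste", "not", "help",
    "foo", "no", "soft", "site", "rating", "me", "you", "your", "someone",
    "anyone", "nothing", "nobody", "noone", "info", "winrar", "winzip",
    "rarsoft", "sf.net", "sourceforge", "ripe.", "arin.", "google", "gnu.",
    "gmail", "seclist", "secur", "bar.", "foo.com", "trend", "update",
    "uslis", "domain", "example", "sophos", "yahoo", "spersk", "panda",
    "hotmail", "msn.", "msdn.", "microsoft", "sarc.", "syma", "avp",
]


def skip_reason(address: str) -> Optional[str]:
    """Return the first exclusion substring found in `address`, or None
    if the worm would treat the address as a valid target."""
    lowered = address.lower()
    for needle in MYDOOM_M_SKIP_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def partition_addresses(addresses) -> Tuple[List[str], dict]:
    """Split harvested addresses into (targets, skipped), where `skipped`
    maps each excluded address to the substring that excluded it."""
    targets, skipped = [], {}
    for addr in addresses:
        reason = skip_reason(addr)
        if reason is None:
            targets.append(addr)
        else:
            skipped[addr] = reason
    return targets, skipped


# Constructed sample of harvested addresses (not from the write-up).
SAMPLE_ADDRESSES = [
    "jdoe@corp-office.test",
    "qa-lead@corp-office.test",
    "abuse@isp.test",
    "carol@corp-office.test",
    "tom.mendez@corp-office.test",
    "webmaster@corp-office.test",
]

if __name__ == "__main__":
    targets, skipped = partition_addresses(SAMPLE_ADDRESSES)
    print("would be mailed:", targets)
    for addr, reason in skipped.items():
        print(f"skipped {addr!r} because it contains {reason!r}")
```

Note how coarse the filter is: two-letter entries such as "ca" and "me" exclude ordinary names like "carol" and "mendez", so a sizeable share of legitimate recipients never receives the worm either. That also means a honeypot or sinkhole mailbox intended to catch samples needs an address free of every string on the list.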

It also looks for e-mail addresses in open Outlook windows and may use the following search engines for the same purpose:
http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com

Then, using its own SMTP engine, the worm sends e-mails to the addresses it has found.

The subject will resemble one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message will contain the worm in an attachment, with one of the following file names:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message

The file has a double extension, the first being one of ".doc", ".txt", ".htm" or ".html", and the second ".cmd", ".bat", ".com", ".exe", ".scr" or ".pif".

The attachment may or may not be zipped.
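
The subject lines and attachment naming scheme above are what a mail gateway can match on. The following is an added example, not code from the BitDefender write-up: it checks a message's subject against the listed subjects and its attachment names against the document-extension-then-executable pattern, and goes slightly beyond the write-up by flagging any such double extension even when the base name is not one of the ten listed. It assumes case-insensitive matching and, for zipped attachments, that the archive member keeps the double-extension name (pass the member name after listing the archive); neither detail is stated in the write-up.

```python
import re
from typing import Iterable, Optional

# Added example (not part of the BitDefender write-up): a mail-gateway
# style check for the subject lines and attachment naming scheme the
# write-up attributes to Win32.Mydoom.M@mm. Comparisons are assumed to be
# case-insensitive; the write-up does not say how exact the matching is.

SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
BASENAMES = {"readme", "instruction", "transcript", "mail", "letter",
             "file", "text", "attachment", "document", "message"}
FIRST_EXT = {"doc", "txt", "htm", "html"}                # decoy "document" extension
SECOND_EXT = {"cmd", "bat", "com", "exe", "scr", "pif"}  # what actually executes

# base.first.second with an optional trailing .zip (assumption: when the
# worm zips the attachment, the archive member keeps the double-extension
# name, so callers can pass either the archive name or the member name).
ATTACHMENT_RE = re.compile(
    r"^(?P<base>[^.]+)\.(?P<first>[a-z0-9]+)\.(?P<second>[a-z0-9]+)(?P<zip>\.zip)?$",
    re.IGNORECASE,
)


def match_attachment(name: str) -> Optional[dict]:
    """Describe how `name` fits the document-extension-then-executable
    pattern, or return None if it does not. `known_basename` is True when
    the base name is also one from the write-up's list."""
    m = ATTACHMENT_RE.match(name.strip())
    if not m:
        return None
    base, first, second = (m.group(g).lower() for g in ("base", "first", "second"))
    if first not in FIRST_EXT or second not in SECOND_EXT:
        return None
    return {"name": name, "known_basename": base in BASENAMES,
            "zipped": m.group("zip") is not None}


def score_message(subject: str, attachment_names: Iterable[str]) -> dict:
    """Combine the subject check with the attachment check. Any
    document-then-executable double extension is flagged on its own; a
    listed subject plus a listed base name is reported as the worm's pattern."""
    subject_hit = subject.strip().lower() in SUBJECTS
    matches = [m for m in map(match_attachment, attachment_names) if m]
    if subject_hit and any(m["known_basename"] for m in matches):
        verdict = "mydoom-like"
    elif matches:
        verdict = "double-extension"
    elif subject_hit:
        verdict = "subject-only"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_hit": subject_hit, "attachments": matches}


if __name__ == "__main__":
    # Constructed messages, not captured samples.
    for subj, names in [
        ("Returned mail: see transcript for details", ["transcript.txt.scr"]),
        ("Quarterly numbers", ["invoice.doc.exe.zip"]),
        ("hi", ["photo.jpg"]),
        ("Lunch?", ["agenda.docx"]),
    ]:
        print(subj, names, "->", score_message(subj, names)["verdict"])
```

A subject such as "hi" on its own is far too common to act on, which is why the verdict only escalates when the attachment pattern is also present; the double-extension check, by contrast, is worth blocking on regardless of the base name, since no legitimate document needs a ".scr" or ".pif" after its ".doc".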

Last update 21 November 2011
