My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.MyDoom.AE@mm

MEDIUM
MEDIUM
~32 K (~74 K unpacked)
(Win32.MyDoom.AI (Symantec), Win32.MyDoom.AL (VirusBuster))

Symptoms

Presence of the files lsasrv.exe, version.ini and hserv.sys in the Windows System folder.

The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run contains the item "lsass" that points to the "lsasrv.exe" file in the system directory.

The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon contains the item "Shell" with a value of "explorer.exe %system%\lsasrv.exe".

Removal instructions:


1) Terminate the viral process
2) Manually delete the files lsasrv.exe, version.ini and hserv.sys from the Windows %System% folder (or let BitDefender do this for you)
4) Delete the key "lsass" from HKLM\Software\Microsoft\Windows\CurrentVersion\Run
5) Modify the "Shell" field of the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to "Explorer.exe".
6) Reboot your system.

Analyzed By

BitDefender Research Team

Technical Description:

This e-mail worm arrives in mail messages. The worm has its own SMTP e-mailing engine; it also contains code to spread across peer-to-peer networks, such as Kazaa, Morpheus, eDonkey, etc.

Spreading across file-sharing networks

For some of the file-sharing software, the worm contains code to get the actual shared directory; for others, like LimeWire or eDonkey, the worm uses default, hardcoded values:  "C:\Program Files\eDonkey2000\incoming" or "C:\Program Files\LimeWire\Shared".

The worm writes itself to these shared folders using one of the following file names:
porno, NeroBROM6.3.1.27, avpprokey, Ad-awareref01R349, winxp_patch, adultpasswds, dcom_patches,
K-LiteCodecPack2.34a, activation_crack, icq2004-final, winamp5 with randomly chosen extensions, chosen from "bat", "exe", "cmd", "pif", "scr" or even "zip".

Anti-anti-virus protection

When the worm detects the presence of another virus, or an antivirus engine in the computer's memory, it attempts to terminate the process. The file names it checks are:

i11r54n4.exe, irun4.exe, d3dupdate.exe, rate.exe, ssate.exe, winsys.exe, winupd.exe, SysMonXP.exe, bbeagle.exe,
Penis32.exe, teekids.exe, MSBLAST.exe, mscvb32.exe, sysinfo.exe, PandaAVEngine.exe, taskmon.exe, wincfg32.exe, outpost.exe, zonealarm.exe, navapw32.exe, navw32.exe, zapro.exe, msblast.exe, netstat.exe.

To avoid virus updates, the worm disables access to the following list of anti-virus servers, by adding the line %server% = 127.0.0.1 in the %system32%\drivers\etc\hosts file:

grisoft.com, www.grisoft.com, www.trendmicro.com, rads.mcafee.com, customer.symantec.com, liveupdate.symantec.com, us.mcafee.com, updates.symantec.com, update.symantec.com, www.nai.com, secure.nai.com, dispatch.mcafee.com, download.mcafee.com, my-etrust.com, www.my-etrust.com, mast.mcafee.com, ca.com, www.ca.com, www.networkassociates.com, www.kaspersky.com, www.avp.com, kaspersky-labs.com, kaspersky.com, f-secure.com, www.f-secure.com, viruslist.com, www.viruslist.com, liveupdate.symantecliveupdate.com, mcafee.com, www.mcafee.com, sophos.com, www.sophos.com, securityresponse.symantec.com, www.symantec.com.

E-mail spreading

The e-mail spreading engine is classic. The worm harvests e-mail addresses from files likely to contain them across the hard disk drive. It avoids to send infected e-mail messages to servers that contain one of the strings below:

accoun, certific, listserv, ntivi, support, icrosoft, admin, page, the.bat, gold-certs, feste, submit, help, service, privacy, somebody, soft, contact, site, rating, bugs, your, someone, anyone, nothing, nobody, noone, webmaster, postmaster, samples, info, root, AD_KNX.K:, mozilla, utgers.ed, tanford.e, acketst, secur, isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, usenet, fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix, berkeley, foo., .mil, gov., .gov, ruslis, nodomai, mydomai, example, inpris, borlan, sopho, panda, hotmail, msn., icrosof, syma.

The "From" e-mail field is obviously spoofed; it\'s generated automatically using first and last names from predefined lists.