
Win32.Mydoom.{I,J}@mm

MEDIUM
HIGH
Size: ~50 KB
Aliases: Email-Worm.Win32.Mydoom.I, Worm/Mydoom.I, Win32/Mydoom.J@mm, WORM_MYDOOM.GEN, W32.Mydoom.J@mm

Symptoms

  • presence of a file named taskmon.exe in the %System% folder
  • presence of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Explorer\ComDlg32\Version registry key

  • presence of a value named Taskmon with the data %System%\taskmon.exe under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key
  • security applications (antivirus, firewall, anti-spyware) terminate unexpectedly
  • warnings from the personal firewall about unexpected outgoing connections on port 25 (SMTP) when the worm tries to propagate
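
The symptoms above can be checked mechanically. The following script is an added example, not BitDefender's code: the indicator names (taskmon.exe, the Taskmon Run value, the ComDlg32\Version marker key) are taken from this page, while the snapshot format, the Windows collection routine and the constructed offline snapshot are my own assumptions. On a non-Windows host it evaluates the constructed snapshot so the logic can be exercised anywhere.

```python
"""Check a host for the Mydoom.I/J indicators listed in the Symptoms section."""
import os
import sys

IOC_FILE = "taskmon.exe"                 # copy of the worm in %System%
IOC_RUN_NAME = "taskmon"                 # Run value name (compared case-insensitively)
IOC_MARKER_SUBKEY = r"Software\Microsoft\Windows\Explorer\ComDlg32\Version"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def evaluate(system_files, run_values, marker_key_present):
    """Return a list of findings for a host snapshot.

    system_files:       iterable of file names found in %System%
    run_values:         dict of value name -> data under HKLM\\...\\Run
    marker_key_present: True if HKLM\\...\\Explorer\\ComDlg32\\Version exists
    """
    findings = []
    if any(name.lower() == IOC_FILE for name in system_files):
        findings.append("file %System%\\taskmon.exe present")
    for name, data in run_values.items():
        target = str(data).lower().strip('"')
        # Either the value name or the target path gives the worm away.
        if name.lower() == IOC_RUN_NAME or target.endswith("\\" + IOC_FILE):
            findings.append(f"Run value {name} = {data}")
    if marker_key_present:
        findings.append("marker key HKLM\\...\\Explorer\\ComDlg32\\Version present")
    return findings


def collect_windows():
    """Read live host state. Assumes an NT-based Windows where %System% is System32."""
    import winreg  # Windows-only module, so imported here

    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    system_files = os.listdir(system_dir)

    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            run_values[name] = data
            index += 1

    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IOC_MARKER_SUBKEY):
            marker = True
    except FileNotFoundError:
        marker = False
    return system_files, run_values, marker


if __name__ == "__main__":
    if sys.platform == "win32":
        result = evaluate(*collect_windows())
    else:
        # Constructed snapshot of an infected host, for running the logic offline.
        result = evaluate(
            ["kernel32.dll", "taskmon.exe"],
            {"Taskmon": r"C:\WINDOWS\System32\taskmon.exe"},
            True,
        )
    for line in result or ["no Mydoom.I/J indicators found"]:
        print(line)
```

The marker key deserves care when cleaning up: as the technical description notes, the parent key ComDlg32 is a normal part of Windows, so only the Version subkey should be removed.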

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Attila Balazs, virus researcher

Technical Description:

The worm uses two mechanisms to propagate: e-mail and the Kazaa peer-to-peer network.

When it is first launched, it creates the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Explorer\ComDlg32\Version registry key to mark its presence. (Warning: the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Explorer\ComDlg32 registry key is part of a normal Windows installation and should not be edited or deleted; only the Version subkey should be removed.) It creates a mutex named SwebSipcSmtxS0 to prevent multiple instances: if the mutex already exists, execution is aborted, because the worm assumes it is already running.

It copies itself to the %System% folder as taskmon.exe and adds a value named Taskmon to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key so that it is executed on every startup. It creates a file named Message in the %Temp% folder, fills it with random data and opens it with Notepad.

It then checks whether the Kazaa peer-to-peer file sharing program is installed; if it is, a copy of the executable is placed in the first shared directory under one of the following names:
  • icq2004-final
  • activation_crack
  • strip-girl-2.0bdcom_patches
  • rootkitXP
  • office_crack
  • nuke2004
  • winamp5

with one of the following extensions:

  • .exe
  • .scr
  • .pif
  • .bat

It drops a randomly named DLL of about 5 KB in the %System% folder (detected by BitDefender as Trojan.Keylogger.BugBear.B), which acts as a keylogger and saves the user's keystrokes, in encrypted form, to a randomly named file with the extension .dll in the %System% folder.

The worm periodically checks the contents of the clipboard and saves it, in encrypted form, to another randomly named file with the .dll extension in the %System% folder. These two files are periodically e-mailed to the author of the worm.

It scans the hard drives for files with the following extensions and tries to extract e-mail addresses from them:

  • .adb
  • .asp
  • .dbx
  • .htm
  • .php
  • .pl
  • .sht
  • .tbb
  • .txt
  • .wab

Additionally, the Outlook address book and the Internet Explorer cookies folder are scanned. E-mail addresses that contain any of the following strings are ignored (the list mixes generic role accounts, vendor and security-community domains, and placeholder domains, so that the worm avoids mailboxes likely to report or analyze it):

  • accoun
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • feste
  • submit
  • not
  • help
  • service
  • privacy
  • somebody
  • soft
  • contact
  • site
  • rating
  • bugs
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root
  • mozilla
  • utgers.ed
  • tanford.e
  • pgp
  • acketst
  • secur
  • isc.o
  • isi.e
  • ripe.
  • arin.
  • sendmail
  • rfc-ed
  • ietf
  • iana
  • usenet
  • fido
  • linux
  • kernel
  • google
  • ibm.com
  • fsf.
  • gnu
  • mit.e
  • bsd
  • math
  • unix
  • berkeley
  • foo.
  • .mil
  • gov.
  • .gov
  • ruslis
  • nodomai
  • mydomai
  • example
  • inpris
  • borlan
  • sopho
  • panda
  • hotmail
  • msn.
  • icrosof
  • syma
  • avp
  • .edu
  • abuse
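
The harvesting and avoidance logic, as an added example that is not BitDefender's code and not taken from the worm: the skip list is the one printed above, while the address regular expression, the case-insensitive substring test and the sample HTML are my own assumptions (the page says which strings are avoided, not how the comparison is done). Run against a constructed fragment of a cached .htm file it shows which addresses would become targets and why the others are dropped.

```python
"""Address harvesting with the worm's avoidance list (constructed example)."""
import re

# Avoidance substrings exactly as listed on this page.
SKIP_SUBSTRINGS = (
    "accoun", "certific", "listserv", "ntivi", "support", "icrosoft", "admin",
    "page", "the.bat", "gold-certs", "feste", "submit", "not", "help", "service",
    "privacy", "somebody", "soft", "contact", "site", "rating", "bugs", "you",
    "your", "someone", "anyone", "nothing", "nobody", "noone", "webmaster",
    "postmaster", "samples", "info", "root", "mozilla", "utgers.ed", "tanford.e",
    "pgp", "acketst", "secur", "isc.o", "isi.e", "ripe.", "arin.", "sendmail",
    "rfc-ed", "ietf", "iana", "usenet", "fido", "linux", "kernel", "google",
    "ibm.com", "fsf.", "gnu", "mit.e", "bsd", "math", "unix", "berkeley", "foo.",
    ".mil", "gov.", ".gov", "ruslis", "nodomai", "mydomai", "example", "inpris",
    "borlan", "sopho", "panda", "hotmail", "msn.", "icrosof", "syma", "avp",
    ".edu", "abuse",
)

# Assumed extraction pattern: local part, "@", at least one dotted domain label.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def skip_reason(address):
    """Return the first avoidance substring found in the address, or None."""
    low = address.lower()            # assumption: the match is case-insensitive
    for needle in SKIP_SUBSTRINGS:
        if needle in low:
            return needle
    return None


def harvest(text):
    """Extract addresses from text and split them into kept targets and skipped ones."""
    kept, skipped = [], {}
    for addr in dict.fromkeys(EMAIL_RE.findall(text)):   # dedupe, keep order
        reason = skip_reason(addr)
        if reason is None:
            kept.append(addr)
        else:
            skipped[addr] = reason
    return kept, skipped


# Constructed sample: what a scan of a cached .htm file might contain.
SAMPLE_HTML = """
<p>Contact <a href="mailto:jane.doe@acme-corp.net">Jane</a> or
sales@acme-corp.net. Problems? Write to support@acme-corp.net or
webmaster@acme-corp.net.</p>
<p>Mirrors: alice@linux-users.org, bob@researchlab.edu</p>
"""

if __name__ == "__main__":
    targets, dropped = harvest(SAMPLE_HTML)
    print("targets:", targets)
    for addr, why in dropped.items():
        print(f"skipped {addr}  (matched {why!r})")
```

Note how coarse the filter is: a short needle such as "not" or "you" also suppresses legitimate personal addresses that happen to contain it, which is one reason such lists are a weak but cheap evasion tactic rather than a precise one.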

When an e-mail address is found, the worm attempts to send a message to it using its embedded SMTP engine. Because this engine is a simple one and does not behave like a full mail transfer agent, technical measures such as greylisting (temporarily rejecting the first delivery attempt from an unknown sender and relying on a real MTA to retry) are effective against the worm's propagation. The sent e-mail has the following characteristics:

The From field is spoofed and contains one of the following names:
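
Why greylisting works against such an engine, shown as an added example that is not BitDefender's code: a minimal greylisting policy keyed on the (client IP, envelope sender, recipient) triplet, a sender modelled on the worm that makes one attempt per address and keeps no queue, and a compliant MTA that retries 4xx results. The timings and the single-attempt model are my own assumptions; the page says only that the engine is simple.

```python
"""Greylisting versus a non-retrying mass-mailer (constructed example)."""
from dataclasses import dataclass, field

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylist:
    """Greylisting keyed on the (client IP, envelope sender, recipient) triplet."""
    min_delay: float = 300.0        # a retry earlier than this is still deferred
    max_age: float = 4 * 3600.0     # an unconfirmed triplet expires after this
    seen: dict = field(default_factory=dict)

    def decide(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.seen.get(key)
        if first_seen is None or now - first_seen > self.max_age:
            self.seen[key] = now        # new (or stale) triplet: defer it
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            return TEMPFAIL             # retried too soon, keep deferring
        return ACCEPT


def worm_engine(greylist, ip, mail_from, targets, now=0.0):
    """One attempt per address and no retry queue; returns delivered addresses."""
    delivered = []
    for rcpt in targets:
        if greylist.decide(ip, mail_from, rcpt, now) == ACCEPT:
            delivered.append(rcpt)
    return delivered


def compliant_mta(greylist, ip, mail_from, targets, retry_schedule=(0.0, 900.0)):
    """A real MTA keeps a queue and retries 4xx results on a schedule."""
    delivered = []
    for rcpt in targets:
        for t in retry_schedule:
            if greylist.decide(ip, mail_from, rcpt, t) == ACCEPT:
                delivered.append(rcpt)
                break
    return delivered


if __name__ == "__main__":
    targets = ["jane.doe@acme-corp.net", "sales@acme-corp.net"]
    print("worm delivered:", worm_engine(Greylist(), "203.0.113.7", "john@acme-corp.net", targets))
    print("MTA delivered: ", compliant_mta(Greylist(), "198.51.100.2", "list@acme-corp.net", targets))
```

The worm's spoofed From addresses also hurt it here: every (IP, sender, recipient) triplet it produces is new, so nothing it sends ever benefits from an earlier confirmation.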

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • alex
  • john

The subject field contains one of the following texts:

  • <blank>
  • test
  • hi
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error

The body of the message contains the following texts:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • test
  • <blank>

The attachment has one of the following names:

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

and one of the following extensions:

  • .exe
  • .scr
  • .pif
  • .bat
  • .com
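
A mail-gateway rule built from the characteristics above, as an added example that is not BitDefender's code: it parses a raw message, checks the subject, the plain-text body and each attachment's name and extension against the lists on this page, and flags a message when at least two traits match (a blank subject alone is too common to act on). The two-trait threshold and the two sample messages are my own constructions.

```python
"""Content rule for the Mydoom.I/J message pattern (constructed example)."""
import posixpath
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SUBJECTS = {"", "test", "hi", "hello", "Mail Delivery System",
            "Mail Transaction Failed", "Server Report", "Status", "Error"}
BODIES = {
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "test",
    "",
}
ATTACHMENT_NAMES = {"body", "data", "doc", "document", "file", "message",
                    "readme", "test", "text"}
ATTACHMENT_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}


def classify(raw: bytes):
    """Return the worm-like traits found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject {subject!r}")

    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip() if text_part is not None else ""
    if body in BODIES:
        reasons.append(f"body {body!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = posixpath.splitext(name)
        # Only the name/extension combination the worm uses counts.
        if stem in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS:
            reasons.append(f"attachment {name!r}")
    return reasons


def is_suspicious(raw: bytes) -> bool:
    """Assumed policy: a single trait is noise, two or more is a hit."""
    return len(classify(raw)) >= 2


def build_worm_like():
    """Constructed sample shaped like the description above (not a real capture)."""
    m = EmailMessage()
    m["From"] = "john@acme-corp.net"       # spoofed; "john" is in the name list
    m["To"] = "jane.doe@acme-corp.net"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename="message.pif")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message with a document attached."""
    m = EmailMessage()
    m["From"] = "jane.doe@acme-corp.net"
    m["To"] = "sales@acme-corp.net"
    m["Subject"] = "Q3 figures"
    m.set_content("Figures attached, see the second tab.")
    m.add_attachment(b"%PDF-1.4 ...", maintype="application",
                     subtype="pdf", filename="q3-figures.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("worm-like", build_worm_like()), ("benign", build_benign())):
        print(label, is_suspicious(raw), classify(raw))
```

Blocking the five executable extensions outright at the gateway is the simpler and more robust control; the rule above is what to use where that is not possible, and its subject and body strings are specific enough that false positives on real bounce messages are rare.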

It periodically tries to terminate the following security-related (antivirus, firewall, anti-spyware) processes:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95_0.EXE
  • DVP95.EXE
  • ECENGINE.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FINDVIRU.EXE
  • FP-WIN.EXE
  • FPROT.EXE
  • FRW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JEDI.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE