Win32.Mydoom.M@mm

MEDIUM
MEDIUM
~30kb.
(MyDoom)

Symptoms

Presence of files %Windir%/java.exe, with a size of about 30kb and the icon of an email, and the file %Windir%/Services.exe, with a size of 8kb.

Presence of the following registry keys:
    HKLM\Software\Microsoft\Daemon\
    HKCU\Software\Microsoft\Daemon\
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM = "%Windir%/java.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services = "%Windir%/services.exe"

Unusual hard disk and internet activity.

The application %Windir%/services.exe is listening on port 1034.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Petrea Ruslan, virus researcher

Technical Description:

Win32.MyDoom.M@mm is a mass mailing worm with a backdoor component which listens on port 1034.
The worm is packed with UPX and its size can vary from 28kb to 30kb.

When executed it creates a copy of itself named %Windir%/java.exe and drops a backdoor component called %Windir%/services.exe.

In order to be executed at startup it creates the following registry keys and values:

    HKLM\Software\Microsoft\Daemon\
    HKCU\Software\Microsoft\Daemon\
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM = "%Windir%/java.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services = "%Windir%/services.exe"

The worm searches the system for email addresses, ignoring those containing:
        mailer-d
        spam
        abuse
        master
        sample
        accoun
        privacycertific
        bugs
        listserv
        submit
        ntivi
        support
        admin
        page
        the.bat
        gold-certs
        ca
        feste
        not
        help
        foo
        no
        soft
        site
        rating
        me
        you
        your
        someone
        anyone
        nothing
        nobody
        noone
        info
        winrar
        winzip
        rarsoft
        sf.net
        sourceforge
        ripe.
        arin.
        google
        gnu.
        gmail
        seclist
        secur
        bar.
        foo.com
        trend
        update
        uslis
        domain
        example
        sophos
        yahoo
        spersk
        panda
        hotmail
        msn.
        msdn.
        microsoft
        sarc.
        syma
        avp

It also looks for e-mail addresses in open Outlook windows and may use the following search engines for the same purpose:
       http://search.lycos.com
       http://www.altavista.com
       http://search.yahoo.com
       http://www.google.com

Then, using its own SMTP engine, the worm will send e-mails to the addresses it has found.

The subject will resemble one of the following:
    hello  
    hi 
    error  
    status 
    test   
    report 
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail  
    Delivery reports about your e-mail 
    Returned mail: see transcript for details  
    Returned mail: Data format error 

The message will contain the worm in an attachment, with one of the following file names:
    readme
    instruction
    transcript
    mail
    letter
    file
    text
    attachment
    document
    message

The file has a double extension, the first being one of ".doc", ".txt", ".htm" or ".html", and the second ".cmd", ".bat", ".com", ".exe", ".scr" or ".pif".

The attachment may or may not be zipped.
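A mail-gateway check built from the subject lines, attachment names and double extensions listed above, added here as an illustration (it is not Bitdefender's code): it flags an attachment that follows the worm's naming pattern and, because the attachment may be zipped, also opens a ZIP attachment and checks its member names. The sample ZIP is constructed inline with a harmless placeholder payload.

```python
import io
import zipfile

# Indicators transcribed from the description above (lowercased for matching).
SUBJECTS = {"hello", "hi", "error", "status", "test", "report", "delivery failed",
            "message could not be delivered", "mail system error - returned mail",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details",
            "returned mail: data format error"}
BASENAMES = {"readme", "instruction", "transcript", "mail", "letter", "file",
             "text", "attachment", "document", "message"}
FIRST_EXT = {"doc", "txt", "htm", "html"}
SECOND_EXT = {"cmd", "bat", "com", "exe", "scr", "pif"}

def is_worm_filename(name: str) -> bool:
    """True if name follows the worm's <base>.<document-ext>.<executable-ext> pattern."""
    parts = name.strip().lower().split(".")
    return (len(parts) == 3 and parts[0] in BASENAMES
            and parts[1] in FIRST_EXT and parts[2] in SECOND_EXT)

def suspicious_names(filename: str, content: bytes) -> list:
    """Matching names for one attachment; a ZIP is opened and its members checked."""
    if is_worm_filename(filename):
        return [filename]
    if zipfile.is_zipfile(io.BytesIO(content)):
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            return [m for m in zf.namelist() if is_worm_filename(m.rsplit("/", 1)[-1])]
    return []

def classify(subject: str, attachments: list) -> dict:
    """Verdict for one message: matching attachment -> block, subject alone -> review."""
    hits = {}
    for fname, data in attachments:
        found = suspicious_names(fname, data)
        if found:
            hits[fname] = found
    subject_hit = " ".join(subject.split()).lower() in SUBJECTS
    verdict = "block" if hits else ("review" if subject_hit else "pass")
    return {"subject_match": subject_hit, "attachment_hits": hits, "verdict": verdict}

def build_sample_zip(member: str) -> bytes:
    """Constructed test attachment: a ZIP holding a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")
    return buf.getvalue()
```

A subject hit on its own only yields "review", since several of the subjects (hello, hi, test) are common in legitimate mail.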