My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Mydoom.R@mm

VERY LOW
LOW
17408 (packed)

Symptoms

Presence of mutex 'SwebSipcSmtxS1'.
Presence of files 'zsdssfds.exe' and 'taskmon.exe' in %SYSDIR%.

Removal instructions:

Identify and kill the process ( if active ), then remove the registry keys and files from the system.
Automatic removal: let BitDefender disinfect infected files.

Analyzed By

Alexandru Carp BitDefender Virus Researcher

Technical Description:

The worm comes by mail, with the following characteristics:

Mail body:

'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'test'

Mail subject:

'Mail Delivery System'
'Mail Transaction Failed'
'Server Report'
'Status'
'Error'

The sender of the mail is spoofed.



Once executed, the worm:
- copies itself to Windows System directory as taskmon.exe;
- opens notepad with some binary data in it;
- checks for presence in memory by means of the mutex 'SwebSipcSmtxS1';
- searches in files with the extension wab,htm,sht,php,asp,dbx,tbb,adb for mail addresses;
- also checks the default Windows Addressbook file;
- uses DNS and the registry in order to find a STMP server;
- opens multiple threads for sending mail;
- downloads the file at 'http://jljfytdtk.chat.ru/DSC00173.jpg' as 'zsdssfds.exe'.

This worm is by no means special.