BitDefender Antivirus

Win32.Mydoom.R@mm

Spreading: very low
Damage: low
Size: 17408 (packed)
Discovered: 2004 Aug 09

SYMPTOMS:

Presence of mutex 'SwebSipcSmtxS1'.
Presence of files 'zsdssfds.exe' and 'taskmon.exe' in %SYSDIR%.

TECHNICAL DESCRIPTION:

The worm comes by mail, with the following characteristics:

Mail body:

'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'test'

Mail subject:

'Mail Delivery System'
'Mail Transaction Failed'
'Server Report'
'Status'
'Error'

The sender of the mail is spoofed.
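As an added illustration (not part of BitDefender's description), the mail traits listed above can be turned into a simple mailbox-side detection: parse a raw message, compare its subject and body text against the known strings, and look for a binary attachment. The sample message, the attachment name and the set of executable extensions are constructed assumptions for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects and body texts from the Win32.Mydoom.R@mm description above
MYDOOM_SUBJECTS = {
    "Mail Delivery System", "Mail Transaction Failed",
    "Server Report", "Status", "Error",
}
MYDOOM_BODIES = {
    "This is a multi-part message in MIME format.",
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "test",
}
# Assumption for this example: these extensions count as a "binary attachment"
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".cmd", ".bat", ".zip")


def mydoom_r_indicators(raw: bytes) -> dict:
    """Report which of the described traits a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return {
        "subject": subject in MYDOOM_SUBJECTS,
        "body": body in MYDOOM_BODIES,
        "binary_attachment": any(n.endswith(EXEC_SUFFIXES) for n in names),
    }


def looks_like_mydoom_r(raw: bytes) -> bool:
    """Flag only when the attachment is present plus at least one text trait."""
    hits = mydoom_r_indicators(raw)
    return hits["binary_attachment"] and (hits["subject"] or hits["body"])


def build_sample() -> bytes:
    """Constructed sample message carrying the described traits (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"  # spoofed sender, as the description notes
    msg["To"] = "user@example.com"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="message.exe")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed benign message: a matching subject but only a text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Status"
    msg.set_content("Status report for Monday attached.")
    msg.add_attachment("nothing to see", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```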

Once executed, the worm:
- copies itself to the Windows System directory as taskmon.exe;
- opens Notepad with some binary data in it;
- checks whether it is already running by means of the mutex 'SwebSipcSmtxS1';
- searches files with the extensions wab, htm, sht, php, asp, dbx, tbb and adb for mail addresses;
- also checks the default Windows Address Book file;
- uses DNS and the registry in order to find an SMTP server;
- opens multiple threads for sending mail;
- downloads the file at 'http://jljfytdtk.chat.ru/DSC00173.jpg' and saves it as 'zsdssfds.exe'.

This worm is by no means special.

Removal instructions:

Identify and kill the process (if active), then remove the registry keys and files from the system.
Automatic removal: let BitDefender disinfect infected files.

ANALYZED BY:

Alexandru Carp,
BitDefender Virus Researcher