Win32.MyDoom.S@mm
MEDIUM
MEDIUM
Size: 27136 bytes (packed with UPX)
Aliases: I-Worm.Mydoom.q (KAV), W32.Mydoom.Q@mm (NAV)
Symptoms
Presence of "winpsd.exe" in the %system% folder (e.g. C:\Windows\System32), in the process list, and in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" under the value name "winpsd".
Presence of "rasor38a.dll" in the %windir% folder (e.g. C:\Windows); this file is a copy of the worm.
Removal instructions:
IMPORTANT! The tool must be run in Safe Mode in order to detect and clean one or more stealth components of the MyDoom worm.
Manual removal:
- open Task Manager by pressing CTRL+ALT+DEL and select End Process on winpsd.exe
- delete %system%\winpsd.exe and %windows%\rasor38a.dll
- open Registry Editor (regedit) and remove this value: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winpsd
Automatic removal: let BitDefender disinfect infected files
Analyzed By
Ciubotariu Mircea, BitDefender Antivirus Researcher
Technical Description:
spreads via email as an attachment named "photos_arc.exe"; the subject of the email is "Photos", the body is "LOL!;))))", and the sender address is spoofed
it avoids sending itself to email addresses containing certain sub-strings
downloads a file as "winvpn32.exe" from the following addresses and executes it:
http://www.xxxxxxxxxx.com/ispy.1.jpg
http://www.xxxxxxxxxx.com/coco3.jpg
http://www.xxxxxxxxxx.com/guestbook/temp/temp587.gif
http://xxxxxxxxxxx.com/guestbook/temp/temp728.gif
the downloaded file is Backdoor.Surila, a component with stealth capabilities that makes it invisible in the process list and on the hard drive
when the download of the backdoor component succeeds, the following registry key is added as a marker: "HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX", set to "1"
checks the mutex "43jfds93872" in order to avoid reinfection
copies itself to "%system%\winpsd.exe" and "%windows%\rasor38a.dll"
adds to the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" the value "winpsd", which points to "%system%\winpsd.exe"
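The following PowerShell script is an added example, not BitDefender's removal tool, that checks a host for the indicators listed under Symptoms and in the technical description: the two file copies, the running process, the "winpsd" Run value, the "InstaledFlashhMX" marker and the "43jfds93872" mutex. It only reports; it removes nothing. Because the page does not say whether the marker is a subkey or a value under the Internet Explorer key, the script checks for both (an assumption), and it follows the advisory's note that a clean result outside Safe Mode is not conclusive against the stealth component.

```powershell
# Added example (not BitDefender's tool): read-only check for Win32.MyDoom.S@mm indicators.
function Test-MyDoomS {
    $indicators = @()

    # 1. File copies: %system%\winpsd.exe and %windir%\rasor38a.dll
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\winpsd.exe'),
        (Join-Path $env:SystemRoot 'rasor38a.dll')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $indicators += "file present: $p" }
    }

    # 2. Running process named winpsd
    $proc = Get-Process -Name 'winpsd' -ErrorAction SilentlyContinue
    if ($proc) { $indicators += "process running: winpsd.exe (PID $($proc.Id -join ','))" }

    # 3. Start-up entry: value "winpsd" under the HKLM Run key
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'winpsd' -ErrorAction SilentlyContinue
    if ($runVal) { $indicators += "Run value winpsd -> $($runVal.winpsd)" }

    # 4. Marker written after a successful Backdoor.Surila download.
    #    Assumption: the page does not say whether InstaledFlashhMX is a value or a subkey, so check both.
    $ieKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer'
    $markerVal = Get-ItemProperty -Path $ieKey -Name 'InstaledFlashhMX' -ErrorAction SilentlyContinue
    $markerSubkey = Test-Path -LiteralPath (Join-Path $ieKey 'InstaledFlashhMX')
    if ($markerVal -or $markerSubkey) {
        $indicators += 'marker InstaledFlashhMX present (backdoor download succeeded)'
    }

    # 5. Reinfection mutex: opening it (not creating it) tells us whether a worm instance holds it
    $mutex = $null
    if ([System.Threading.Mutex]::TryOpenExisting('43jfds93872', [ref]$mutex)) {
        $indicators += 'mutex 43jfds93872 exists (worm instance running)'
        $mutex.Dispose()
    }

    if ($indicators.Count -eq 0) {
        Write-Output 'No Win32.MyDoom.S@mm indicators found.'
        Write-Output 'Backdoor.Surila hides its files and processes; repeat this check and the scan in Safe Mode before treating the host as clean.'
    } else {
        Write-Output 'Win32.MyDoom.S@mm indicators found:'
        $indicators | ForEach-Object { Write-Output "  $_" }
    }
    return $indicators
}

Test-MyDoomS
```

Run it from an elevated PowerShell prompt so the HKLM Run key and System32 are readable; the function returns the list of indicator strings, which makes it easy to feed into a fleet-wide sweep.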