BitDefender Antivirus

Win32.MyDoom.S@mm

Aliases: I-Worm.Mydoom.q (KAV), W32.Mydoom.Q@mm (NAV)
Spreading: medium
Damage: medium
Size: 27136 bytes (packed with UPX)
Discovered: 2004 Aug 16

SYMPTOMS:

Presence of "winpsd.exe" in the %system% folder (e.g. C:\Windows\System32) and in the process list, and a value named "winpsd" under the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

Presence of "rasor38a.dll" in the %windir% folder (e.g. C:\Windows); this file is a copy of the worm.

TECHNICAL DESCRIPTION:

  • spreads via email as an attachment named "photos_arc.exe"; the subject of the email is "Photos" and the body is "LOL!;))))"; the sender address is spoofed, so it does not identify the infected machine

  • skips e-mail addresses that contain any of several hard-coded sub-strings

  • downloads a file from one of the following addresses (domains masked), saves it as "winvpn32.exe" and executes it:
    http://www.xxxxxxxxxx.com/ispy.1.jpg
    http://www.xxxxxxxxxx.com/coco3.jpg
    http://www.xxxxxxxxxx.com/guestbook/temp/temp587.gif
    http://xxxxxxxxxxx.com/guestbook/temp/temp728.gif

  • the downloaded file is Backdoor.Surila, a component with stealth (rootkit) capabilities that hides it from the process list and from the file system

  • when the download of the backdoor component succeeds, the registry key "HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX" is set to "1" as a marker

  • checks for the mutex "43jfds93872" in order to avoid reinfecting an already infected host

  • copies itself to "%system%\winpsd.exe" and "%windir%\rasor38a.dll"

  • adds the value "winpsd", pointing to "%system%\winpsd.exe", under the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
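The carrier message described above can be recognised at the mail gateway from the indicators alone. The following is an added example (not BitDefender's code) that scores a raw RFC 822 message against the subject, body and attachment name from the description and additionally checks that the attachment really is a Windows executable ("MZ" header) of the advisory's size. The sender is spoofed, so the From: header is deliberately not used as evidence. The sample message and its inert "MZ" stub are constructed here; no real malware is involved.

```python
"""Mail-gateway check for the Win32.MyDoom.S@mm carrier message.

Added example, not BitDefender's code. Flags a message when the indicators
from the technical description line up: subject "Photos", body "LOL!;))))",
an attachment named "photos_arc.exe" whose payload is a Windows executable
(starts with "MZ") of the advisory's size. The sender is spoofed, so the
From: header is deliberately not used as evidence. The sample message and
its inert "MZ" stub are constructed here; no real malware is involved.
"""
import email
from email import policy
from email.message import EmailMessage

WORM_SUBJECT = "Photos"
WORM_BODY = "LOL!;))))"
WORM_ATTACHMENT = "photos_arc.exe"
WORM_SIZE = 27136          # bytes, UPX-packed, per the advisory


def score_message(raw: bytes) -> dict:
    """Return which MyDoom.S indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": (msg.get("Subject") or "").strip() == WORM_SUBJECT,
            "body": False, "attachment_name": False,
            "attachment_pe": False, "attachment_size": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            payload = part.get_payload(decode=True) or b""
            if fname.lower() == WORM_ATTACHMENT:
                hits["attachment_name"] = True
                hits["attachment_pe"] = payload[:2] == b"MZ"
                hits["attachment_size"] = len(payload) == WORM_SIZE
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() == WORM_BODY:
                hits["body"] = True
    return hits


def is_mydoom_s(raw: bytes) -> bool:
    """Quarantine verdict: the attachment name plus a PE payload is enough;
    subject and body only raise confidence (the author can change them)."""
    h = score_message(raw)
    return h["attachment_name"] and h["attachment_pe"]


def build_sample() -> bytes:
    """Constructed carrier message for testing (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"       # spoofed in the real worm
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = WORM_SUBJECT
    msg.set_content(WORM_BODY)
    stub = b"MZ" + b"\x00" * (WORM_SIZE - 2)      # inert padding, not the worm
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename=WORM_ATTACHMENT)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    print(score_message(sample))
    print("quarantine" if is_mydoom_s(sample) else "deliver")
```

The verdict rests on the attachment name plus the PE header rather than on subject or body text, because a later variant can change the lure text while the ".exe" attachment is the part it cannot do without; matching the exact size is reported separately because a repacked sample would differ in size.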
REMOVAL INSTRUCTIONS:

IMPORTANT! The removal tool must be run in Safe Mode in order to detect and clean the stealth components of the MyDoom worm: the Backdoor.Surila component hides its own files and process while Windows is running normally.

Manual removal:
  • open Task Manager (CTRL+ALT+DEL), select winpsd.exe and click End Process
  • delete %system%\winpsd.exe and %windir%\rasor38a.dll
  • open the Registry Editor (Start > Run, type regedit) and remove the value "winpsd" from the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • these steps remove the worm itself; if the marker key HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX is present, the backdoor was downloaded as well and the Safe Mode run of the tool is still required

Automatic removal: let BitDefender disinfect infected files
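The indicators above can be checked on a host without deleting anything. The following is an added example (not BitDefender's removal tool): collect() reads the two dropped files, the Run value, the InstaledFlashhMX marker key and the mutex from a live Windows host, and evaluate() turns such a snapshot into a verdict. evaluate() is pure, so it also runs on a snapshot recorded elsewhere or on the constructed SAMPLE_SNAPSHOT in the block. The snapshot field names are this example's own. A live scan is only trustworthy from Safe Mode, for the reason given in the removal notes.

```python
"""Host triage for Win32.MyDoom.S@mm indicators.

Added example, not BitDefender's removal tool. collect() reads the indicators
named in the advisory from a live Windows host; evaluate() maps a snapshot to
a verdict and is pure, so it runs anywhere (e.g. on SAMPLE_SNAPSHOT below).
Snapshot field names are this example's own. Nothing here deletes anything,
and a live scan is only trustworthy from Safe Mode: the Backdoor.Surila
component hides its files and process from normal-mode enumeration.
"""
import os
import platform

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winpsd"
MARKER_KEY = r"SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX"
MUTEX_NAME = "43jfds93872"
SYNCHRONIZE = 0x00100000          # access right passed to OpenMutexW
ERROR_ACCESS_DENIED = 5

# Constructed snapshot of an infected host, for running evaluate() offline.
SAMPLE_SNAPSHOT = {
    "winpsd_exe": True,
    "rasor38a_dll": True,
    "run_value": r"C:\Windows\System32\winpsd.exe",
    "marker_key": True,
    "mutex": True,
}


def mutex_exists(name: str) -> bool:
    """True if a named mutex is open on this host (Windows only)."""
    if platform.system() != "Windows":
        return False
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    # Access denied means the mutex exists but belongs to another session.
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def registry_value(root, path: str, name: str):
    """Read a registry value, or None if the key or value is absent."""
    import winreg
    try:
        with winreg.OpenKey(root, path) as key:
            return str(winreg.QueryValueEx(key, name)[0])
    except OSError:
        return None


def registry_key_exists(root, path: str) -> bool:
    """True if the registry key can be opened."""
    import winreg
    try:
        with winreg.OpenKey(root, path):
            return True
    except OSError:
        return False


def collect() -> dict:
    """Gather the advisory's indicators from the running host."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    snap = {
        "winpsd_exe": os.path.isfile(os.path.join(windir, "System32", "winpsd.exe")),
        "rasor38a_dll": os.path.isfile(os.path.join(windir, "rasor38a.dll")),
        "run_value": None,
        "marker_key": False,
        "mutex": mutex_exists(MUTEX_NAME),
    }
    if platform.system() == "Windows":
        import winreg
        snap["run_value"] = registry_value(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, RUN_VALUE)
        snap["marker_key"] = registry_key_exists(winreg.HKEY_CURRENT_USER, MARKER_KEY)
    return snap


def evaluate(snap: dict) -> dict:
    """Map a snapshot to findings; each finding names one advisory indicator."""
    findings = []
    if snap.get("winpsd_exe"):
        findings.append(r"%system%\winpsd.exe present")
    if snap.get("rasor38a_dll"):
        findings.append(r"%windir%\rasor38a.dll present")
    run_value = snap.get("run_value") or ""
    if run_value.lower().endswith("winpsd.exe"):
        findings.append(f"Run value {RUN_VALUE} -> {run_value}")
    if snap.get("mutex"):
        findings.append(f"mutex {MUTEX_NAME} is open (worm running)")
    if snap.get("marker_key"):
        findings.append("InstaledFlashhMX marker set: Backdoor.Surila was downloaded")
    return {
        "infected": bool(findings),
        "worm_running": bool(snap.get("mutex")),
        "backdoor_downloaded": bool(snap.get("marker_key")),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in evaluate(collect())["findings"] or ["no MyDoom.S indicators found"]:
        print(line)
```

The marker key is reported as its own finding because it changes the clean-up scope: file and Run-value hits alone are covered by the manual steps, while the marker means the hidden backdoor is also present and the Safe Mode tool run is needed.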

ANALYZED BY:

Ciubotariu Mircea, BitDefender Antivirus Researcher