Virus Profile: W32/Mydoom.f@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/19/2004
Date Added: 2/19/2004
Origin: Unknown
Length: Varies
Type: Virus
Subtype: E-mail worm
DAT Required: 4327
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Upon executing the virus, a fake error message is displayed as in the following image.  The message can also be "File can not be opened" or "Unable to open specified file".  Notepad may be run, displaying non-readable characters, similar in the .a variant.

 

  • Existence of the files and registry entries listed above
  • Two marker registry keys are created:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Shell
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Shell

Methods of Infection

Aliases

I-Worm.Mydoom.e (AVP), W32/Mydoom-F (Sophos), W32/Mydoom.F.worm (Panda), WORM_MYDOOM.F (Trend)
   

Virus Characteristics

-- Update March 11, 2004 --
 The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update February 23rd, 2004 --
The risk assessment of this threat has been raised to Medium due to increased prevalence.

Mydoom only infects systems running Microsoft Windows.

If you think that you may be infected with Mydoom, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This is a mass-mailing and share-hopping worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • contains ability to copy itself to mapped drives
  • contains a backdoor component
  • contains a Denial of Service payload
  • contains payload of deleting files

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case

Subject: (Varies, such as)

  • (Blank)
  • Announcement
  • ApprovedNews
  • Attention
  • automatic responder
  • Bug
  • Current Status
  • EXPIRED ACCOUNT
  • For your information
  • hello
  • hi, it's me
  • hi
  • IMPORTANT
  • Information Warning
  • Love is Love is...
  • Please read
  • Please reply
  • Re: Approved
  • Re: Thank You
  • Re:
  • Read it immediately
  • read now!
  • Read this
  • Readme
  • Recent news
  • Recent news
  • Something for you
  • Undeliverable message
  • Unknown
  • You have 1 day left
  • You use illegal File Sharing...
  • Your IP was logged
  • Your account is about to be expired
  • Your credit card
  • Your order is being processed
  • Your order was registered
  • Your request is being processed
  • Your request was registered

Body: (Varies, such as)

  • Check the attached document.
  • Details are in the attached document. You need Microsoft Office to open it.
  • Greetings
  • Here is the document.
  • Here it is
  • I have your password :)
  • I wait for your reply.
  • I wait for your reply.
  • I'm waiting Okay
  • I'm waiting
  • Information about you
  • Is that from you?
  • Is that yours?
  • Kill the writer of this document!
  • OK  Everything ok?
  • Please see the attached file for details
  • Please, reply
  • Read the details.
  • Reply
  • See the attached file for details
  • See you Here it is
  • See you
  • Something about you
  • Take it
  • The document was sent in compressed format.
  • We have received this document from your e-mail.
  • You are a bad writer
  • You are bad

Attachment: (Varies [.cmd, .bat, .pif, .com, .scr, .exe] - often arrives in a zip archive)

  • creditcard.bat
  • creditcard.zip
  • details.zip
  • mail.zip
  • notes.zip
  • part1.zip
  • paypal.zip
  • photo.zip
  • textfile.zip
  • vpf.zip
  • website.zip
  • %random characters%.zip

The icon used by the file tries to make it appear as if the attachment is a text file:

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory using random filenames (Eg: hiruszomrk.exe)

  • %SYSDIR%\hiruszomrk.exe

(Where %SYSDIR% is the Windows System directory, for example C:\windows\system)

It creates the following registry entry to hook the Windows startup, inserting the previously generated filename:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "nhch" = %SYSDIR%\hiruszomrk.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "nhch" = %SYSDIR%\hiruszomrk.exe

Note: the key "nhch" is also randomly generated.

The virus also uses a DLL that it creates in the Windows System directory using random filenames (Eg: vppu.dll):

  • %SYSDIR%\vppu.dll (8,068 bytes)

The worm enumerates the current running processes.  It attempts to shut down processes with the following names:

  • avp.
  • avp32
  • intrena
  • mcafe
  • navapw
  • navw3
  • norton
  • reged
  • taskmg
  • taskmo

Shared drives propagation

The worm makes copies of itself as .zip archives or .exe in different directories on local and mapped drives. The filenames are random alphabetical names and are 34 Kbytes in size.

The worm searches local and mapped drives to delete a percentage of files with the following extensions: [*.bmp*, *.avi*, *.jpg*, *.sav*, *.xls*, *.doc*, *.mdb*]

Remote Access Component

The worm listens on port 1080 on the infected machine.  It also opens a list of other ports.  The range of ports are from 3000 ~ 5000.

Denial of Service Component

If the system date is between 17th and 22nd of any month, the worm will perform a denial of service attack against the following websites:

  • www.microsoft.com
  • www.riaa.com

The denial of service executes by creating random number of threads each of which makes a HTTP GET request from random ports on the infected machines to port 80 of the target sites.

   
All Users :
Use specified engine and DAT files for detection and removal.

Stinger
 Stinger  has been updated to assist in detecting and repairing this threat.

Additional Windows ME/XP removal considerations

McAfee Security Threatscan:

ThreatScan signatures that can detect the W32/Mydoom.f@MM virus are available from:

ThreatScan Signature version: 2004-02-23

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4065

ThreatScan users can also detect the virus by running a Resource Discovery Task using the following settings:

-Select TCP Port scan
 -Enter ports: 1080,3000-5000

McAfee IntruShield
McAfee Intrushield may detect W32/Mydoom.f@MM traffic with one of the following signatures:
  • SMTP: Worm Detected in Attachment
  • STMP: Possible Virus Attachment File with Double Extension

In addition, an additional W32/Mydoom.f@MM signature was released on 2/24/2004.

McAfee Security Desktop Firewall
 To prevent possible remote access McAfee Desktop Firewall users can temporarily block incoming TCP port 1080, and ports 3000-5000.