Virus Profile: W32/Mydoom.v@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 9/9/2004
Date Added: 9/10/2004
Origin: Unknown
Length: 18,432
Type: Virus
Subtype: Internet Worm
DAT Required: 4391

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry keys listed in the Virus Characteristics section.
  • Outgoing network traffic to port 25.
  • HTTP traffic to one of the download sites listed in the Virus Characteristics section, as the worm attempts to download BackDoor-CEB.c.

    Methods of Infection

    This virus spreads via email. Victims must manually choose to execute the infected attachment. Once running, the virus harvests addresses from files with the extensions listed in the Virus Characteristics section.

    Aliases

    MyDoom.R@mm (Norman), W32.Mydoom.T@MM (Symantec), W32/MyDoom-V (Sophos), Win32.Mydoom.W (CA), WORM_MYDOOM.P (Trend)
       

    Virus Characteristics

      -- Update September 10, 2004 --
    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    http://edition.cnn.com/2004/TECH/internet/09/10/mydoom.virus.reut/

    --

    This new variant, packed with UPX, bears the following characteristics:

    • contains its own SMTP engine for constructing messages
    • harvests target email addresses from the victim machine
    • forges the From: header of outgoing messages
    • downloads BackDoor-CEB.c over HTTP

    Details

    From: (spoofed From: header)
    Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server claiming that you are infected, which may not be the case.

    The From address is either one of the harvested addresses or is constructed by taking a common name carried within the virus body and prepending it to the recipient's domain name (e.g. john@mydomain.com).

    The common names used are as follows:

    • Porter 
    • Tucker 
    • Stevens
    • Simpson
    • Webb   
    • Wells  
    • Freeman
    • Murray 
    • Gomez  
    • Ortiz  
    • Marshall   
    • Cruz   
    • Parker 
    • Campbell
    • Phillips   
    • Turner 
    • Roberts
    • Perez  
    • Mitchell   
    • Carter 
    • Nelson 
    • Gonzalez   
    • Baker  
    • Adams  
    • Green  
    • Hill   
    • Lopez  
    • Wright 
    • King   
    • Hernandez  
    • Young  
    • Allen  
    • Hall   
    • Walker 
    • Lee
    • Lewis  
    • Rodriguez  
    • Clark  
    • Robinson   
    • Martinez   
    • Garcia 
    • Thompson   
    • Martin 
    • Harris 
    • White
    • Jackson
    • Anderson   
    • Taylor 
    • Moore  
    • Wilson 
    • Miller 
    • Davis  
    • Brown  
    • Jones  
    • Williams   
    • Johnson
    • Smith  
    • Leon   
    • Tommy  
    • Lloyd  
    • Bill   
    • Ronnie 
    • Jon
    • Alex   
    • Calvin 
    • Tom
    • Jim
    • Jay
    • Oscar  
    • Miguel 
    • Clifford   
    • Theodore   
    • Micheal
    • Marcus 
    • Francisco  
    • Leroy  
    • Mario  
    • Bernard
    • Alexander
    • Barry  
    • Randall
    • Troy   
    • Ricky  
    • Carl   
    • Henry  
    • Douglas
    • Harold 
    • Peter  
    • Patrick
    • Walter 
    • Dennis 
    • Jerry  
    • Joshua 
    • Gregory
    • Raymond
    • Andrew
    • Stephen
    • Eric   
    • Scott  
    • Frank  
    • Jeffrey
    • Larry  
    • Jose   
    • Timothy
    • Gary   
    • Matthew
    • Jason  
    • Kevin  
    • Anthony
    • Ronald 
    • Brian  
    • Edward 
    • Steven 
    • Kenneth
    • George 
    • Donald 
    • Mark   
    • Paul   
    • Daniel 
    • Christopher
    • Thomas 
    • Joseph 
    • Charles
    • Richard
    • David  
    • William
    • Michael
    • Robert 
    • John   
    • James  

    The worm searches for email addresses on the local hard drive within files with these file extensions:

    • wab
    • xls
    • vbs
    • uin
    • txt
    • tbb
    • stm
    • sht
    • php
    • msg
    • mht
    • jsp
    • htm
    • eml
    • dht
    • dbx
    • cgi
    • cfg
    • asp

    The virus avoids emailing itself to target domains containing any of the following strings:

    • gold-certs 
    • feste  
    • submit 
    • help   
    • service
    • privacy
    • somebody
    • contact
    • site   
    • someone
    • anyone 
    • nothing
    • nobody 
    • noreply
    • noone  
    • webmaster  
    • news   
    • rating 
    • postmaster 
    • samples
    • info   
    • root   
    • www
    • upport 
    • abuse  
    • accoun 
    • certific   
    • listserv   
    • bsd
    • ntivi  
    • admin  
    • icq.com
    • mozilla
    • utgers.ed  
    • tanford.e  
    • pgp
    • acketst
    • secur  
    • isc.o  
    • isi.e
    • ripe.  
    • arin.  
    • sendmail   
    • rfc-ed 
    • ietf   
    • iana   
    • usenet 
    • fido   
    • kernel 
    • google 
    • ibm.com
    • fsf.   
    • gnu
    • mit.e  
    • math   
    • berkeley   
    • support
    • messagelabs
    • antivi 
    • kasp   
    • linux  
    • unix   
    • spam   
    • @iana  
    • @foo.  
    • .mil   
    • gov.   
    • .gov   
    • icrosoft   
    • ruslis 
    • nodomai
    • mydomai
    • example
    • inpris 
    • borlan 
    • sopho  
    • panda  
    • icrosof
    • syman  
    • avp.   
    • -._!   

    Subject:

    The subject can be empty or random, but can also be taken from a hardcoded list. For example, the subject may look like:

    • You win!   
    • thanks!
    • Thank you! 
    • read it immediately
    • Re: Your document  
    • Re: Status 
    • Re: Question   
    • Re: Proof of concept   
    • Re: Message
    • Re: Hi 
    • Re: Hello
    • Private document   
    • Notice again   
    • News   
    • my 
    • Information
    • important  
    • Hi!
    • hi 
    • here       
    • hello  


    Body:

    Like the subject, the body can be empty or contain random characters, but it can also contain strings from this hardcoded list:

    • screensaverlol!
    • fun photos 
    • New game   
    • relax  
    • Virus removal tool 
    • You are infected by virus.
    • Run this exe apply this patch!  
    • apply patch.   
    • game   
    • fun game!  
    • fun!   
    • lol!   
    • See the file.  
    • See attached file for details. 
    • Please read the important document.
    • Please read the attached file. 
    • Please confirm the document.   
    • I have attached document.  
    • Your requested mail has been attached. 
    • Your archive is attached.  
    • Waiting for a Response.
    • Please read the attachment. Thanks!
    • Please see the attached file for details   
    • Please read the document.  
    • Please read the attached file! 
    • Please confirm!
    • Please answer quickly!
    • Monthly news report.   
    • For more details see the attachment.   
    • For further details see the attachment.
    • Can you confirm it?

    Followed by one of these strings:

    • Norton AntiVirus - www.symantec.de 
    • F-Secure AntiVirus - www.f-secure.com  
    • Norman AntiVirus - www.norman.com  
    • Panda AntiVirus - www.pandasoftware.com
    • Kaspersky AntiVirus - www.kaspersky.com
    • MC-Afee AntiVirus - www.mcafee.com 
    • Bitdefender AntiVirus - www.bitdefender.com
    • MessageLabs AntiVirus - www.messagelabs.com

    Attachment:

    The worm attaches itself to the mails using one of the filenames it carries, combined with one of the following file extensions:

    • .EXE
    • .SCR

    The worm is also able to send itself as a ZIP attachment.

    Example:

    • info.zip
    • new.exe
    • pic.exe
    • lol.scr
    • photo.exe
    • new.zip
    • report.zip
    • antivirus.exe
    • message,.zip
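    As an added example, not code from the McAfee profile, the mail indicators above can be turned into a single message check: the forged From address built from a common name at the recipient's own domain, a subject from the hardcoded list, the fake antivirus trailer, and the worm's attachment extensions. The indicator sets below are subsets of the page's lists and the sample message is constructed, not a real capture.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicator subsets copied from the W32/Mydoom.v@MM profile above.
COMMON_NAMES = {"smith", "johnson", "jones", "john", "james", "robert", "michael", "porter"}
SUBJECTS = {"you win!", "thanks!", "thank you!", "read it immediately",
            "re: your document", "re: status", "re: question", "hi!"}
AV_TRAILERS = ("norton antivirus - www.symantec.de", "mc-afee antivirus - www.mcafee.com",
               "kaspersky antivirus - www.kaspersky.com", "panda antivirus - www.pandasoftware.com")
WORM_EXTENSIONS = (".exe", ".scr", ".zip")

def mydoom_v_indicators(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # From: is either a harvested address or <common name>@<recipient's own domain>.
    sender = parseaddr(msg.get("from", ""))[1].lower()
    recipient = parseaddr(msg.get("to", ""))[1].lower()
    if "@" in sender and "@" in recipient:
        local, domain = sender.rsplit("@", 1)
        if local in COMMON_NAMES and domain == recipient.rsplit("@", 1)[1]:
            hits.append("forged_from")
    if (msg.get("subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and any(t in body.get_content().lower() for t in AV_TRAILERS):
        hits.append("body_trailer")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(WORM_EXTENSIONS):
            hits.append(f"attachment:{name}")
    return hits

# Constructed sample (not a real capture): forged From, hardcoded subject, AV trailer, .zip.
SAMPLE = b"""From: smith@victim.test
To: alice@victim.test
Subject: Re: Your document
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Please read the attached file.
Norton AntiVirus - www.symantec.de
--bnd
Content-Disposition: attachment; filename="report.zip"

AAAA
--bnd--
"""
```

    Running `mydoom_v_indicators(SAMPLE)` reports all four indicators; a message that matches only one of them is a weak signal on its own, since the subject and body strings also occur in legitimate mail.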

    After execution, the worm copies itself to the %windir%\system32 folder as windrv32.exe and creates the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\windrv32.exe

    Additionally, it copies itself to

    • C:\Documents and Settings\(Current User)\Start Menu\Programs\Startup\autostart.exe

    It tries to download BackDoor-CEB.c from these sites:

    • http://www.llc.unibo.it/
    • http://www.surrenderzeeland.nl/
    • http://www.mercyships.de/
    • http://www.hiw.kuleuven.ac.be/
    • http://www.ach.ch/
    • http://vugs.geog.uu.nl/
    • http://www.planetboredom.net/
    • http://guttorm.hveem.no/
       

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations