Virus Profile: W32/Mydoom.v@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 9/9/2004
Date Added: 9/10/2004
Origin: Unknown
Length: 18,432
Type: Virus
Subtype: Internet Worm
DAT Required: 4391

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry keys listed under Virus Characteristics.
  • Outgoing network traffic to port 25 (SMTP).
  • HTTP traffic to one of the sites listed under Virus Characteristics, as the worm attempts to download BackDoor-CEB.c.

    Methods of Infection

    This virus spreads via email. Victims must manually choose to execute the infected attachment. Once running, the virus harvests addresses from files with the extensions listed under Virus Characteristics.

    Aliases

    MyDoom.R@mm (Norman), W32.Mydoom.T@MM (Symantec), W32/MyDoom-V (Sophos), Win32.Mydoom.W (CA), WORM_MYDOOM.P (Trend)

    Virus Characteristics

      -- Update September 10, 2004 --
    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    http://edition.cnn.com/2004/TECH/internet/09/10/mydoom.virus.reut/

    --

    This new variant, packed with UPX, bears the following characteristics:

    • contains its own SMTP engine for constructing messages
    • harvests target email addresses from the victim machine
    • forges the From: header of outgoing messages
    • downloads BackDoor-CEB.c over HTTP

    Details

    From: (spoofed From: header)
    Do not assume that the sender address indicates that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

    The From address is either one of the harvested addresses or is constructed by taking a common name carried within the virus body and prepending it to the recipient's domain name (e.g. john@mydomain.com).

    The common names used are as follows:

    • Porter 
    • Tucker 
    • Stevens
    • Simpson
    • Webb   
    • Wells  
    • Freeman
    • Murray 
    • Gomez  
    • Ortiz  
    • Marshall   
    • Cruz   
    • Parker 
    • Campbell
    • Phillips   
    • Turner 
    • Roberts
    • Perez  
    • Mitchell   
    • Carter 
    • Nelson 
    • Gonzalez   
    • Baker  
    • Adams  
    • Green  
    • Hill   
    • Lopez  
    • Wright 
    • King   
    • Hernandez  
    • Young  
    • Allen  
    • Hall   
    • Walker 
    • Lee
    • Lewis  
    • Rodriguez  
    • Clark  
    • Robinson   
    • Martinez   
    • Garcia 
    • Thompson   
    • Martin 
    • Harris 
    • White
    • Jackson
    • Anderson   
    • Taylor 
    • Moore  
    • Wilson 
    • Miller 
    • Davis  
    • Brown  
    • Jones  
    • Williams   
    • Johnson
    • Smith  
    • Leon   
    • Tommy  
    • Lloyd  
    • Bill   
    • Ronnie 
    • Jon
    • Alex   
    • Calvin 
    • Tom
    • Jim
    • Jay
    • Oscar  
    • Miguel 
    • Clifford   
    • Theodore   
    • Micheal
    • Marcus 
    • Francisco  
    • Leroy  
    • Mario  
    • Bernard
    • Alexander
    • Barry  
    • Randall
    • Troy   
    • Ricky  
    • Carl   
    • Henry  
    • Douglas
    • Harold 
    • Peter  
    • Patrick
    • Walter 
    • Dennis 
    • Jerry  
    • Joshua 
    • Gregory
    • Raymond
    • Andrew
    • Stephen
    • Eric   
    • Scott  
    • Frank  
    • Jeffrey
    • Larry  
    • Jose   
    • Timothy
    • Gary   
    • Matthew
    • Jason  
    • Kevin  
    • Anthony
    • Ronald 
    • Brian  
    • Edward 
    • Steven 
    • Kenneth
    • George 
    • Donald 
    • Mark   
    • Paul   
    • Daniel 
    • Christopher
    • Thomas 
    • Joseph 
    • Charles
    • Richard
    • David  
    • William
    • Michael
    • Robert 
    • John   
    • James  

    The worm searches for email addresses on the local hard drive within files that have these file extensions:

    • wab
    • xls
    • vbs
    • uin
    • txt
    • tbb
    • stm
    • sht
    • php
    • msg
    • mht
    • jsp
    • htm
    • eml
    • dht
    • dbx
    • cgi
    • cfg
    • asp

    The virus avoids emailing itself to target domains containing any of the following strings:

    • gold-certs 
    • feste  
    • submit 
    • help   
    • service
    • privacy
    • somebody
    • contact
    • site   
    • someone
    • anyone 
    • nothing
    • nobody 
    • noreply
    • noone  
    • webmaster  
    • news   
    • rating 
    • postmaster 
    • samples
    • info   
    • root   
    • www
    • upport 
    • abuse  
    • accoun 
    • certific   
    • listserv   
    • bsd
    • ntivi  
    • admin  
    • icq.com
    • mozilla
    • utgers.ed  
    • tanford.e  
    • pgp
    • acketst
    • secur  
    • isc.o  
    • isi.e
    • ripe.  
    • arin.  
    • sendmail   
    • rfc-ed 
    • ietf   
    • iana   
    • usenet 
    • fido   
    • kernel 
    • google 
    • ibm.com
    • fsf.   
    • gnu
    • mit.e  
    • math   
    • berkeley   
    • support
    • messagelabs
    • antivi 
    • kasp   
    • linux  
    • unix   
    • spam   
    • @iana  
    • @foo.  
    • .mil   
    • gov.   
    • .gov   
    • icrosoft   
    • ruslis 
    • nodomai
    • mydomai
    • example
    • inpris 
    • borlan 
    • sopho  
    • panda  
    • icrosof
    • syman  
    • avp.   
    • -._!   

    Subject:

    The subject can be empty or random, but can also be taken from a hardcoded list. For example, the subject may look like:

    • You win!   
    • thanks!
    • Thank you! 
    • read it immediately
    • Re: Your document  
    • Re: Status 
    • Re: Question   
    • Re: Proof of concept   
    • Re: Message
    • Re: Hi 
    • Re: Hello
    • Private document   
    • Notice again   
    • News   
    • my 
    • Information
    • important  
    • Hi!
    • hi 
    • here       
    • hello  


    Body:

    Like the subject, the body can be empty or contain random characters, but it can also contain strings from this hardcoded list:

    • screensaverlol!
    • fun photos 
    • New game   
    • relax  
    • Virus removal tool 
    • You are infected by virus.
    • Run this exe apply this patch!  
    • apply patch.   
    • game   
    • fun game!  
    • fun!   
    • lol!   
    • See the file.  
    • See attached file for details. 
    • Please read the important document.
    • Please read the attached file. 
    • Please confirm the document.   
    • I have attached document.  
    • Your requested mail has been attached. 
    • Your archive is attached.  
    • Waiting for a Response.
    • Please read the attachment. Thanks!
    • Please see the attached file for details   
    • Please read the document.  
    • Please read the attached file! 
    • Please confirm!
    • Please answer quickly!
    • Monthly news report.   
    • For more details see the attachment.   
    • For further details see the attachment.
    • Can you confirm it?

    Followed by one of these strings:

    • Norton AntiVirus - www.symantec.de 
    • F-Secure AntiVirus - www.f-secure.com  
    • Norman AntiVirus - www.norman.com  
    • Panda AntiVirus - www.pandasoftware.com
    • Kaspersky AntiVirus - www.kaspersky.com
    • MC-Afee AntiVirus - www.mcafee.com 
    • Bitdefender AntiVirus - www.bitdefender.com
    • MessageLabs AntiVirus - www.messagelabs.com

    Attachment:

    The worm attaches itself to the mails using one of the filenames it contains, combined with one of the following file extensions:

    • .EXE
    • .SCR

    The worm is also able to send itself as a ZIP attachment.

    Example:

    • info.zip
    • new.exe
    • pic.exe
    • lol.scr
    • photo.exe
    • new.zip
    • report.zip
    • antivirus.exe
    • message,.zip
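As an added illustration that is not part of the McAfee profile, the following Python function scores one raw message against the From:, Subject:, Body: and Attachment: indicators described above. The indicator sets are short subsets of the lists on this page, and the sample message is constructed for the example, not a real capture.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
# Indicator strings taken from this profile (short subsets of its lists).
COMMON_NAMES = {"john", "james", "robert", "michael", "smith", "tommy"}
SUBJECTS = {"you win!", "thanks!", "read it immediately", "re: your document", "re: status"}
BODY_LINES = {"please read the attached file.", "see attached file for details.",
              "you are infected by virus.", "run this exe apply this patch!"}
AV_FOOTERS = {"norton antivirus - www.symantec.de",
              "mc-afee antivirus - www.mcafee.com"}
# Constructed sample message (not a real Mydoom.v capture) used by the check below.
SAMPLE = b"""From: john@corp.test
To: alice@corp.test
Subject: Re: Your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached file.
Norton AntiVirus - www.symantec.de
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="report.zip"

--b1--
"""
def mydoom_v_indicators(raw: bytes) -> list[str]:
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    rcpt = parseaddr(str(msg["To"] or ""))[1].lower()
    local, _, domain = sender.partition("@")
    if local in COMMON_NAMES and domain and domain == rcpt.partition("@")[2]:
        hits.append("forged-from:" + sender)  # common name @ recipient's own domain
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = {ln.strip().lower() for ln in text.splitlines()}
    if lines & BODY_LINES:
        hits.append("body:lure-text")
    if lines & AV_FOOTERS:  # fake AV scan notice appended to the lure
        hits.append("body:fake-av-footer")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".exe", ".scr", ".zip")):  # attachment types used by the worm
            hits.append("attachment:" + name)
    return hits
```

A single match is weak on its own (many legitimate mails say "See the file."); several matches together, especially the forged From plus a fake AV footer, are what make the message worth quarantining.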

    After execution, the worm copies itself to the %windir%\system32 folder as windrv32.exe and creates the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\windrv32.exe

    Additionally, it copies itself to

    • C:\Documents and Settings\(Current User)\Start Menu\Programs\Startup\autostart.exe
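An added defender-side check, not from the profile: this Python snippet scans the text of a `reg export` of the Run key for the WinSPF value and for data pointing at the windrv32.exe or autostart.exe file names given above. The .reg text is constructed for the example.

```python
import re

# Persistence artifacts named in this profile.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WinSPF"
DROPPED_FILES = ("windrv32.exe", "autostart.exe")

# Constructed .reg export in the format written by `reg export`; not a real capture.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Tools\\updater.exe"
"WinSPF"="C:\\WINNT\\System32\\windrv32.exe"
"""

def run_key_hits(reg_export: str) -> list[tuple[str, str]]:
    """Return (value name, data) pairs under the Run key that match the profile."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # key header, e.g. [HKEY_LOCAL_MACHINE\...]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)  # "name"="string data"
        if m is None or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        # .reg exports double every backslash inside string data; undo that.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name == RUN_VALUE or data.lower().endswith(DROPPED_FILES):
            hits.append((name, data))
    return hits
```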

    It tries to download BackDoor-CEB.c from these sites:

    • http://www.llc.unibo.it/
    • http://www.surrenderzeeland.nl/
    • http://www.mercyships.de/
    • http://www.hiw.kuleuven.ac.be/
    • http://www.ach.ch/
    • http://vugs.geog.uu.nl/
    • http://www.planetboredom.net/
    • http://guttorm.hveem.no/

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

    In some particular cases, however, the following steps need to be taken.

    Please go to the Microsoft Recovery Console and restore a clean MBR.

    On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue the 'fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Reset and remove the CD from the CD-ROM drive.


    On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click on "Repair Your Computer".
    • When the System Recovery Options dialog comes up, choose the Command Prompt.
    • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Reset and remove the CD from the CD-ROM drive.