Virus Profile: W32/Mydoom.o@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/26/2004
Date Added: 7/26/2004
Origin: Unknown
Length: approx 28kB (EXE, ZIP)
8,192 bytes (dropped EXE)
Type: Virus
Subtype: E-mail
DAT Required: 4381

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

  • C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

  • C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE

The following Registry keys are also added:

  • HKEY_CURRENT_USER\Software\Microsoft\Daemon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

TCP port 1034 is opened on the victim machine by the SERVICES.EXE process, which listens for incoming connections. The same process also sends TCP traffic from a high port of the infected machine to randomly generated IP addresses on destination port 1034. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.
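The host indicators listed above (dropped files, Run values, the Daemon keys, the port 1034 listener and the zincite.log file) can be checked mechanically. The following script is an added example, not McAfee's code: it evaluates a snapshot of a Windows host against those indicators. The `HostSnapshot` structure and the sample data in it are constructed for this example; a real collector would fill the same fields from the live system. The profile does not say where zincite.log is written, so the check assumes it sits beside the dropped files.

```python
"""Host indicator check for the W32/Mydoom.o@MM profile (added example, not McAfee's code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Indicators taken from the profile text.
DROPPED_FILES = {"JAVA.EXE", "SERVICES.EXE"}
RUN_VALUES = {"JavaVM": "JAVA.EXE", "Services": "SERVICES.EXE"}
DAEMON_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Daemon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon",
}
BACKDOOR_PORT = 1034
LOG_FILE = "zincite.log"  # location not stated in the profile; assumed to be in %WinDir%


@dataclass
class HostSnapshot:
    """What a collector would gather from one host (constructed structure, not a McAfee format)."""
    windir: str = r"C:\WINDOWS"
    windir_files: set[str] = field(default_factory=set)          # file names found in %WinDir%
    run_values: dict[str, str] = field(default_factory=dict)     # HKLM\...\Run value name -> data
    registry_keys: set[str] = field(default_factory=set)         # full key paths that exist
    listening_tcp: dict[int, str] = field(default_factory=dict)  # listening port -> process image


def check_mydoom_o(snap: HostSnapshot) -> list[str]:
    """Return the matched indicators; an empty list means nothing from the profile was found."""
    hits: list[str] = []
    upper_files = {f.upper() for f in snap.windir_files}
    for name in sorted(DROPPED_FILES):
        if name in upper_files:
            hits.append(f"file {snap.windir}\\{name}")
    if LOG_FILE.upper() in upper_files:
        hits.append(f"file {snap.windir}\\{LOG_FILE}")
    for value, exe in RUN_VALUES.items():
        data = snap.run_values.get(value, "")
        # %WinDir% may be expanded or literal; only the image name is compared
        if data.upper().endswith(exe):
            hits.append(f'Run value "{value}" = {data}')
    present = {k.lower() for k in snap.registry_keys}
    for key in sorted(DAEMON_KEYS):
        if key.lower() in present:
            hits.append(f"registry key {key}")
    proc = snap.listening_tcp.get(BACKDOOR_PORT)
    if proc is not None:
        hits.append(f"TCP {BACKDOOR_PORT} listening ({proc})")
    return hits


# Constructed sample snapshot of an infected host, used only to demonstrate the check.
SAMPLE_INFECTED = HostSnapshot(
    windir_files={"java.exe", "SERVICES.EXE", "explorer.exe"},
    run_values={"JavaVM": r"%WinDir%\JAVA.EXE", "Services": r"%WinDir%\SERVICES.EXE"},
    registry_keys={r"HKEY_CURRENT_USER\Software\Microsoft\Daemon"},
    listening_tcp={1034: "SERVICES.EXE", 135: "svchost.exe"},
)

if __name__ == "__main__":
    for hit in check_mydoom_o(SAMPLE_INFECTED):
        print("MATCH:", hit)
    print("clean host:", check_mydoom_o(HostSnapshot()))
```

A single match on JAVA.EXE alone is weak (a Java runtime can legitimately drop a java.exe elsewhere), which is why the check reports every indicator and leaves the decision to the analyst rather than returning a boolean.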

Methods of Infection

This worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.

Aliases

W32.Mydoom.M@mm (Symantec), W32/MyDoom-O (Sophos), WORM_MYDOOM.M (Trend)
   

Virus Characteristics

-- Update 8th November --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update 30th July --
The risk assessment of this threat has been lowered to Medium due to decreased prevalence.
--

-- Update 26th July 03:21 PDT --
This variant of Mydoom is known to send non-viral attachments, typically .bat, .cmd, .com, .exe, .pif or .scr files within a zip archive, within another zip archive. These files are approximately 1-2kb in size and are not infectious. They are encrypted log files created by the backdoor component of the worm.
--

-- Update 26th July 08:12 PDT --
The risk assessment of this threat has been raised to Medium on Watch due to increased prevalence.
--

If you think that you may be infected with Mydoom, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This new variant of W32/Mydoom is packed with UPX. Similarly to previous variants, it bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • contains a peer to peer propagation routine

Mail Propagation

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)

The following display names are used in this case:

  • "Automatic Email Delivery Software"
  • "Bounced mail"
  • "MAILER-DAEMON"
  • "Mail Administrator"
  • "Mail Delivery Subsystem"
  • "Post Office"
  • "Returned mail"
  • "The Post Office"

Subject:
The following subjects are used:

  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body:
The virus constructs messages from pools of strings it carries in its body. For example:

Attachment:
The attachment may be an EXE file with one of the following extensions:

  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD

It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:

  • ZIP

The attachment may use the target email address name as the filename, in addition to the following:

  • README
  • INSTRUCTION
  • TRANSCRIPT
  • MAIL
  • LETTER
  • FILE
  • TEXT
  • ATTACHMENT
  • DOCUMENT
  • MESSAGE

The attachment may use a double extension, and there may be multiple spaces inserted between the file extensions to deceive users.
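The message characteristics described in this Mail Propagation section (bounce-style sender names, the subject pool, executable or ZIP attachments, a ZIP nested inside a ZIP, and double extensions padded with spaces) can be turned into mail-gateway triage logic. The script below is an added example, not McAfee's code or any gateway product's rule set. It builds a constructed sample message with the standard `email` package, including a constructed nested archive whose inner file name illustrates the space-padded double extension, then parses it back and reports which indicators matched; the file names used are invented examples of the patterns, not samples from the page.

```python
"""Mail triage against the W32/Mydoom.o@MM message indicators (added example, not McAfee's code)."""
from __future__ import annotations

import email
import email.policy
import io
import re
import zipfile
from email.headerregistry import Address
from email.message import EmailMessage

# Indicators taken from the profile text.
BOUNCE_NAMES = {
    "Automatic Email Delivery Software", "Bounced mail", "MAILER-DAEMON", "Mail Administrator",
    "Mail Delivery Subsystem", "Post Office", "Returned mail", "The Post Office",
}
BOUNCE_USERS = {"mailer-daemon", "noreply"}
SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail", "returned mail: see transcript for details",
    "returned mail: data format error",
}
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "cmd"}
# "name.txt      .exe": an inner extension, one or more spaces, then the real extension.
DOUBLE_EXT = re.compile(r"\.\w{1,4}\s+\.\w{1,4}$")


def check_name(name: str) -> list[str]:
    """Flags for one file name: executable extension and/or space-padded double extension."""
    flags: list[str] = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXT:
        flags.append(f"executable attachment: {name!r}")
    if DOUBLE_EXT.search(name):
        flags.append(f"double extension padded with spaces: {name!r}")
    return flags


def exec_inside_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Names of executables inside a ZIP, descending into ZIPs nested within it (bounded depth)."""
    found: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
                if ext in EXEC_EXT:
                    found.append(info.filename)
                elif ext == "zip" and depth < max_depth:
                    for inner in exec_inside_zip(zf.read(info), depth + 1, max_depth):
                        found.append(f"{info.filename}/{inner}")
    except zipfile.BadZipFile:
        pass  # not a real archive; nothing to inspect here
    return found


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and return every matched indicator."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flags: list[str] = []
    for addr in (msg["From"].addresses if msg["From"] else ()):
        if addr.display_name in BOUNCE_NAMES:
            flags.append(f"bounce-style display name: {addr.display_name!r}")
        if addr.username.lower() in BOUNCE_USERS:
            flags.append(f"bounce-style sender: {addr.addr_spec}")
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        flags.append(f"subject from worm pool: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        flags.extend(check_name(name))
        if name.lower().endswith(".zip"):
            for inner in exec_inside_zip(data):
                flags.append(f"executable inside ZIP attachment: {inner}")
                flags.extend(check_name(inner))
    return flags


def build_nested_zip() -> bytes:
    """Constructed ZIP-in-ZIP holding a harmless placeholder with a padded double extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("transcript.txt          .scr", b"placeholder bytes, not an executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("transcript.zip", inner.getvalue())
    return outer.getvalue()


def build_sample_message() -> bytes:
    """Constructed message in the bounce style the profile describes (sender domain is invented)."""
    msg = EmailMessage()
    msg["From"] = Address("Mail Delivery Subsystem", "mailer-daemon", "example.com")
    msg["To"] = "user@example.com"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was included as attachment.")
    msg.add_attachment(build_nested_zip(), maintype="application", subtype="zip", filename="mail.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in triage(build_sample_message()):
        print("FLAG:", flag)
```

Any one of these indicators on its own is a weak signal (a genuine bounce carries a MAILER-DAEMON sender too), so the function returns all matches and a gateway policy would act on the combination, for instance quarantining only when an executable is found inside the archive.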

Email Address Harvesting
Email addresses are harvested from the following file types on the victim machine:

  • DOC
  • TXT
  • HTM
  • HTML

The virus queries four search engines to harvest addresses from the results returned from such queries:

  • https://search.lycos.com
  • https://www.altavista.com
  • https://search.yahoo.com
  • https://www.google.com

The virus will also harvest email addresses from any Outlook window that is active on the victim machine.

Email Exclusions
The virus avoids emailing itself to target domains containing any of the following strings:

  • spam
  • abuse
  • master
  • sample
  • accoun
  • privacycertific
  • bugs
  • listserv
  • submit
  • ntivi
  • support
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • not
  • help
  • foo
  • no
  • soft
  • site
  • me
  • you
  • rating
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • info
  • info
  • winrar
  • winzip
  • rarsoft
  • sf.net
  • sourceforge
  • ripe.
  • arin.
  • google
  • gnu.
  • gmail
  • seclist
  • secur
  • bar.
  • foo.com
  • trend
  • update
  • uslis
  • domain
  • example
  • sophos
  • yahoo
  • spersk
  • panda
  • hotmail
  • msn.
  • msdn.
  • microsoft
  • sarc.
  • syma
  • avp

Peer to Peer Propagation

The virus is intended to copy itself to folders containing the following strings:

  • USERPROFILE
  • yahoo.com
Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat. Download Stinger.

McAfee System Compliance Profiler
Create a rule that matches a file
 - Choose WINDOWS_DIR from the drop-down
 - Type in JAVA.EXE for the file name
 - Choose "File does not exist" in the next drop-down

Create a rule that matches a file
 - Choose WINDOWS_DIR from the drop-down
 - Type in SERVICES.EXE for the file name
 - Choose "File does not exist" in the next drop-down

McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 1034.

McAfee Threatscan
ThreatScan signatures that can detect the W32/Mydoom.o virus are available from:

        - Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
        - Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-07-26

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

       - Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
 -or-
       - Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

       - Run the "ThreatScan Template Report"
       - Look for module number #4081

Network General Sniffer
A Network General Sniffer filter is available at https://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1
