Virus Profile: W32/Mydoom.y@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 9/15/2004
Date Added: 9/15/2004
Origin: Unknown
Length: 88,640 bytes
Type: Virus
Subtype: Email
DAT Required: 4391

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry keys listed under Virus Characteristics below.
  • Outgoing network traffic to TCP port 25 (the worm sends mail with its own SMTP engine rather than through the user's mail client).
  • The virus contains a payload to initiate a denial of service attack against www.symantec.com.

    Methods of Infection

    This virus spreads via email. Victims must manually choose to execute the infected attachment. Once running, the virus harvests addresses from files with the extensions listed below.

    Aliases

    I-Worm.Mydoom.x (AVP), W32.Mydoom.W@mm (Symantec), W32/MyDoom-X (Sophos), W32/Mydoom.Y.worm (Panda), Win32.Mydoom.Z (CA), WORM_MYDOOM.X (Trend)

    Virus Characteristics

    -- Update September 15th, 2004 --
    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    https://news.zdnet.co.uk/communications/networks/0,39020345,39166546,00.htm

    --

    This Mydoom variant is packed with FSG, and bears the following characteristics:

    • contains its own SMTP engine for constructing messages
    • harvests target email addresses from the victim machine
    • forges the From: header of outgoing messages
    • drops a downloader trojan and a keylogger trojan
    • downloads BackDoor-CEB.d over HTTP

    Details

    From: (spoofed From: header)
    Do not assume that the sender address indicates that the sender is infected. Likewise, you may receive bounce or alert messages from a mail server claiming that you are infected; because the From: header is forged, the infected machine is usually someone else's.

    The From: address is either one of the harvested addresses, or is constructed by taking a common first name carried within the virus body and prepending it to the recipient's domain name (e.g. john@mydomain.com).

    The common names used are as follows:

    • Tom
    • Marcus
    • Troy
    • Walter
    • Eric
    • Matthew
    • Kenneth
    • Charles
    • Tommy
    • Jim
    • Francisco
    • Ricky
    • Dennis
    • Scott
    • Jason
    • George
    • Richard
    • Lloyd
    • Jay
    • Leroy
    • Carl
    • Jerry
    • Frank
    • Kevin
    • Donald
    • David
    • Bill
    • Oscar
    • Mario
    • Henry
    • Joshua
    • Jeffrey
    • Anthony
    • Mark
    • William
    • Ronnie
    • Miguel
    • Bernard
    • Douglas
    • Gregory
    • Larry
    • Ronald
    • Paul
    • Michael
    • Jon
    • Clifford
    • Alexander
    • Harold
    • Raymond
    • Jose
    • Brian
    • Daniel
    • Robert
    • Alex
    • Theodore
    • Barry
    • Peter
    • Andrew
    • Timothy
    • Edward
    • Thomas
    • John
    • Calvin
    • Micheal
    • Randall
    • Patrick
    • Stephen
    • Gary
    • Steven
    • Joseph
    • James

    The worm searches for email addresses on the local hard drive within files that have these extensions:

    • txt
    • htm
    • html
    • mbx
    • mdx
    • xml
    • jsp
    • xls
    • uin
    • msg
    • wsh
    • cgi
    • eml
    • cfg
    • vbs
    • sht
    • php
    • asp
    • dbx
    • tbb
    • adb
    • pl
    • wab


    The virus avoids emailing itself to addresses containing any of the following strings (the list mixes domain fragments with local parts such as postmaster and webmaster):

    • icrosof
    • panda
    • sopho
    • borlan
    • inpris
    • example
    • mydomai
    • nodomai
    • ruslis
    • .gov
    • gov.
    • .mil
    • foo.
    • unix
    • math
    • bsd
    • mit.e
    • gnu
    • fsf.
    • ibm.com
    • kernel
    • linux
    • fido
    • usenet
    • iana
    • ietf
    • rfc-ed
    • sendmail
    • arin.
    • ripe.
    • isi.e
    • isc.o
    • acketst
    • pgp
    • tanford.e
    • utgers.ed
    • root
    • info
    • samples
    • postmaster
    • webmaster
    • noone
    • nobody
    • nothing
    • anyone
    • someone
    • your
    • you
    • me
    • bugs
    • rating
    • site
    • contact
    • soft
    • no
    • somebody
    • privacy
    • service
    • help
    • notsubmit
    • feste
    • ca
    • gold-certs
    • the.bat
    • page
    • admin
    • microsoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • google
    • accounts
    • pmf
    • cnz
    • www
    • secur
    • abuse

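    The three lists above (forged From: names, harvested extensions, and avoided strings) together decide who actually receives the worm. The following is an added example written for this profile, not McAfee's or the worm's code: it reproduces those selection rules on constructed sample files so an analyst can predict which harvested addresses would be mailed and what the forged From: would look like. The assumption that the avoid-list substring test runs over the whole address (not just the domain) is the author's, made because the list contains local parts such as postmaster; the sample files and addresses are invented.

```python
import random
import re

# Added example (not McAfee's or the worm's code): reproduces the target-selection
# rules described in this profile on constructed sample data.

# File extensions the worm scans for addresses (list from the profile).
HARVEST_EXTENSIONS = {
    "txt", "htm", "html", "mbx", "mdx", "xml", "jsp", "xls", "uin", "msg", "wsh", "cgi",
    "eml", "cfg", "vbs", "sht", "php", "asp", "dbx", "tbb", "adb", "pl", "wab",
}

# Substrings that make the worm skip an address (list from the profile).
AVOID_SUBSTRINGS = [
    "icrosof", "panda", "sopho", "borlan", "inpris", "example", "mydomai", "nodomai",
    "ruslis", ".gov", "gov.", ".mil", "foo.", "unix", "math", "bsd", "mit.e", "gnu",
    "fsf.", "ibm.com", "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed",
    "sendmail", "arin.", "ripe.", "isi.e", "isc.o", "acketst", "pgp", "tanford.e",
    "utgers.ed", "root", "info", "samples", "postmaster", "webmaster", "noone",
    "nobody", "nothing", "anyone", "someone", "your", "you", "me", "bugs", "rating",
    "site", "contact", "soft", "no", "somebody", "privacy", "service", "help",
    "notsubmit", "feste", "ca", "gold-certs", "the.bat", "page", "admin", "microsoft",
    "support", "ntivi", "listserv", "certific", "google", "accounts", "pmf", "cnz",
    "www", "secur", "abuse",
]

# First names carried in the virus body, used as the forged From: local part.
FROM_NAMES = [
    "Tom", "Marcus", "Troy", "Walter", "Eric", "Matthew", "Kenneth", "Charles", "Tommy",
    "Jim", "Francisco", "Ricky", "Dennis", "Scott", "Jason", "George", "Richard", "Lloyd",
    "Jay", "Leroy", "Carl", "Jerry", "Frank", "Kevin", "Donald", "David", "Bill", "Oscar",
    "Mario", "Henry", "Joshua", "Jeffrey", "Anthony", "Mark", "William", "Ronnie",
    "Miguel", "Bernard", "Douglas", "Gregory", "Larry", "Ronald", "Paul", "Michael",
    "Jon", "Clifford", "Alexander", "Harold", "Raymond", "Jose", "Brian", "Daniel",
    "Robert", "Alex", "Theodore", "Barry", "Peter", "Andrew", "Timothy", "Edward",
    "Thomas", "John", "Calvin", "Micheal", "Randall", "Patrick", "Stephen", "Gary",
    "Steven", "Joseph", "James",
]

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvestable(filename):
    """True if the worm would scan this file, judged by its extension alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HARVEST_EXTENSIONS


def harvest(files):
    """files maps filename -> text. Returns lower-cased addresses found in files
    whose extension is on the harvest list."""
    found = set()
    for name, text in files.items():
        if harvestable(name):
            found.update(a.lower() for a in ADDRESS_RE.findall(text))
    return found


def is_avoided(address):
    """Assumption: the substring test covers the whole lower-cased address. Note how
    broad entries such as 'no', 'me' and 'ca' are: they exclude many ordinary
    addresses, which is why some users never see this worm."""
    a = address.lower()
    return any(s in a for s in AVOID_SUBSTRINGS)


def select_targets(files):
    """Addresses the worm would actually send itself to, sorted."""
    return sorted(a for a in harvest(files) if not is_avoided(a))


def forge_from(recipient, harvested, seed=0):
    """Forged From: either a harvested address or <common name>@<recipient domain>."""
    rng = random.Random(seed)
    domain = recipient.rsplit("@", 1)[1]
    if harvested and rng.random() < 0.5:
        return rng.choice(sorted(harvested))
    return rng.choice(FROM_NAMES).lower() + "@" + domain


# Constructed sample files (invented addresses, not real data).
SAMPLE_FILES = {
    "contacts.txt": "alice@bluesky.net, postmaster@bluesky.net, carl@bluesky.net",
    "index.html": "<a href='mailto:Bob@harbor.io'>Bob</a> dave@ibm.com",
    "report.docx": "eve@bluesky.net",  # .docx is not on the harvest list
}

if __name__ == "__main__":
    targets = select_targets(SAMPLE_FILES)
    print("would be mailed:", targets)
    for t in targets:
        print(t, "<- forged From:", forge_from(t, targets, seed=1))
```

    Of the five addresses present in the sample files, only two survive: postmaster@ and carl@ are dropped by the "postmaster" and "ca" substrings, dave@ibm.com by "ibm.com", and eve@ is never harvested because .docx is not scanned.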
    Subject:

    The subject may be empty, random characters, or one of these hardcoded strings:

    • Monthly news report.
    • Virus removal tool
    • apply this patch!
    • fun game!
    • lol!
    • fun!
    • See the file.
    • screensaverlol!
    • Your archive is attached.
    • check!
    • Error

    Body:

    Like the subject, the body can be empty or contain random characters, or it can be built from strings in this hardcoded list:

    • test
    • Please read the important document.
    • I have attached document.
    • Waiting for a Response. Please read the attachment.
    • Thanks!
    • Please see the attached file for details
    • Please read the attached file!
    • Please confirm!
    • Please answer quickly!
    • For more details see the attachment.
    • For further details see the attachment.

    Followed by one of these strings:

    • Hello Check the attachment.
    • Here is the attachment.
    • :-)
    • Here is my photo.:-)

    Followed by one of these strings:

    • +++ Attachment: No Virus found
    • +++ Attachment: No Infection found

    Followed by one of these strings:

    Attachment:

    The worm attaches itself to messages using various filenames. Users must manually run the attachment to become infected.

    After execution, the worm copies itself to the %windir%\System32 folder as oz11111.exe and creates the following registry value so that it runs at startup:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Run "www.symantec.com" = C:\WINNT\System32\oz11111.exe
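
    The subject list, body fragments and the fake "+++ Attachment: No Virus found" verdict above are stable enough to fingerprint at a mail gateway. The following is an added example for this profile, not McAfee's or the worm's code: it parses raw messages with Python's email package and reports which of the documented indicators match. Attachment filenames are not given in the profile, so it only checks that an attachment is present; the same-domain From:/To: heuristic follows from the forged From: construction described earlier. Both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Added example (not McAfee's or the worm's code): gateway-side fingerprint of the
# message format this profile documents.

SUBJECTS = {
    "Monthly news report.", "Virus removal tool", "apply this patch!", "fun game!",
    "lol!", "fun!", "See the file.", "screensaverlol!", "Your archive is attached.",
    "check!", "Error",
}
BODY_LINES = {
    "test", "Please read the important document.", "I have attached document.",
    "Waiting for a Response. Please read the attachment.", "Thanks!",
    "Please see the attached file for details", "Please read the attached file!",
    "Please confirm!", "Please answer quickly!", "For more details see the attachment.",
    "For further details see the attachment.", "Hello Check the attachment.",
    "Here is the attachment.", ":-)", "Here is my photo.:-)",
}
# The fake scanner verdict the worm appends: a strong indicator on its own.
FAKE_SCAN_LINES = ("+++ Attachment: No Virus found", "+++ Attachment: No Infection found")


def mydoom_y_indicators(raw):
    """Return the list of documented indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        reasons.append("subject from hardcoded list")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    lines = {ln.strip() for ln in text.splitlines()}
    if lines & BODY_LINES:
        reasons.append("body line from hardcoded list")
    if any(marker in lines for marker in FAKE_SCAN_LINES):
        reasons.append("fake 'No Virus found' line")
    if any(True for _ in msg.iter_attachments()):
        reasons.append("has attachment")
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    recipient = parseaddr(str(msg["To"] or ""))[1].lower()
    if "@" in sender and "@" in recipient and sender.split("@")[1] == recipient.split("@")[1]:
        # The forged From: is often <common name>@<recipient's own domain>.
        reasons.append("From: domain equals To: domain")
    return reasons


def is_mydoom_y_like(raw):
    """Flag when the fake scan line is present, or several weaker signs coincide."""
    reasons = mydoom_y_indicators(raw)
    return "fake 'No Virus found' line" in reasons or len(reasons) >= 3


# Constructed sample messages (not captured traffic).
SAMPLE_WORM_MAIL = b"""\
From: john@bluesky.net
To: alice@bluesky.net
Subject: Virus removal tool
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please read the attached file!
Here is the attachment.
+++ Attachment: No Virus found

--B1
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

SAMPLE_CLEAN_MAIL = b"""\
From: bob@harbor.io
To: alice@bluesky.net
Subject: Lunch tomorrow?

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, is_mydoom_y_like(raw), mydoom_y_indicators(raw))
```

    The fake verdict line is treated as sufficient on its own because no legitimate scanner writes it into the body; the other indicators are individually weak (a same-domain From: is normal internal mail) and only count in combination.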

    Additional files are dropped:

    • c:\WINDOWS\oz2.exe - copy of the worm
    • c:\WINDOWS\system32\About_Mydoom.txt - text file with author notes
    • c:\WINDOWS\system32\Doompic.jpg - image of boy
    • c:\WINDOWS\system32\Downxz.bat - Downloader-PP trojan downloads BackDoor-CEB.d
    • c:\WINDOWS\system32\log32zx.exe - Keylog-YKL trojan
    • c:\WINDOWS\Temp\services.exe - W32/Mydoom.o@MM virus

    Additional registry values and keys created are:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Run "Downxz" = C:\WINDOWS\System32\Downxz.bat
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Run "Microsoft Windows updaterD" = C:\WINDOWS\System32\log32zx.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Run "oz2" = C:\WINDOWS\oz2.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Run "Services" = C:\WINDOWS\TEMP\services.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Daemon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\ComDlg32\Version
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Explorer\ComDlg32\Version
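
    The dropped files and Run entries above are the host-side indicators to check. The following is an added example written for this profile, not McAfee's tool: it matches a snapshot of Run values, file paths and key names against those indicators, and can take the snapshot from the live registry when run on Windows. The constructed snapshot of a partly cleaned host is invented for the example; the comparison on the path tail rather than the bare filename is the author's choice, because the profile mixes C:\WINNT and C:\WINDOWS and because services.exe under System32 is a legitimate Windows binary.

```python
import os

# Added example (not McAfee's tool): matches a host snapshot against the
# persistence and dropped-file indicators listed in this profile.

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Run value names the worm creates (from the profile).
IOC_RUN_NAMES = {"www.symantec.com", "Downxz", "Microsoft Windows updaterD", "oz2", "Services"}

# Dropped files, relative to the Windows directory (from the profile).
IOC_FILES = [
    r"System32\oz11111.exe", r"oz2.exe", r"System32\About_Mydoom.txt",
    r"System32\Doompic.jpg", r"System32\Downxz.bat", r"System32\log32zx.exe",
    r"Temp\services.exe",
]

# Marker keys the worm creates (the profile documents no values under them).
IOC_MARKER_KEYS = {
    r"HKCU\Software\Microsoft\Daemon",
    r"HKLM\SOFTWARE\Microsoft\Daemon",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
}


def is_ioc_path(path):
    """True if the path ends with one of the dropped-file paths, parent directory
    included: services.exe in System32 is legitimate, only the Temp copy is the
    dropped W32/Mydoom.o@MM."""
    p = path.strip('"').lower().replace("/", "\\")
    return any(p.endswith("\\" + ioc.lower()) for ioc in IOC_FILES)


def match_iocs(run_values, existing_files, existing_keys):
    """run_values: {value name: data} from the HKLM Run key; existing_files: paths
    present on disk; existing_keys: key names present, in HKCU/HKLM form.
    Returns a list of (kind, detail) hits."""
    hits = []
    for name, data in run_values.items():
        if name in IOC_RUN_NAMES or is_ioc_path(data):
            hits.append(("run_value", f"{name} = {data}"))
    for path in existing_files:
        if is_ioc_path(path):
            hits.append(("file", path))
    wanted = {k.lower() for k in IOC_MARKER_KEYS}
    for key in existing_keys:
        if key.lower() in wanted:
            hits.append(("marker_key", key))
    return hits


def collect_live_windows():
    """Snapshot the live Run key, dropped-file locations and marker keys (Windows only)."""
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    windir = os.environ.get("windir", r"C:\WINDOWS")
    files = [os.path.join(windir, rel) for rel in IOC_FILES
             if os.path.exists(os.path.join(windir, rel))]
    keys = []
    for key_name in IOC_MARKER_KEYS:
        hive_name, _, sub = key_name.partition("\\")
        hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
        try:
            winreg.CloseKey(winreg.OpenKey(hive, sub))
            keys.append(key_name)
        except OSError:
            pass
    return values, files, keys


# Constructed snapshot of a partly cleaned host (not real data).
SAMPLE_RUN = {
    "Downxz": r"C:\WINDOWS\System32\Downxz.bat",
    "Services": r"C:\WINDOWS\TEMP\services.exe",
    "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",  # benign
}
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\Downxz.bat",
    r"C:\WINDOWS\System32\About_Mydoom.txt",
    r"C:\WINDOWS\System32\services.exe",  # legitimate, must not match
]
SAMPLE_KEYS = [r"HKLM\SOFTWARE\Microsoft\Daemon"]

if __name__ == "__main__":
    for kind, detail in match_iocs(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_KEYS):
        print(f"{kind}: {detail}")
```

    On a live host, run `match_iocs(*collect_live_windows())` from an elevated prompt; any hit means the DAT-based cleaning described below has not yet run, or did not complete.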

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

    In some cases the following additional steps are needed. The characteristics above describe no modification of the Master Boot Record by this variant, so only take these steps if a clean boot record cannot otherwise be confirmed.

    Use the Microsoft Recovery Console to restore a clean MBR.

    On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue 'fixmbr' command to restore the Master Boot Record
    • Follow onscreen instructions.
    • Restart the computer and remove the CD from the CD-ROM drive.


    On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click on "Repair Your Computer".
    • When the System Recovery Options dialog comes up, choose the Command Prompt.
    • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow onscreen instructions.
    • Restart the computer and remove the CD from the CD-ROM drive.