Virus Profile: W32/Mydoom.ae@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/17/2004
Date Added: 10/18/2004
Origin: Unknown
Length: 51,712 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4400

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Upon executing the virus, Notepad is opened, filled with nonsense characters
  • Existence of the files and registry entries listed under Virus Characteristics

  • The HOSTS file is appended to redirect traffic to the following sites:
    • www.trendmicro.com
    • trendmicro.com
    • rads.mcafee.com
    • customer.symantec.com
    • liveupdate.symantec.com
    • us.mcafee.com
    • updates.symantec.com
    • update.symantec.com
    • www.nai.com
    • nai.com
    • secure.nai.com
    • dispatch.mcafee.com
    • download.mcafee.com
    • www.my-etrust.com
    • my-etrust.com
    • mast.mcafee.com
    • ca.com
    • www.ca.com
    • networkassociates.com
    • www.networkassociates.com
    • avp.com
    • www.kaspersky.com
    • www.avp.com
    • kaspersky.com
    • www.f-secure.com
    • f-secure.com
    • viruslist.com
    • www.viruslist.com
    • liveupdate.symantecliveupdate.com
    • mcafee.com
    • www.mcafee.com
    • sophos.com
    • www.sophos.com
    • symantec.com
    • securityresponse.symantec.com
    • www.symantec.com
    • www.pandasoftware.com
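As an added defender-side example, not part of the McAfee profile: a small Python scanner that reads a HOSTS file and reports every entry mapping one of the vendor hostnames listed above, whatever address the entry points at. The HOSTS content it is run against is constructed for the example.

```python
"""Added example (not from the McAfee profile): scan a HOSTS file for entries
that redirect the security-vendor hostnames this worm appends, one of the
indicators of infection listed in the profile."""

# Hostnames the profile reports as redirected by the worm's HOSTS edits.
REDIRECTED_HOSTS = {
    "www.trendmicro.com", "trendmicro.com", "rads.mcafee.com",
    "customer.symantec.com", "liveupdate.symantec.com", "us.mcafee.com",
    "updates.symantec.com", "update.symantec.com", "www.nai.com", "nai.com",
    "secure.nai.com", "dispatch.mcafee.com", "download.mcafee.com",
    "www.my-etrust.com", "my-etrust.com", "mast.mcafee.com", "ca.com",
    "www.ca.com", "networkassociates.com", "www.networkassociates.com",
    "avp.com", "www.kaspersky.com", "www.avp.com", "kaspersky.com",
    "www.f-secure.com", "f-secure.com", "viruslist.com", "www.viruslist.com",
    "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com",
    "sophos.com", "www.sophos.com", "symantec.com",
    "securityresponse.symantec.com", "www.symantec.com", "www.pandasoftware.com",
}

def find_redirects(hosts_text):
    """Return (line_number, address, hostname) for every HOSTS entry that maps
    one of the vendor hostnames, regardless of the address it points at."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]   # HOSTS: address then names
        for name in names:
            if name.lower() in REDIRECTED_HOSTS:
                hits.append((lineno, address, name.lower()))
    return hits

# Constructed sample HOSTS file: one legitimate entry plus appended redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.mcafee.com
127.0.0.1       liveupdate.symantec.com   # appended by malware
0.0.0.0         www.example.com
"""

if __name__ == "__main__":
    for lineno, address, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address}")
```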

Methods of Infection

This worm tries to spread via email using its own SMTP engine.

The worm avoids certain addresses, namely those containing the following strings:

  • google
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • feste
  • submit
  • help
  • service
  • privacy
  • somebody
  • soft
  • contact
  • site
  • rating
  • bugs
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root
  • be_loyal:
  • mozilla
  • utgers.ed
  • tanford.e
  • acketst
  • isc.o
  • isi.e
  • ripe.
  • arin.
  • sendmail
  • rfc-ed
  • ietf
  • iana
  • usenet
  • fido
  • linux
  • ernel
  • ibm.com
  • fsf.
  • mit.e
  • math
  • unix
  • berkeley
  • foo.
  • .mil
  • gov.
  • .gov
  • ruslis
  • nodomai
  • mydomai
  • example
  • inpris
  • borlan
  • sopho
  • panda
  • icrosof
  • syma
  • .edu
  • -._!
  • -._!@
  • abuse
  • secur
  • spam

Virus Characteristics

This is a mass-mailing worm that bears the following characteristics:
  • contains its own SMTP engine to construct outgoing messages
  • contains a backdoor component (see below)
  • modifies the HOSTS file
  • downloads W32/Scran.worm (P2P worm)

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Fw:Information
  • read now!
  • Fw:Warning
  • Re:Warning
  • Warning
  • Fw:Notification
  • Re:Notification
  • Notification
  • Fw:Document
  • Re:Document
  • Document
  • Fw:Important
  • Re:Important
  • Important
  • Re:Information
  • Information
  • Re:Details
  • Details
  • Announcement

Body: (Varies, such as)

  • Daily Report.
  • your document.
  • here is the document.
  • Reply
  • Important Information.
  • Kill the writer of this document!
  • Details are in the attached document.
  • See the attached file for details
  • Please see the attached file for details
  • Check the attached document.
  • Monthly news report.
  • Please confirm!.
  • Please read the attached file!.
  • Please see the attached file for details.
  • Waiting for a Response. Please read the attachment.
  • Please answer quickly!.

Attachment: (often arrives in a ZIP archive)

  • attachment.doc
  • notes.doc
  • notedoc
  • text.doc
  • data.doc
  • list.doc
  • archive.doc
  • error.doc
  • check.doc
  • file.doc
  • message.doc
  • letter.doc
  • information.doc
  • msg.doc
  • news.doc
  • report.doc
  • document.doc

In the case of two file extensions, multiple spaces may be inserted as well, for example:

  • %filename.doc%   (many spaces)  %2ndExt%

The 2nd extension can be any one of the following:

  • .cpl
  • .scr
  • .pif
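An added example, not from the profile: a mail-filter check in Python for the attachment-name pattern just described (a .doc name, an optional run of spaces, then a .cpl, .scr or .pif extension), also applied to the member names of a ZIP attachment. The ZIP it inspects is constructed in memory for the example.

```python
"""Added example, not from the McAfee profile: flag attachment names of the
form <name>.doc<many spaces>.cpl/.scr/.pif, directly or inside a ZIP."""
import io
import re
import zipfile

# A .doc name, optional padding of spaces, then one of the executable second
# extensions listed in the profile. Case-insensitive.
DOUBLE_EXT = re.compile(r"^(?P<base>.+?\.doc)(?P<pad> *)(?P<ext>\.(?:cpl|scr|pif))$",
                        re.IGNORECASE)

def classify_name(name):
    """Return a reason string if the name matches the worm's pattern, else None."""
    m = DOUBLE_EXT.match(name)
    if not m:
        return None
    return (f"{m.group('base')!r} padded with {len(m.group('pad'))} spaces "
            f"before executable extension {m.group('ext')}")

def classify_attachment(filename, data=b""):
    """Return [(name, reason)] for a MIME attachment; ZIP members are inspected too."""
    reason = classify_name(filename)
    if reason:
        return [(filename, reason)]
    if filename.lower().endswith(".zip") and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return [(filename, "ZIP attachment could not be parsed")]
        return [(n, classify_name(n)) for n in names if classify_name(n)]
    return []

def build_sample_zip():
    """Constructed sample: a ZIP carrying one padded double-extension member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.doc" + " " * 40 + ".scr", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name in ("report.doc", "report.doc" + " " * 30 + ".pif", "notes.txt"):
        print(f"{name.strip()!r}: {classify_name(name)}")
    print(classify_attachment("message.zip", build_sample_zip()))
```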

Target mail addresses are gathered from files with the following file extensions:

  • wab
  • pl
  • adbh
  • tbbg
  • dbxn
  • aspd
  • phpq
  • sht
  • vbs
  • cfg
  • eml
  • cgi
  • wsh
  • msg
  • uin
  • xls
  • jsp
  • xml
  • mdx
  • mbx
  • html
  • htmb
  • txt

When this file is run (manually), it copies itself to the Windows System directory as AVPR.EXE.

  • %SysDir%\AVPR.EXE

(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)


It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Avpr" = %SysDir%\AVPR.EXE

The virus uses a DLL that it creates in the Windows System directory:

  • %SysDir%\TCP5424.dll (5,632 bytes)

This DLL is injected into EXPLORER.EXE upon reboot via this registry key:

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\TCP5424.dll

Peer To Peer Propagation
The worm attempts to download and execute a file SCRAN.JPG from a remote site. This remote file is renamed to SCRAN.EXE and copied to the root of drive C:. This file carries a P2P worm and is detected as W32/Scran.worm with the 4400 DATs.

Remote Access Component
The DLL component acts as a Backdoor which opens a connection on TCP port 5424.

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
