Virus Profile: W32/Mydoom.ap@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/15/2005
Date Added: 1/15/2005
Origin: Unknown
Length: 31,744 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4417

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Upon executing the virus, Notepad is opened, filled with nonsense characters.

  • Existence of the files and registry entries listed under Virus Characteristics

Methods of Infection

This worm tries to spread via email and by copying itself to P2P shared folders if they are present.

The worm attempts to terminate running processes containing the following text:

  • Penis32.exe
  • W32.Blaster.B
  • teekids.exe
  • W32.Blaster.C
  • Microsoft Inet Xp
  • MSBLAST.exe
  • W32.Blaster
  • windows auto update
  • mscvb32.exe
  • Sobig.c
  • System MScvb
  • Bagle.v
  • sysinfo.exe
  • PandaAVEngine.exe
  • Netsky.r
  • PandaAVEngine
  • taskmon.exe

Finally, the virus sends itself via SMTP, constructing messages with its own SMTP engine. The worm guesses the recipient's mail server by prepending the following strings to the target domain name:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.
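The MX-guessing behaviour above gives network defenders a simple hunt: a workstation that should hand mail to the corporate relay has no reason to resolve several of these prefixed host names for the same recipient domain itself. The following Python is an added example, not McAfee's code; the one-query-per-line resolver log format and the threshold of three distinct prefixes per domain are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Host-name prefixes the worm prepends to the recipient's domain (from the profile).
MX_GUESS_PREFIXES = ("mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.")

# Constructed sample resolver log, one query per line: "<time> <client_ip> A <name>".
# (Assumed format; real resolver logs differ.)
SAMPLE_DNS_LOG = """\
10:01:02 10.0.0.15 A www.example.org
10:01:05 10.0.0.23 A mx.example.net
10:01:05 10.0.0.23 A mail.example.net
10:01:05 10.0.0.23 A smtp.example.net
10:01:06 10.0.0.23 A mx1.example.net
10:01:06 10.0.0.23 A relay.example.com
10:01:07 10.0.0.15 A mail.example.org
10:01:09 10.0.0.23 A mail1.example.com
10:01:09 10.0.0.23 A ns.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\S+)$")


def split_guess(name):
    """Return (prefix, domain) when `name` starts with one of the guess prefixes, else None."""
    for prefix in MX_GUESS_PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix):
            return prefix, name[len(prefix):]
    return None


def find_mx_guessers(log_text, threshold=3):
    """Return {client: {domain: [prefixes]}} for clients that resolved at least
    `threshold` distinct guess prefixes against the same domain."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not A-record queries in the assumed format
        _time, client, name = match.groups()
        hit = split_guess(name.lower().rstrip("."))
        if hit:
            prefix, domain = hit
            seen[client][domain].add(prefix)
    flagged = {}
    for client, domains in seen.items():
        for domain, prefixes in domains.items():
            if len(prefixes) >= threshold:
                flagged.setdefault(client, {})[domain] = sorted(prefixes)
    return flagged


if __name__ == "__main__":
    for client, domains in find_mx_guessers(SAMPLE_DNS_LOG).items():
        for domain, prefixes in domains.items():
            print(f"{client} tried {len(prefixes)} mail-host guesses for {domain}: {', '.join(prefixes)}")
```

A single `mail.` lookup is normal (webmail, a legitimate mail client); the signal is the burst of different prefixes against one domain from a host that is not a mail server, which is why the check counts distinct prefixes per (client, domain) pair rather than matching individual names.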

Aliases

W32/MyDoom-AA (Sophos)

Virus Characteristics

This threat is proactively detected as W32/Mydoom.gen@MM with released DAT files.

This is a mass-mailing and peer-to-peer file-sharing worm. The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address indicates that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Do not reply to this email
  • HELLO
  • Server Report
  • Good Day
  • Attention!!!
  • ERROR
  • Mail Transaction Failed
  • (random characters)

Body: (Varies, such as)

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • (Random gibberish)
  • New terms and conditions for credit card holders

    Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.

    Thank you,
    The World Bank Group
    © 2004 The World Bank Group, All Rights Reserved
  • Attention! New self-spreading virus!

    Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
    To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.

    © 2004 Networks Associates Technology, Inc. All Rights Reserved
  • Attention! Your IP was logged by The Internet Fraud Complaint Center
    Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI.
    All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.

    This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center

  • Thank you for registering at WORLDXXXPASS.COM
    All your payment info, login and password you can find in the attachment file.

    It's a real good choise to go to WORLDXXXPASS.COM

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (31kb)

Examples (common names, but can be random):
  • doc.bat
  • document.zip
  • message.zip
  • readme.zip
  • text.pif
  • hello.cmd
  • body.scr
  • test.htm.pif
  • data.txt.exe
  • file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:

  • document.htm  (many spaces)  .pif
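The attachment naming tricks above (executable extensions, a decoy extension followed by the real one, and whitespace padding between them) are simple to screen for at a mail gateway or in a triage script. The following Python is an added example, not McAfee's code; the extension list comes from the profile, the in-memory ZIP is a constructed stand-in for the worm's `document.zip`, and the padded file name inside it is constructed.

```python
import io
import re
import zipfile

# Attachment extensions named in the profile.
EXEC_EXTS = {".bat", ".exe", ".pif", ".cmd", ".scr"}

# "<name>.<decoy ext><optional run of whitespace>.<executable ext>", e.g.
# "document.htm          .pif" or "data.txt.exe".
DOUBLE_EXT_RE = re.compile(
    r"^.+\.[A-Za-z0-9]{1,5}\s*\.(bat|exe|pif|cmd|scr)$", re.IGNORECASE
)


def classify_attachment(name):
    """Return a reason string if `name` matches the naming tricks in the profile, else None."""
    stripped = name.strip()
    if DOUBLE_EXT_RE.match(stripped):
        return "double extension"
    ext = "." + stripped.lower().rsplit(".", 1)[-1] if "." in stripped else ""
    if ext in EXEC_EXTS:
        return "executable attachment"
    return None


def scan_zip(zip_bytes):
    """Return [(member_name, reason)] for members of an in-memory ZIP that classify as risky."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            reason = classify_attachment(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed stand-in for the worm's 'document.zip': harmless bytes under a padded double-extension name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("document.htm" + " " * 40 + ".pif", b"constructed placeholder, not a payload")
        archive.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("doc.bat", "test.htm.pif", "document.htm" + " " * 40 + ".pif", "readme.txt"):
        print(f"{sample!r}: {classify_attachment(sample)}")
    print("zip members:", scan_zip(build_sample_zip()))
```

The double-extension check runs before the plain extension check so that `document.htm      .pif` is reported for the more specific reason; `strip()` only removes leading and trailing whitespace, so the padding between the two extensions is still visible to the regular expression.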

The icon used by the file is chosen to make the attachment look like a text file.

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as lsasrv.exe:

  • %SysDir%\lsasrv.exe

(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entries to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "lsass" = %SysDir%\lsasrv.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe %SysDir%\lsasrv.exe

The worm blocks access to security websites and updates by modifying the Windows HOSTS file (infected HOSTS files are proactively detected as the QHost.apd trojan with released DAT files).

The worm attempts to contact remote sites to retrieve instructions, and also creates the following data files locally:

  • c:\WINDOWS\system32\hserv.sys (encrypted data)
  • c:\WINDOWS\system32\version.ini (version text)
  • c:\WINDOWS\Temp\Mes#wtelw (this is simply a garbage text file that is displayed during execution)

Two remote sites contacted are as follows:

  • nermasteno.com
  • opsanted.com
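The host-side indicators above (the `lsass` Run value, the extra program appended to the Winlogon `Shell` value, the HOSTS file edits and the two remote sites) can be checked mechanically once the values have been collected from a machine. The following Python is an added example, not McAfee's code: it operates on already-collected inputs (registry values as strings, the HOSTS file as text, a list of DNS names queried), and all sample inputs are constructed. Reading the live registry (for example with the `winreg` module on Windows) is left out so the checks run anywhere.

```python
# Artefacts listed in the profile.
DROPPED_FILE = "lsasrv.exe"
RUN_VALUE_NAME = "lsass"
REMOTE_SITES = {"nermasteno.com", "opsanted.com"}
# Addresses a tampered HOSTS file typically pins vendor names to (assumption).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def check_winlogon_shell(shell_value):
    """A clean Winlogon 'Shell' value is just explorer.exe; return anything appended to it."""
    return [p for p in shell_value.replace(",", " ").split() if p.lower() != "explorer.exe"]


def check_run_values(run_values):
    """run_values: {value_name: command} read from the Run key. Return (name, command) pairs
    that use the worm's value name or point at the dropped file."""
    return [(name, cmd) for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE_NAME or DROPPED_FILE in cmd.lower()]


def check_hosts(hosts_text):
    """Return hostnames the HOSTS file pins to a loopback/null address (the QHost-style block),
    ignoring the normal localhost lines."""
    pinned = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            pinned.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return pinned


def check_dns_names(queried_names):
    """Return queried names that are, or sit under, the two remote sites named in the profile."""
    hits = []
    for name in queried_names:
        n = name.lower().rstrip(".")
        if any(n == site or n.endswith("." + site) for site in REMOTE_SITES):
            hits.append(name)
    return hits


# Constructed sample inputs (not data from a real infection).
SAMPLE_SHELL = r"explorer.exe C:\WINDOWS\system32\lsasrv.exe"
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "lsass": r"C:\WINDOWS\system32\lsasrv.exe",
}
SAMPLE_HOSTS = """\
# constructed HOSTS file
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   # blocked vendor site (constructed name)
127.0.0.1       www.av-vendor.example
"""
SAMPLE_DNS = ["www.example.org", "opsanted.com", "cdn.nermasteno.com."]


def triage(shell_value, run_values, hosts_text, queried_names):
    """Bundle the four checks into one report; an empty report means no indicator matched."""
    report = {
        "winlogon_shell": check_winlogon_shell(shell_value),
        "run_key": check_run_values(run_values),
        "hosts_pinned": check_hosts(hosts_text),
        "remote_sites": check_dns_names(queried_names),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for indicator, hits in triage(SAMPLE_SHELL, SAMPLE_RUN, SAMPLE_HOSTS, SAMPLE_DNS).items():
        print(f"{indicator}: {hits}")
```

The Winlogon check deliberately reports anything other than `explorer.exe` rather than looking only for `lsasrv.exe`, because the `Shell` value is a generic persistence point: a clean machine has exactly one program there, and any addition is worth a look regardless of which sample put it there.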

Peer To Peer Propagation
The worm copies itself to P2P shared directories (such as those of LimeWire and eDonkey) under file names such as:

  • porno.pif
  • winamp5.scr
  • adultpasswds.exe

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken: go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.