This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
- Existence of the files and Registry keys detailed here.
- Copies of the worm with the enticing filenames used for P2P propagation.
- Local HOSTS file overwritten as detailed here.
- When run, a garbage text file is opened and displayed in Notepad.
- The worm removes Registry key data belonging to other worms from the Registry.
Methods of Infection
The worm installs itself into the Windows system directory as LSASRV.EXE, for example:
The following Registry key is added to hook system startup:
- Run "lsass" = %SysDir%\LSASRV.EXE
Additionally, the following value:
- "Shell" = "explorer.exe %SysDir%\LSASRV.EXE"
is added to the following key:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
The email propagation of this variant is very similar to that of previous Mydoom variants:
- email addresses are harvested from the victim machine
- From: address is spoofed using forenames and domains carried in the worm's body
- email addresses containing certain strings are excluded from the mailing
- the worm attaches itself to outgoing mails with one of the following filenames:
- the attachment will have one of the following extensions:
Overwriting local HOSTS file
The local HOSTS file is modified so that connections to a number of domains used for updating various anti-virus products are redirected to localhost (127.0.0.1).
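The two host-based indicators described above (the HOSTS file pinning anti-virus update names to 127.0.0.1, and the Winlogon "Shell" value and Run key pointing at LSASRV.EXE) can be checked with a small parser. The following is an added example written for this page, not code from the anti-virus vendor; the HOSTS content and the hostnames in it are constructed placeholders, since the advisory does not list the actual domains, and the Registry data is passed in as plain strings so the check runs anywhere.

```python
import re
from typing import Dict, List

# Constructed sample of a HOSTS file as left by this kind of tampering:
# anti-virus update hostnames pointed at loopback so updates fail.
# The hostnames are placeholders, not the list from the advisory.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.invalid
127.0.0.1       liveupdate.example-av.invalid
127.0.0.1       downloads.example-av.invalid
"""

# Names that legitimately resolve to loopback and must not be flagged.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}
LOOPBACK = re.compile(r"^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$|^::1$")


def suspicious_hosts_entries(hosts_text: str) -> List[str]:
    """Hostnames that the HOSTS file pins to a loopback address, excluding the
    standard localhost names. Vendor update hostnames appearing here are the
    indicator described in the advisory."""
    flagged: List[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if LOOPBACK.match(addr):
            flagged.extend(n for n in names if n.lower() not in BENIGN_LOOPBACK_NAMES)
    return flagged


def extra_shell_programs(shell_value: str) -> List[str]:
    """Anything in the Winlogon "Shell" value other than explorer.exe.
    The advisory shows the worm appending its own executable after explorer.exe."""
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def _image_name(data: str) -> str:
    """Basename of the executable referenced by a Run-key value's data
    (handles a quoted path with arguments or a bare path)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split()[0] if data.split() else ""
    return re.split(r"[\\/]", path)[-1].lower()


def run_values_pointing_at(image_name: str, run_values: Dict[str, str]) -> List[str]:
    """Names of Run-key values whose data launches the given executable name."""
    target = image_name.lower()
    return [name for name, data in run_values.items() if _image_name(data) == target]


def check_indicators(hosts_text: str, shell_value: str, run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine the three checks into one report; empty lists mean nothing found."""
    return {
        "hosts_redirected": suspicious_hosts_entries(hosts_text),
        "shell_extra": extra_shell_programs(shell_value),
        "run_lsasrv": run_values_pointing_at("lsasrv.exe", run_values),
    }


if __name__ == "__main__":
    # Constructed Registry data matching the values given in the advisory.
    report = check_indicators(
        SAMPLE_HOSTS,
        r"explorer.exe %SysDir%\LSASRV.EXE",
        {"lsass": r"%SysDir%\LSASRV.EXE"},
    )
    for key, hits in report.items():
        print(f"{key}: {hits if hits else 'clean'}")
```

On a live Windows host the HOSTS text would come from %SystemRoot%\System32\drivers\etc\hosts and the two Registry strings from the Winlogon and Run keys; the parsing is the same. The Shell check deliberately splits on both commas and whitespace because the advisory shows the worm using a space separator, while the value is normally comma-delimited.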
Email-Worm.Win32.Mydoom.ag (AVP), W32.Mydoom.AM@mm (Symantec), W32/MyDoom-AM (Sophos), W32/Mydoom.AN@mm (Frisk), WORM_MYDOOM.AM (Trend)