Virus Profile: W32/Mydoom.bm@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/1/2005
Date Added: 4/1/2005
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Internet Worm
DAT Required: 4460

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of the above-mentioned files and registry keys
  • TCP port 5204 listening on an infected machine
  • Unexpected outgoing traffic on TCP port 25

Methods of Infection

The following file types are read by the worm in order to harvest email addresses from an infected system:
.adb
.asp
.dbx
.htm
.php
.sht
.tbb
.txt
.wab

Mailbody:
Constructs an email message with the following characteristics:

From: (Any of the following)
adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Subject:
(Any of the following)

Do love
do love photo
Do you love me?
Honey,our do love
I love you more than the stars above.
my photo
please give me a kiss
What doy you feel like doing tonight honey?

Message body: (Any of the following)

Give more photo of my.
I love you more than the stars above.
If I marry you,there are going to be some ground rules.
Sweetheart, i love you more than i can say!

Attachment: (Any of the following)
dolove
photo
youbody
youdata
youdoc
youfile
youmessage
youtest
youtext

With any of the following extensions:
.exe
.htm
.pif
.scr
.txt
.zip

The worm does not send itself to addresses which contain any of the following strings:
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
be_loyal:
borlan
bsd
bugs
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
mit.e
mozilla
msn.
mydomai
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your

Aliases

Email-Worm.Win32.Mydoom.gen (Kaspersky), W32.Mydoom.BI@mm (Symantec), W32/Mydoom.BO.worm (Panda), Win32/Mydoom.BM (CA), WORM_MYDOOM.AI (Trend)

Virus Characteristics

W32/Mydoom.bm@MM is a mass mailing worm that uses its own SMTP engine to propagate. It also spreads via Peer-to-Peer network shares. W32/Mydoom.bm@MM opens a proxy, logs keystrokes and steals passwords from infected machines.

Upon execution, it opens notepad.exe and displays the following message:

Creates a copy of itself in the Windows system directory as:

%WINDIR%\%SYSDIR%\WINLOG0N.EXE

Additionally drops the following files to aid in its proxy and password stealing routine:

%WINDIR%\%SYSDIR%\wxapi.dll (detected as Proxy-Prodoom)
%WINDIR%\%SYSDIR%\svch0st.exe (detected as PWS-Banker.p)

Adds the following values to the registry to auto start itself when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WINLOG0N" = "%WINDIR%\%SYSDIR%\WINLOG0N.EXE"
"Systems" = "%WINDIR%\%SYSDIR%\svch0st.exe"

Adds the following registry values to register the proxy component:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = "%WINDIR%\%SYSDIR%\wxapi.dll"

Queries the following registry value and copies itself to Kazaa's peer-to-peer file sharing folder:

HKEY_LOCAL_MACHINE\Software\Kazaa\Transfer

using the following file names:
QQ2005
office_sn
do_love_photo
strip-girlsex_movies
gril_photo
MSN2005-final
winamp6

With any of the following file extensions:
.bat
.cmd
.exe
.pif
.scr

W32/Mydoom.bm@MM opens a proxy on TCP port 5204 using "wxapi.dll".

"svch0st.exe" logs keystrokes and monitors visited URLs for certain bank sites.


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
