Win32.Mydoom.O

Discussion in 'NZ Computing' started by Patrick Dunford, Jul 27, 2004.

  1. http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711

    When executed, Mydoom.O copies itself to %Windows%\java.exe

    It then sets the following registry entry to ensure that this copy is
    executed at each Windows startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaVM = "%Windows%\java.exe"

    Note: '%Windows%' is a variable location. The worm determines the
    location of the current Windows folder by querying the operating system.
    The default installation location for the Windows directory for Windows
    2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP is
    C:\Windows.

    It also drops the file %Windows%\services.exe

    which registers itself to ensure it is executed at each Windows startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "%Windows%\services.exe"

    The worm also creates a mutex.
    The mutex name generated by the worm consists of the name of the local
    machine with the word "root" appended; the resulting whole word is then
    appended to itself 2 times.
    The worm ensures that the host name consists only of small letters;
    if there are exceptions present, like digits for instance, the worm
    substitutes them with randomly selected small characters.

    The worm uses the mutex to ensure only one copy of the worm runs at a
    time.


    Method of Distribution
    Via E-mail
    The worm searches all fixed drives for e-mail addresses in files with
    these extensions:

    .tx*
    .wab*
    .ph*
    .pl*
    .sht*
    .dbx*
    .asp*
    .adb*
    .tbb*
    .ht*

    as well as using major search engines such as lycos, altavista, yahoo and
    google to collect e-mail addresses by querying for "contact", "reply" and
    "mailto" keywords.

    It ignores any address if the user name is any of the following:

    info
    noone
    nobody
    nothing
    anyone
    someone
    your
    you
    me
    rating
    site
    soft
    no
    foo
    help
    not
    feste
    ca
    gold-certs
    the.bat
    page

    or if the user name contains one of these sub-strings:

    support
    ntivi
    submit
    listserv
    bugs
    secur
    privacycertific
    accoun
    sample
    master
    abuse
    spam
    mailer-d

    or if the domain contains one of the following sub-strings:

    syma
    sarc.
    microsoft
    msdn.
    msn.
    hotmail
    panda
    spersk
    yahoo
    sophos
    example
    domain
    uslis
    update
    trend
    foo.com
    bar.
    secur
    seclist
    gmail
    gnu.
    google
    arin.
    ripe.
    sourceforge
    sf.net
    rarsoft
    winzip
    winrar

    The worm arrives attached to an e-mail with a variable Subject and
    Message Body. The attachment also uses variable names and file
    extensions.

    The Subject line may be randomly generated, or one of the following:

    hello
    hi
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

    The message body may be randomly generated or one of the following:

    [The or Your] [message or Message] could not be delivered.

    ----------

    The original message was included as attachment

    ----------

    The original message was received at [(time) or (blank)]
    from (sender domain)(random IP address)

    ----- The following addresses had permanent fatal errors -----
    (recipient address)

    ----- Transcript of [the or (blank)] session follows -----
    .... while talking to [[host or mail or (blank)] server] [(recipient
    domain). or (random IP address)]:

    followed by one or several of the following:

    >>> MAIL [From or FROM]:(sender domain)

    --
    <<<50(random digit) [(sender domain...) or (blank)][Refused or [Access
    [denied or Denied]]]
    --
    [User or Domain or Address] [unknown or blacklisted]
    --
    554 <(recipient domain)>... [Mail quota exceeded or Message is too large]
    --
    554 <(recipient domain)>... Service unavailable
    --
    550 5.1.2 <(recipient domain)>... Host unknown (Name server: host not
    found)
    --
    554 [5.0.0 or (blank)]Service unavailable; [(random IP address)] blocked
    using [relays.osirusoft.com or bl.spamcop.net]
    [, reason: Blocked or (blank)]
    --
    Session aborted[, reason: lost connection or (blank)]
    --
    >>> RCPT To:<(recipient address)>

    --
    <<<550 [MAILBOX NOT FOUND or 5.1.1 <(recipient address)>... [User unknown
    or Invalid recipient or Not known here or (blank)]
    --
    >>> DATA or

    --
    <<<400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
    --
    <<<400-aturner; -RMS-E-CRE, ACP file create failed
    --
    <<<400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
    --
    <<<400
    --
    (blank)

    ----------

    Dear user [(recipient domain) or of (recipient domain)], [[Mail or mail]
    [system or server] [administrator or administration] of (recipient
    domain) would like to [inform you that[: or ,]] or let you know [that or
    the following][. or : or ,] or (blank)]

    We have [detected or found or received] reports that [your or Your] [e-
    mail or email] account [has been or was] used to send a [large or huge]
    amount of [[unsolicited [ commercial or (blank)] or junk] [e-mail or
    email or spam][ messages or (blank)] [during this or the [last or
    recent]] week.
    [We suspect that or Probably, or Most likely or Obviously,] your computer
    [had been or was] [compromised or infected [ by a recent virus or
    (blank)] and now [runs or contains] a [trojan or trojaned or (blank) or
    hidden] proxy server.
    [Please or We recommend [that you or you to]] follow [our or the or
    (blank)]instructions or instruction] [in the [attachment or attached
    [text or file] or (blank)] in order to keep your computer safe.

    [[Virtually or Sincerely] yours or Best [wishes or regards or Have a nice
    day], [(recipient domain) [user or technical or (blank)] support team. or
    The (recipient domain) [support or (blank)] team.

    For example one of the possible combinations might result in the
    following message body:

    Dear user of (recipient domain),

    We have found that your email account was used to send a huge amount of
    spam messages during this week.
    We suspect that your computer had been infected and now contains a hidden
    proxy server.

    We recommend you to follow instruction in order to keep your computer
    safe.

    Best wishes,
    The (recipient domain) support team.

    ----------

    [The or This or Your] message was[ undeliverable or not delivered] due to
    the following [reasons or reason]:

    Your message [was not or could not be] delivered because the destination
    [computer or server] was
    [not or un]reachable within the allowed queue period. The amount of time
    a message is queued before it is returned depends on local configuration
    parameters.

    Most likely there is a network problem that prevented delivery, but
    it is also possible that the computer is turned off, or does not
    have a mail system running right now.

    Your message [was not or could not be] delivered within (a random digit)
    days:
    [[Mail [server or Server]] or Host] (random IP)) is not responding.

    The following recipients [did or could] not receive this message:
    <(recipient address)>

    Please reply to postmaster@[(sender domain) or (recipient domain)]
    if you feel this message to be in error.

    ----------

    The Attachment file name may be randomly generated, or one of the
    following:

    readme
    instruction
    transcript
    mail
    letter
    file
    text
    attachment
    document
    message

    with one of these extensions:

    cmd
    bat
    com
    exe
    pif
    scr

    The attachment name may also be the e-mail address of the recipient.

    The attachment could also be in a ZIP archive, and can have a "double
    extension", with "doc", "txt", "htm" or "html" followed by many spaces,
    then the real extension.

    Limited Backdoor Functionality

    Mydoom.O creates a backdoor, listening on TCP port 1034.

    Closes Windows

    The worm attempts to close windows with these names:

    rctrl_renwnd32
    ATH_Note
    IEFrame
    Patrick Dunford, Jul 27, 2004
    #1
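An added worked example to go with the advisory quoted above (it is not code from the post, from CA, or from the advisory): a small defender-side script that turns the described traits into checks. It flags messages whose attachment name uses the listed executable extensions, the "decoy extension plus many spaces" trick (also inside a ZIP), or an e-mail address as file name, treats a listed subject line as supporting evidence only, and checks a Run-key listing for the JavaVM and Services values pointing at %Windows%\java.exe and %Windows%\services.exe. All mail samples, the ZIP content and the registry values are constructed inline, so it runs offline; the attachment-as-address check assumes the address keeps one of the listed extensions.

```python
"""Defender-side checks for the Mydoom.O traits quoted above.

Added example, not code from the post or the CA advisory. All sample data
(mail samples, ZIP content, registry values) is constructed inline; nothing
is read from a live mailbox or registry."""
import io
import re
import zipfile

# Fixed subject lines listed in the advisory, compared case-insensitively
KNOWN_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
# Attachment extensions the advisory lists for the worm's executable
EXEC_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr"}
# Decoy extension, a run of spaces, then the real executable extension,
# e.g. "document.txt                .exe"
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?:doc|txt|htm|html) {2,}[^.]*\.(?:cmd|bat|com|exe|pif|scr)$", re.I)
# Run-key value names and dropped file names from the advisory
SUSPECT_RUN_VALUES = {"JavaVM": "java.exe", "Services": "services.exe"}


def filename_reasons(name):
    """Reasons one attachment file name matches the advisory's naming tricks."""
    reasons = []
    stem, dot, ext = name.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = name, ""
    if ext.lower() in EXEC_EXTS:
        reasons.append(f"executable extension .{ext.lower()}")
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("decoy extension padded with spaces before the real one")
    if "@" in stem:  # "attachment name may also be the e-mail address of the recipient"
        reasons.append("file named after an e-mail address")
    return reasons


def zip_member_names(blob):
    """Member names of a ZIP attachment, or [] if the bytes are not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_message(subject, attachment_name, attachment_bytes=b""):
    """Flag a message when an attachment (or a ZIP member) matches; a listed
    subject alone only adds a reason, since "hi" is a common subject."""
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append(f"subject is on the advisory list: {subject!r}")
    names = [attachment_name]
    if attachment_name.lower().endswith(".zip"):
        names += zip_member_names(attachment_bytes)
    attachment_hits = 0
    for name in names:
        for reason in filename_reasons(name):
            reasons.append(f"{name.strip()!r}: {reason}")
            attachment_hits += 1
    return {"suspicious": attachment_hits > 0, "reasons": reasons}


def check_run_entries(run_entries, windows_dir=r"C:\WINDOWS"):
    """Return the Run-key value names whose data points at the dropped files.
    run_entries maps value name -> data as read from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (constructed here).
    The genuine services.exe lives in System32, so a Run value pointing at
    %Windows%\\services.exe is the tell."""
    hits = []
    for name, data in run_entries.items():
        dropped = SUSPECT_RUN_VALUES.get(name)
        if dropped and data.strip('"').lower() == f"{windows_dir}\\{dropped}".lower():
            hits.append(name)
    return sorted(hits)


def build_sample_zip():
    """Constructed ZIP with one padded double-extension member (not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transcript.htm" + " " * 30 + ".scr", b"constructed placeholder")
    return buf.getvalue()


SAMPLE_MESSAGES = [  # (subject, attachment name, attachment bytes), all constructed
    ("Mail System Error - Returned Mail", "instruction.zip", build_sample_zip()),
    ("Returned mail: Data format error", "readme.pif", b""),
    ("Re: July invoice", "invoice.pdf", b""),
    ("hi", "notes.txt", b""),
]
SAMPLE_RUN_ENTRIES = {  # constructed Run-key contents: two worm values, one benign
    "JavaVM": r'"C:\WINDOWS\java.exe"',
    "Services": r'"C:\WINDOWS\services.exe"',
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe"',
}

if __name__ == "__main__":
    for subject, name, blob in SAMPLE_MESSAGES:
        verdict = classify_message(subject, name, blob)
        print(subject, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
    print("Run-key hits:", check_run_entries(SAMPLE_RUN_ENTRIES))
```

Pass `windows_dir` matching the host being checked (C:\Winnt on NT/2000, per the advisory); on a real machine the Run values would come from the registry rather than the constructed dictionary.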

  2. Dave - Dave.net.nz, Jul 27, 2004
    #2
