FRISK Software International


Summary of W32/Mydoom.A@mm
Alias: W32.Novarg.A@mm, WORM_MIMAIL.R
Length: 22,528 bytes
Discovered: 26 Jan 2004
Definition files: 26 Jan 2004
Risk Level: High
Distribution: High
Infection Method: Infected e-mail attachments, P2P file sharing
Payload: Mass-mailing functionality, denial of service, system security compromise
 
Brief Description

W32/Mydoom.A@mm spreads via e-mail messages with technical-sounding subject lines. The attachment that carries the worm's executable also bears a technical, harmless-sounding name. If the attachment is executed, the worm infects the computer, harvests e-mail addresses from the hard drive and spreads further by mailing itself to those addresses. Mydoom.A forges the From address by substituting another harvested address chosen at random, so the apparent sender is not the infected machine. The worm also opens a listening port on the infected computer, creating a backdoor through which attackers can gain remote control. W32/Mydoom.A@mm also spreads via the Kazaa file-sharing network.

W32/Mydoom.A@mm is programmed to perform a Denial of Service attack on SCO's website, www.sco.com, starting on 1 February 2004. The worm is also designed to stop spreading eleven days later, on 12 February 2004. It has been suggested that the attack on SCO stems from resentment toward the company in parts of the Linux community, following SCO's claims that key elements of the Linux open-source operating system are covered by its UNIX copyrights.

W32/Mydoom.A@mm is also known as:

  • W32.Novarg.A@mm
  • WORM_MIMAIL.R
  • W32/Mydoom@mm
  • Mydoom
  • Win32/Shimg

W32/Mydoom.A@mm affects computers running Windows 95, 98, ME, NT, 2000 and XP.

E-mails carrying W32/Mydoom.A@mm will usually have one of the following subject lines:

     test
     hi
     hello
     Mail Delivery System
     Mail Transaction Failed
     Server Report
     Status
     Error

The body of these e-mails is usually one of the following:

     test

     The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

     The message contains Unicode characters and has been sent as a binary attachment.

     Mail transaction failed. Partial message is available

Attachments containing W32/Mydoom.A@mm bear one of the following names:

     document
     readme
     doc
     text
     file
     data
     test
     message
     body

with one of the following endings:

     .pif
     .scr
     .exe
     .cmd
     .bat
     .zip


Technical Description

W32/Mydoom.A@mm is a mass-mailing worm with several payloads. Written in C++, it is compressed with the UPX executable packer and is 22,528 bytes in size. The worm contains a number of encrypted strings, which it decrypts as needed with a single shared decryption routine. On infection the worm launches Notepad displaying a meaningless jumble of data, as a decoy for the user who opened the attachment.

The worm queries the registry for certain information about 'explorer.exe'. If that information cannot be read, the worm creates a mutex named 'SwebSipcSmtxS0'.

The worm places two files under the system directory when executed:

%system_dir%\shimgapi.dll
     -This file is the backdoor component of the W32/Mydoom.A@mm worm.

%system_dir%\taskmon.exe
     -This file is an exact copy of the worm.

The worm then retrieves the system date. If the date is later than 11 February 2004, the worm exits at this point without taking any further action.

The worm searches the registry for the presence of 'Kazaa', a file-sharing program. If found, the worm places a copy of itself in the Kazaa 'Shared folder', with a name chosen randomly from the following list with an extension of '.bat', '.exe', '.scr', or '.pif':

icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
winamp5

The worm contains a routine that performs a DoS (Denial of Service) attack against the domain www.sco.com. The routine starts late on Sunday, 1 February 2004. The worm first checks whether an Internet connection is present; if one is, it creates 63 threads and, after a short delay, each thread repeatedly issues a 'GET / HTTP/1.1' request to the address resolved for the host name 'www.sco.com'.

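
Seen from the target's side, the attack just described shows up in the web-server access log as a burst of requests for '/' from each infected client. The following is an added example in Python, not FRISK's code and nothing taken from the worm: it flags such bursts in Common Log Format lines. The log lines, the 60-second window and the threshold of 30 hits are constructed assumptions for the example; since the flood came from many infected hosts at once, the threshold should be tuned against the site's normal baseline rather than taken as given.

```python
"""Flood detection for the 'GET / HTTP/1.1' behaviour described above.

Added example, not FRISK's code. Reads web-server access logs in the Common
Log Format and flags any client that sends THRESHOLD or more requests for '/'
inside a sliding WINDOW-second span. sample_log() builds constructed lines
so the script runs offline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FLOOD_REQUEST = "GET / HTTP/1.1"   # the request line the page attributes to each worm thread
WINDOW = 60                        # seconds (assumption)
THRESHOLD = 30                     # hits on '/' per client per window (assumption; tune to baseline)


def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def find_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: first timestamp at which the client crossed the threshold}.

    A per-client deque holds the timestamps of recent '/' requests; entries older
    than the window are dropped as each new request arrives, so the check is a
    true sliding window rather than a fixed per-minute bucket."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, req = rec
        if req != FLOOD_REQUEST:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_log():
    """Constructed log: one client hammering '/' (63 hits in about nine seconds,
    one per worm thread) and one client browsing normally."""
    start = datetime.strptime("01/Feb/2004:16:00:00 +0000", TS_FMT)
    lines = []
    for i in range(63):
        ts = (start + timedelta(seconds=i / 7)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET / HTTP/1.1" 200 5132')
    for i, path in enumerate(["/", "/products/", "/products/sco.gif"]):
        ts = (start + timedelta(seconds=5 + i * 4)).strftime(TS_FMT)
        lines.append(f'203.0.113.9 - - [{ts}] "GET {path} HTTP/1.1" 200 812')
    return lines


if __name__ == "__main__":
    for ip, when in find_floods(sample_log()).items():
        print(f"{ip} crossed {THRESHOLD} hits on '/' within {WINDOW}s at {when}")
```

On a real server, pass the open log file directly: `find_floods(open("access.log"))`. The per-client threshold catches an individual infected host; an attack from thousands of hosts at a low per-host rate would additionally need a check on the aggregate rate of '/' requests.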
To ensure that the worm is executed when Windows is started, the worm creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="%system_directory%\taskmon.exe"

If this key cannot be created, the worm tries to create the same value under the current user's hive instead:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="%system_directory%\taskmon.exe"

Mass mailing

To gather e-mail addresses, the worm reads every entry in the Windows Address Book (WAB) and searches the fixed drives for files with any of the following extensions: .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .wab, .pl and .txt.
Each such file is parsed for addresses. The harvested addresses are put through several tests, such as a simple syntax validation and a comparison against a number of hard-coded names inside the worm's body. Whether the worm sends an infected message to a particular address depends on the outcome of these tests.

The worm also constructs new addresses at domains from which it has already harvested valid addresses. For this purpose it carries a list of first names inside its body; the list includes:

john, john, alex, michael, james, mike, kevin, david, george, sam, andrew, jose, leo, maria, jim, brian, serg, mary, ray, tom, peter, robert, bob, jane, joe, dan, dave, matt, steve, smith, stan, bill, bob, jack, fred, ted, adam, brent, alice, anna, brenda, claudia, debby, helen, jerry, jimmy, julie, linda, sandra

W32/Mydoom.A@mm has a built-in routine for talking to SMTP servers directly. Using this routine, the worm forges the From: address that the recipient sees.
For the From: field the worm usually takes a harvested address from the infected system, or combines one of the predefined names in its body with a harvested domain. The worm locates the recipient's mail server by querying the domain's MX records.

The e-mails sent by W32/Mydoom.A@mm have the following signature:

The subject can be one of the following, note that these subjects can appear all in lowercase letters, all in uppercase or in a mixture of the two:

Error
Status
Test
Hi
Hello
Server Report
Mail Delivery System
Mail Transaction Failed


Attachments can have any one of the following names:
'document', 'body', 'message', 'readme', 'doc', 'text', 'file', 'data', 'test'.
The extension can be any of the following: '.scr', '.zip', '.pif', '.exe', '.cmd', '.bat'.

Because of an internal error, the worm sometimes sends e-mails with meaningless subjects, which appear as a random string of letters such as 'jjuvabzujznniidx' or 'wgxtvooelr'; it also sends e-mails with a blank subject.

The message body can be one of the following:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
test

Typical e-mails sent out by W32/Mydoom.A@mm might look like the following:

[FROM:] 'Forged address'
[Subject:] 'Test'
[Body:] 'The message contains Unicode characters and has been sent as a binary attachment.'
[Attachment:] 'body.zip'


[FROM:] 'Forged address'
[Subject:] 'Server Report'
[Body:] 'test'
[Attachment:] 'file.zip'
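
The subject, body and attachment lists above (the same ones given in the Brief Description) are enough to write a gateway rule. The following is an added example in Python, not FRISK's code and not part of the original description. The message it scores is constructed inline, with placeholder bytes standing in for the worm; the verdict names, the 'garbled subject' pattern and the check that a worm-named .zip actually holds an executable member are this example's own choices, not anything the page specifies.

```python
"""Mail-gateway rule for the W32/Mydoom.A@mm message signature.

Added example, not FRISK's code: it turns the subject, body and attachment
lists on this page into a scoring function and runs it over a message that
is constructed here (no real worm sample is included).
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODIES = {  # stored without the trailing full stop; the page shows both spellings
    "test",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "the message contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
}
ATTACH_RE = re.compile(r"^(document|readme|doc|text|file|data|test|message|body)"
                       r"\.(pif|scr|exe|cmd|bat|zip)$", re.IGNORECASE)
EXEC_EXT = {"pif", "scr", "exe", "cmd", "bat"}


def classify_subject(subject):
    """'known' = one of the page's subjects, 'garbled' = blank or letter salad
    (the worm's internal-error subjects), 'other' = anything else."""
    s = subject.strip().lower()
    if s in SUBJECTS:
        return "known"
    if s == "" or re.fullmatch(r"[a-z]{6,24}", s):   # length bounds are an assumption
        return "garbled"
    return "other"


def attachment_hits(msg):
    """Names of attachments matching the worm's naming scheme. A .zip counts
    only if it is unreadable or carries a member with an executable extension."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACH_RE.match(name):
            continue
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    members = zf.namelist()
                if not any(m.rsplit(".", 1)[-1].lower() in EXEC_EXT for m in members if "." in m):
                    continue   # a genuine archive with no executable inside
            except zipfile.BadZipFile:
                pass           # unreadable archive with a worm-style name: keep the hit
        hits.append(name)
    return hits


def score_message(raw):
    """Score one RFC 822 message (bytes) and return the verdict with its evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = classify_subject(str(msg["subject"] or ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower().rstrip(".") if body_part else ""
    body_hit = body in BODIES
    attachments = attachment_hits(msg)
    if attachments and (subject != "other" or body_hit):
        verdict = "quarantine"   # worm-style attachment plus a matching subject or body
    elif attachments:
        verdict = "suspicious"   # naming scheme alone: hold for a second look
    else:
        verdict = "pass"
    return {"verdict": verdict, "attachments": attachments,
            "subject": subject, "body_hit": body_hit}


def build_sample():
    """Constructed look-alike: worm-style subject and body, plus a zip holding
    a fake 'file.exe' made of placeholder bytes (not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "forged@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Server Report"
    msg.set_content("test")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="file.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message that the rule must let through."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
    print(score_message(build_benign()))
```

The attachment name is the strongest single signal, since every variant of the message carries one of nine base names with one of six extensions; the subject and body are only used to raise confidence, because the worm also sends blank and random subjects.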

Backdoor

W32/Mydoom.A@mm drops a file named 'shimgapi.dll' in the system directory of the infected system. This file is the backdoor. It is installed by writing the value
'%system directory%\shimgapi.dll' as the default value of the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

Through this key, 'shimgapi.dll' is loaded into the address space of 'explorer.exe'. The backdoor therefore does not appear as a separate process; it runs as a module inside explorer.exe. It listens on a TCP socket bound to the first free port in the range 3127 to 3198.
The backdoor allows unauthorized persons to carry out a variety of actions on the system remotely, such as uploading files and executing files on the local system.
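
Both the persistence entries (the 'TaskMon' Run value and the CLSID InProcServer32 hijack) and the listener in the 3127-3198 range can be checked without the scanner. The following added example in Python is not FRISK's code: it parses a regedit export for the two registry indicators and probes a host for the first open port in the backdoor range. The .reg text is constructed for the example, and open_decoy_listener() exists only so the port check can be exercised on a clean machine.

```python
"""Host and network triage for the W32/Mydoom.A@mm persistence and backdoor
described above. Added example, not FRISK's code.

(1) find_persistence() checks a regedit .reg export for the 'TaskMon' Run
    value pointing at taskmon.exe and for the Webcheck CLSID's InProcServer32
    default value pointing at shimgapi.dll.
(2) find_backdoor_port() reports the first open TCP port in 3127-3198,
    which is where the page says the backdoor binds.
SAMPLE_REG is constructed; open_decoy_listener() is a test aid only.
"""
import socket

RUN_KEYS = (   # registry key names are case-insensitive, so everything is compared lower-cased
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
WEBCHECK_INPROC = (r"hkey_local_machine\software\classes\clsid"
                   r"\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32")
BACKDOOR_PORTS = range(3127, 3199)   # 3127-3198 inclusive


def parse_reg_export(text):
    """Parse regedit .reg text into {key(lower-cased): {value_name: data}}.
    The default value is stored under '@'. Only string values are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes in strings
        keys[current][name] = data
    return keys


def find_persistence(reg_export):
    """Return (key, value_name, data) triples that match the worm's registry footprint."""
    keys = parse_reg_export(reg_export)
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name.lower() == "taskmon" or data.lower().endswith("taskmon.exe"):
                findings.append((key, name, data))
    inproc = keys.get(WEBCHECK_INPROC, {}).get("@", "")
    if inproc.lower().endswith("shimgapi.dll"):
        findings.append((WEBCHECK_INPROC, "@", inproc))
    return findings


def find_backdoor_port(host="127.0.0.1", timeout=0.2):
    """First open TCP port in 3127-3198 on host, or None. An unexplained
    listener there is the network-side indicator; confirm it with the
    registry check and the scanner before acting on it."""
    for port in BACKDOOR_PORTS:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                return port
    return None


def open_decoy_listener():
    """Bind a harmless listener on the first free port of the range (test aid only)."""
    for port in BACKDOOR_PORTS:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
            s.listen(1)
            return s, port
        except OSError:
            s.close()
    raise RuntimeError("no free port in 3127-3198")


# Constructed regedit export of an infected machine (plus one unrelated Run value).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_REG):
        print(f"[{key}] {name} = {data}")
    print("backdoor port:", find_backdoor_port())
```

Export the two keys with regedit's File > Export and read the file with the encoding regedit wrote (UTF-16 on Windows 2000/XP, ANSI REGEDIT4 on 95/98/ME; the parser skips either header). Two caveats: Windows 98/ME ships a legitimate 'TaskMonitor' Run entry pointing at %windir%\taskmon.exe, whereas the worm's value is named 'TaskMon' and points into the system directory, so check the path before acting; and the port probe only sees listeners reachable from where it runs, so an infected host behind a firewall should be checked from the host itself.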



Removal Instructions

Please follow the appropriate instructions for your system. Both the DOS scanner and the Command-line scanner are included in F-Prot Antivirus for Windows:

DOS Scanner:


For Windows 95/98/ME:

To boot into DOS press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.

Windows ME users need to use a Windows startup disk.

In DOS mode at the command prompt type:

cd \        [ENTER]
cd progra~1        [ENTER]
cd fsi        [ENTER]
cd f-prot        [ENTER]
f-prot.exe        [ENTER]

We are assuming here that F-Prot Antivirus was installed in the default location. Set the scanner to "Automatic disinfection".



Command-line Scanner:


For Windows 2000/XP:

Click on START \ SHUT DOWN \ RESTART. As the computer is booting up press the F8 key and from the menu select:

"Safe mode with Command prompt"

At the command prompt type:

cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list        [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.



For Windows NT 4.0:

Restart the computer and select the "[VGA mode]" entry from the boot menu (Windows NT 4.0 has no Safe Mode; VGA mode is the nearest equivalent).

1. Click "Start" / "Run" / type "cmd"         [ENTER]

2. Command prompt window appears.

3. Press "Ctrl-Alt-Del" once and click on "Processes".

4. In "Processes" find "Explorer.exe" and select "End process". The Desktop will disappear and only the background/wallpaper and the command prompt window will be visible.

5. In the command prompt window type the following:



cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list       [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.




Technical description: Sindri Bjarnason - Virus researcher FRISK Software Int.
 

