W32/Mydoom.BJ@mm is a mass-mailing worm. It spreads by e-mailing itself to addresses harvested from the local computer.
On infection the worm executes Windows Notepad displaying a meaningless jumble of data.
It drops 2 files on the infected computer:
%systemroot%\System32\svch0st.exe
%systemroot%\System32\wxapi.dll
detected as W32/Banker.ACW and W32/Backdoor.AZI respectively. The backdoor listens on TCP port 5204.
W32/Mydoom.BJ@mm copies itself to:
%systemroot%\System32\WINLOG0N.EXE
It creates keys under:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Systems = %systemroot%\System32\svch0st.exe
WINLOG0N = %systemroot%\System32\WINLOG0N.EXE
to ensure that each time the computer is restarted, W32/Mydoom.BJ@mm and W32/Backdoor.AZI are executed.
It modifies the following key:
Old value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
%systemroot%\System32\webcheck.dll
New value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
%systemroot%\System32\wxapi.dll
which effectively registers wxapi.dll (W32/Backdoor.AZI) as a shell extension, which allows it to run in Windows Explorer's address space.
Other registry keys created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version\Version]
Note: %systemroot% will translate to the Windows directory (e.g.: C:\winnt for WinNT/Windows 2000, C:\Windows for WinXP).
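The Run-key entries, the CLSID InProcServer32 change and the port 5204 listener above are the artifacts a responder would check for offline. The following is an added triage example, not part of the original write-up: it parses a regedit (.reg) export and `netstat -ano` output (both constructed here as sample input, including a benign "ExampleBenignApp" Run entry and PID 1584 that are invented for the sample) and reports only the indicators the description names.

```python
"""Offline triage for the W32/Mydoom.BJ@mm artifacts listed in the description.

Added example, not from the original write-up. Input is a regedit export
(.reg text) and `netstat -ano` output; both are constructed samples below.
"""
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_BINARIES = ("svch0st.exe", "winlog0n.exe")
HIJACKED_CLSID_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
                      r"\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32")
EXPECTED_CLSID_DLL = "webcheck.dll"   # legitimate value before the modification
BACKDOOR_PORT = 5204


def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: data}}.

    '@' is the key's default value. Only REG_SZ ("..." quoted) data is handled;
    hex:/dword: values are kept as raw strings, which is enough for path checks.
    """
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            # .reg exports escape backslashes in REG_SZ data as "\\".
            data = data.strip().strip('"').replace("\\\\", "\\")
            hives[current][name] = data
    return hives


def find_run_persistence(hives):
    """Return (value_name, command) pairs in the Run key that launch a dropped binary."""
    hits = []
    for key, values in hives.items():
        if key.lower() != RUN_KEY.lower():   # registry key names are case-insensitive
            continue
        for name, cmd in values.items():
            if cmd.lower().endswith(DROPPED_BINARIES):
                hits.append((name, cmd))
    return sorted(hits)


def find_clsid_hijack(hives):
    """Return the InProcServer32 default value if it no longer points at webcheck.dll."""
    for key, values in hives.items():
        if key.lower() == HIJACKED_CLSID_KEY.lower():
            dll = values.get("@", "")
            if not dll.lower().endswith(EXPECTED_CLSID_DLL):
                return dll
    return None


# Matches `netstat -ano` rows such as:  TCP    0.0.0.0:5204   0.0.0.0:0   LISTENING   1584
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)")


def find_backdoor_listener(netstat_output, port=BACKDOOR_PORT):
    """Return PIDs owning a TCP listener on the backdoor port."""
    return [int(m.group(2)) for m in map(NETSTAT_LINE.match, netstat_output.splitlines())
            if m and int(m.group(1)) == port]


def triage(reg_text, netstat_text):
    """Run all three checks and return a summary dict."""
    hives = parse_reg_export(reg_text)
    return {
        "run_persistence": find_run_persistence(hives),
        "clsid_hijack": find_clsid_hijack(hives),
        "listener_pids": find_backdoor_listener(netstat_text),
    }


# Constructed sample input: an infected WinXP host, with one benign Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systems"="C:\\WINDOWS\\System32\\svch0st.exe"
"WINLOG0N"="C:\\WINDOWS\\System32\\WINLOG0N.EXE"
"ExampleBenignApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\wxapi.dll"
"""

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5204           0.0.0.0:0              LISTENING       1584
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
"""

if __name__ == "__main__":
    for check, result in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(f"{check}: {result}")
```

Run against a real export (`reg export HKLM\SOFTWARE hklm.reg` plus saved `netstat -ano` output) the same functions apply unchanged; a clean host yields an empty Run list, `None` for the CLSID check and no listener PIDs.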