FRISK Software International


Summary of W32/Mydoom.DD@mm
Discovered: 22 Mar 2006
Definition files: 22 Mar 2006
Risk Level: Medium
Distribution: Low
 

Brief Description
W32/Mydoom.DD@mm is a mass-mailing worm. It harvests e-mail addresses from files on the infected machine and sends itself as an attachment to those addresses using its own SMTP engine. It also tries to spread through Kazaa shared folders, and it uses rootkit methods to hide its process and file.


Technical Description
Filesystem

When first run, the worm copies itself to %WINDIR%\system32\wmedia16.exe, starts that copy, and then terminates the original process.

It harvests e-mail addresses from all available hard drives, from all files having one of the following extensions:

txt
htm
sht
php
asp
dbx
tbb
adb
wab

If it finds the Kazaa shared folder, it copies itself there under one of the following names:

winamp5
icq5
xp_activation
strip-girl4.0c
dcom_patches
lsas_patches
msblast_patches
skype_video
0day_patch
office_crack
trillian_crack_all


Registry

Adds the value:

"WMedia16"="wmedia16.exe"

to the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

so that it is run at Windows startup. The value is a bare file name rather than a full path; the copy in %WINDIR%\system32 is found through the normal executable search path. When checking a machine, treat Run entries that name this file, or that give no path at all, as suspect.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]

in an attempt to locate a mail server.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name]

to try to find the user's Windows Address Book (WAB) file.

Queries the key:

[HKEY_CURRENT_USER\Software\Kazaa\Transfer\Dldir0]

to try to locate the Kazaa shared folder.


Mail routine

The worm sends itself as an attachment to an e-mail with the following characteristics:

The From address may be spoofed, so the apparent sender is not a reliable indicator of which machine is infected.

Attached is a file named %name%.zip containing the file %name%.%dbl_ext%, where %name% is one of the following:

body
i_love_u
i_luv_u
conf_data
port_imgs
sex_pics
doc
sex_girls
document

and %dbl_ext% is one of the following extensions:

tmp
doc
htm
txt

followed by a long run of spaces and then one of the following executable extensions (the padding pushes the real extension out of view in a narrow attachment column, so the file appears to be a document):

.bat
.cmd
.exe
.pif
.scr
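
The padded double extension is the detail a mail-gateway or triage rule can key on. The following Python example is added here and is not F-PROT's or the worm's code: it builds a constructed sample message whose ZIP attachment holds a member named the way the worm names its file (the member body is a harmless text stub, not malware), unpacks the attachment, and flags any member whose name is a stem, one of the four decoy extensions, a run of spaces, and then one of the five executable extensions listed in this write-up. The addresses and subject in the sample are made up for the example.

```python
"""Flag ZIP attachments whose member names use the padded double-extension
trick (e.g. "document.txt<many spaces>.exe").

Added example, not F-PROT's or the worm's code. The sample message is
constructed for illustration; the ZIP member is a text stub, not malware.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Decoy inner extensions and real executable extensions from the write-up.
DECOY_EXTS = ("tmp", "doc", "htm", "txt")
EXEC_EXTS = ("bat", "cmd", "exe", "pif", "scr")

# <stem>.<decoy><two or more whitespace chars>.<exec>; the whitespace run is
# what hides the real extension in a narrow attachment display.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^\s.]+)\.(?P<decoy>%s)\s{2,}\.(?P<real>%s)$"
    % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def suspicious_members(zip_bytes):
    """Return [(member name, decoy ext, real ext)] for padded double extensions."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            m = PADDED_DOUBLE_EXT.match(info.filename)
            if m:
                hits.append((info.filename, m["decoy"].lower(), m["real"].lower()))
    return hits


def scan_message(raw):
    """Walk a raw RFC 5322 message and return one finding per suspicious ZIP member."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            hits = suspicious_members(payload)
        except zipfile.BadZipFile:
            # Corrupt or non-ZIP data under a .zip name is worth a separate rule;
            # it is skipped here to keep the example focused on the name pattern.
            continue
        for member, decoy, real in hits:
            findings.append(
                {"attachment": name, "member": member, "decoy": decoy, "real": real}
            )
    return findings


def build_sample():
    """Constructed sample: a ZIP whose first member is named like the worm's
    attachment (document.txt + 40 spaces + .exe). Both members are text stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".exe", b"stub, not malware\n")
        zf.writestr("readme.txt", b"harmless\n")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"   # made-up, like the worm's spoofed From
    msg["To"] = "victim@example.com"
    msg["Subject"] = "hello"
    msg.set_content("see attachment")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip", filename="document.zip"
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Run stand-alone it reports one finding, for the member inside document.zip. The pattern is tolerant of case and of any run of two or more whitespace characters, since the exact padding length varies; a gateway rule would normally also reject any ZIP member ending in one of the executable extensions regardless of padding, and would treat a .zip that fails to parse as suspect rather than skipping it.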

The worm avoids sending itself to e-mail addresses containing any of the following substrings in the name (local) part of the address:

alert
page
the.bat
fethard
gold-certs
feste
submit
not
help
service
privacy
somebody
soft
contact
site
rating
bugs
you
your
someone
AccountRobot
anyone
nothing
nobody
noone
webmaster
webmoney
postmaster
samples
info
root
fraud
accoun
google
certific
listserv
linux
bsd
unix
ntivi
support
icrosoft
admin
spm
fcnz
www
secur
abuse

or containing any of the following substrings in the domain part:

.aero
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
hotmail
msn.
icrosof
syma
avp
be_loyal:
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley

Other payload

Prepends the following strings to the recipient's domain name, in an attempt to locate a mail server to deliver through:

mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
gate.

Hooks the System Service Descriptor Table (SSDT) to hide its process and file from enumeration on the infected system. Because the hook runs in kernel mode, tools run on the live system may not list the process or the file; verify from a clean boot environment.


Removal Instructions
For general removal instructions, please refer to the general removal instructions page.

Marteinn Þór Harðarson