FRISK Software International


Summary of W32/Mydoom.O@mm
Length: 29 kB
Discovered: 26 Jul 2004
Definition files: 26 Jul 2004
Risk Level: Medium
Distribution: Low
Infection Method: Spreads through e-mail, as an infected attachment.
Payload: Mass-mailing functionality; compromises system security on infected hosts by opening backdoor access
 
Brief Description
W32/Mydoom.O@mm is a mass-mailing worm that also installs a backdoor, allowing unauthorized access to the infected system. It spreads by mass-mailing itself to e-mail addresses harvested from the local computer or obtained by querying on-line search engines such as google.com. E-mails sent out by W32/Mydoom.O@mm carry a technical-sounding subject line and body (typically imitating a bounce notice), in order to trick the user into executing the infected attachment.

W32/Mydoom.O@mm carries and executes a backdoor on infected systems; this backdoor enables unauthorized access to the host system. The backdoor (detected as W32/Mydoom.O by F-Prot Antivirus) supports several commands, such as downloading and executing a file from a remote location, and sending and receiving a logfile listing other hosts compromised by W32/Mydoom.O.

When executed, W32/Mydoom.O@mm copies itself from the original location to:
%windir%\java.exe

It creates the following files:
%windir%\services.exe
%temp%\zincite.log

The backdoor creates the following file:
%temp%\.log

Note: %windir% translates to the Windows directory (e.g. C:\winnt for WinNT/Windows 2000, C:\Windows for WinXP). %temp% translates to the default temporary folder used by the Windows operating system. Also note the difference between %windir%\services.exe and %windir%\System32\services.exe: the former is the backdoor, the latter is a necessary Windows program (the Service Control Manager) and must not be removed.

W32/Mydoom.O@mm creates the following entry in the Windows registry to ensure execution upon each Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %windir%\java.exe

The backdoor, in turn, creates the following entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %windir%\services.exe

The worm creates the following registry keys, which serve as an infection marker:
HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon


Technical Description
When initially executed, W32/Mydoom.O@mm creates a mutex that ensures only one instance of the worm is active at any given moment. The worm copies itself to the %windir% directory under the name "java.exe" and drops the backdoor component to the same location under the name "services.exe".

W32/Mydoom.O@mm creates the following entry in the Windows registry to ensure execution upon each Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %windir%\java.exe

The backdoor, in turn, creates the following entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %windir%\services.exe

If executed on a Windows 9x system (Windows 95, 98, Me), the worm will attempt to register itself as a service process, in order to avoid the process showing up in the "Task manager" on those systems.
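The files, Run values, marker keys and listening port described above make a compact host-based indicator set. The script below is an added example, not part of this advisory or of F-Prot: evaluate() checks a snapshot of those artifacts, the Windows-only collect_windows() gathers a real snapshot (winreg, netstat), and demo_snapshot()/clean_snapshot() are constructed data for running it anywhere. It deliberately distinguishes %windir%\services.exe (backdoor) from %windir%\System32\services.exe (legitimate); the hypothetical paths and the netstat text are assumptions for the demo.

```python
"""Host-based IOC check for the W32/Mydoom.O@mm artifacts listed on this page.

Added example, not part of the original advisory or of F-Prot. The collection
layer runs only on Windows; evaluate() is pure, so it can be driven by a
constructed HostSnapshot on any platform (see demo_snapshot()).
"""
import os
import re
import subprocess
import sys
from dataclasses import dataclass

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
DAEMON_KEY = r"Software\Microsoft\Daemon"      # infection marker, HKCU and HKLM
BACKDOOR_PORT = 1034                           # backdoor listener (TCP)

# A Windows 'netstat -an' line, e.g. "  TCP    0.0.0.0:1034    0.0.0.0:0    LISTENING"
LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)


@dataclass
class HostSnapshot:
    windir: str            # %windir%, e.g. C:\Windows
    temp: str              # %temp%
    files: set             # lower-cased absolute paths that exist
    run_values: dict       # HKLM\...\Run value name -> data
    daemon_keys: set       # hives ("HKCU"/"HKLM") in which the Daemon key exists
    listening_tcp: set     # local TCP ports in LISTENING state


def listening_ports(netstat_output):
    """Extract listening TCP ports from Windows 'netstat -an' text."""
    return {int(p) for p in LISTEN_LINE.findall(netstat_output)}


def evaluate(snap):
    """Return the list of IOC findings for a snapshot (empty list = clean)."""
    windir = snap.windir.lower().rstrip("\\")
    temp = snap.temp.lower().rstrip("\\")
    findings = []
    if windir + r"\java.exe" in snap.files:
        findings.append("worm copy present: %windir%\\java.exe")
    # Only the copy directly under %windir% is the backdoor; the legitimate
    # Service Control Manager is %windir%\System32\services.exe and must stay.
    if windir + r"\services.exe" in snap.files:
        findings.append("backdoor present: %windir%\\services.exe (not System32)")
    if temp + r"\zincite.log" in snap.files:
        findings.append("peer list present: %temp%\\zincite.log")
    for value, target in (("JavaVM", r"\java.exe"), ("Services", r"\services.exe")):
        data = snap.run_values.get(value, "")
        if data.lower().strip('"') == windir + target:
            findings.append(f"Run value {value} = {data}")
    for hive in sorted(snap.daemon_keys):
        findings.append(f"infection marker {hive}\\{DAEMON_KEY}")
    if BACKDOOR_PORT in snap.listening_tcp:
        findings.append(f"TCP {BACKDOOR_PORT} listening (backdoor port)")
    return findings


def collect_windows():
    """Gather the snapshot from a live Windows host (winreg is Windows-only)."""
    import winreg
    windir, temp = os.environ["SystemRoot"], os.environ["TEMP"]
    paths = [os.path.join(windir, "java.exe"), os.path.join(windir, "services.exe"),
             os.path.join(temp, "zincite.log")]
    files = {p.lower() for p in paths if os.path.isfile(p)}
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for name in ("JavaVM", "Services"):
            try:
                run_values[name] = str(winreg.QueryValueEx(key, name)[0])
            except OSError:
                pass
    daemon = set()
    for label, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            winreg.CloseKey(winreg.OpenKey(hive, DAEMON_KEY))
            daemon.add(label)
        except OSError:
            pass
    out = subprocess.run(["netstat", "-an", "-p", "TCP"], capture_output=True, text=True).stdout
    return HostSnapshot(windir, temp, files, run_values, daemon, listening_ports(out))


def demo_snapshot():
    """Constructed infected host (not captured data) for exercising evaluate()."""
    netstat = ("  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING\n"
               "  TCP    0.0.0.0:1034     0.0.0.0:0    LISTENING\n")
    return HostSnapshot(
        windir=r"C:\Windows", temp=r"C:\Users\demo\AppData\Local\Temp",
        files={r"c:\windows\java.exe", r"c:\windows\services.exe",
               r"c:\windows\system32\services.exe",          # legitimate, must not fire
               r"c:\users\demo\appdata\local\temp\zincite.log"},
        run_values={"JavaVM": r"C:\Windows\java.exe", "Services": r"C:\Windows\services.exe"},
        daemon_keys={"HKCU", "HKLM"},
        listening_tcp=listening_ports(netstat))


def clean_snapshot():
    """Constructed clean host: only the legitimate System32\\services.exe exists."""
    return HostSnapshot(r"C:\Windows", r"C:\Users\demo\AppData\Local\Temp",
                        {r"c:\windows\system32\services.exe"}, {}, set(), {135})


if __name__ == "__main__":
    snap = collect_windows() if sys.platform == "win32" else demo_snapshot()
    for line in evaluate(snap) or ["no W32/Mydoom.O@mm artifacts found"]:
        print(line)
```

Run it as an administrator on the host being checked; on a non-Windows system it falls back to the constructed snapshot, which is only there to show the output shape. A single finding is enough to warrant pulling the host for cleanup, since none of these artifacts occur on a healthy system.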

Once the worm has finished the installation routine, it carries out its mass-mailing payload. W32/Mydoom.O@mm uses its own SMTP routine to send itself to e-mail addresses harvested using two methods:
1) Searching files on the infected computer with the following extensions:
ADB, ASP, DBX, DOC, HT*, PHP, PL*, SHT, TBB, TX*, WAB

2) Queries to the following search engines (with varying probability):
www.google.com
search.lycos.com
search.yahoo.com
www.altavista.com

The search string is built from keywords chosen at random, such as "mailto", "e-mail" or "contact", plus the domain part of an e-mail address the worm previously found on the infected system.
For example, if the worm found the address "user@example-domain.com" in a file on the local system, it would issue a query using the search string "mailto example-domain".

E-mails sent by the W32/Mydoom.O@mm have the following characteristics:
The "From:" address is spoofed: it is replaced by a randomly chosen address the worm previously harvested.
The "Subject:" is one of the following strings:
hello
hi
error
status
test
report
Delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

W32/Mydoom.O@mm will avoid sending itself to addresses containing any of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp

The attachment extension can be any of the following:
.scr, .bat, .com, .zip, .exe, .pif, .cmd
In some cases the attachment will be double-zipped.

The worm chooses between a few technical-sounding messages for its e-mail body. The body
can also be blank or a random jumble of data. Typical messages sent by the worm look like the following:

-----

Dear user of [domain],

Your email account has been used to send a huge amount of junk e-mail messages during the last week.
We suspect that your computer had been infected and now contains a trojaned proxy server.

We recommend you to follow the instruction in order to keep your computer safe.

Have a nice day,
The team.

-----

The message was undeliverable due to the following reason:

Your message could not be delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

Your message was not delivered within days:
Mail server is not responding.

--------

The original message was included as attachment

--------

Your message could not be delivered
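The subject list, attachment extensions, double-zipping and bounce-style body text above are enough to write a mail-gateway check. The script below is an added example, not part of this advisory or of F-Prot: assess() parses one message, descends into nested zip attachments to find executable payloads, and only blocks when a payload is corroborated by the subject or body, because subjects such as "hi" or "test" are far too common to act on alone. The sample messages, addresses and the placeholder "binary" inside the zip are constructed for the demo.

```python
"""Mail-gateway check for the W32/Mydoom.O@mm message traits described above.

Added example, not part of the original advisory or of F-Prot. Sample messages
are constructed inline; the attachment is a zip within a zip (the worm is
sometimes double-zipped) holding a placeholder, not a real binary.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

WORM_SUBJECTS = {s.lower() for s in (
    "hello", "hi", "error", "status", "test", "report", "Delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail", "Returned mail: see transcript for details",
    "Returned mail: Data format error")}
EXECUTABLE_EXT = (".scr", ".bat", ".com", ".exe", ".pif", ".cmd")
BODY_PHRASES = ("trojaned proxy server", "not reachable within the allowed queue period",
                "the original message was included as attachment",
                "your message could not be delivered", "mail server is not responding")
MAX_ZIP_DEPTH = 3   # covers the double-zipped case and bounds nested-zip bombs


def executable_names(filename, data, depth=0):
    """Names of executable payloads reachable from an attachment, descending into zips."""
    lower = filename.lower()
    if lower.endswith(EXECUTABLE_EXT):
        return [filename]
    if lower.endswith(".zip") and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                found = []
                for info in zf.infolist():
                    found += executable_names(info.filename, zf.read(info), depth + 1)
                return found
        except zipfile.BadZipFile:
            return []
    return []


def assess(raw):
    """Classify one RFC 822 message as 'block', 'suspicious' or 'clean', with reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    if str(msg["subject"] or "").strip().lower() in WORM_SUBJECTS:
        reasons.append("subject matches worm template")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    phrases = [p for p in BODY_PHRASES if p in text]
    if phrases:
        reasons.append("body phrase: " + phrases[0])
    payloads = []
    for part in msg.iter_attachments():
        payloads += executable_names(part.get_filename() or "",
                                     part.get_payload(decode=True) or b"")
    if payloads:
        reasons.append("executable payload: " + ", ".join(payloads))
    # The attachment is the decisive indicator; subject and body only corroborate it.
    if payloads and len(reasons) > 1:
        return "block", reasons
    if payloads or len(reasons) > 1:
        return "suspicious", reasons
    return "clean", reasons


def _nested_zip():
    """Constructed zip-in-zip carrying a placeholder .exe (not a real program)."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("transcript.exe", b"placeholder, not a real PE image")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("transcript.zip", inner.getvalue())
    return outer.getvalue()


def sample_worm_message():
    """Constructed message mirroring the bounce-style template quoted above."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example-domain.com"     # spoofed sender, constructed
    msg["To"] = "user@example-domain.com"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The message was undeliverable due to the following reason:\n\n"
                    "Your message could not be delivered because the destination computer was\n"
                    "not reachable within the allowed queue period.\n")
    msg.add_attachment(_nested_zip(), maintype="application", subtype="zip",
                       filename="transcript.zip")
    return msg.as_bytes()


def sample_clean_message():
    """Constructed benign message whose subject happens to be on the worm's list."""
    msg = EmailMessage()
    msg["From"] = "alice@example-domain.com"
    msg["To"] = "bob@example-domain.com"
    msg["Subject"] = "hi"
    msg.set_content("Lunch at noon?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (sample_worm_message(), sample_clean_message()):
        print(assess(raw))
```

The zip walk is bounded by MAX_ZIP_DEPTH so an attacker cannot stall the gateway with deeply nested archives, and a corrupt zip is simply treated as carrying nothing executable; a real gateway would also want size limits on the decompressed data.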

When active, the worm searches for and attempts to close windows with the following window class names (belonging to Microsoft Outlook, Outlook Express and Internet Explorer respectively):
rctrl_renwnd32
ATH_Note
IEFrame


The backdoor component:

On execution W32/Mydoom.O@mm drops two files: the backdoor %windir%\services.exe (detected as W32/Mydoom.O) and a logfile named "zincite.log" in the user's %temp% directory.

The logfile is encrypted and contains a list of IP addresses of other hosts compromised by W32/Mydoom.O. When the backdoor is executed, it reads the logfile, decodes it into memory, and later appends the IP address of the infected system to it.

The backdoor regularly tries to connect to the listed IP addresses; if a connection succeeds, that IP address is marked in the logfile as still being compromised by W32/Mydoom.O. In this way the backdoor keeps the logfile up to date for W32/Mydoom.O@mm to spread.

The backdoor listens on TCP port 1034 for incoming connections. It supports four commands that an unauthorized user can execute:

* The "phone home" command. This command is initiated by other hosts compromised by W32/Mydoom.O.
When the backdoor receives this command, it sends the client an up-to-date list of 128 IP
addresses in encrypted form and then adds the IP address of the client to its logfile. When the client
receives the list, it decodes it and adds the IP addresses (if they are new) to its own logfile.

* Send logfile. The backdoor sends the complete logfile to the client. This command differs
from the "phone home" command in that the whole logfile is sent and the client's IP address is not
added to the backdoor's logfile.

* Receive logfile. The backdoor checks the integrity of the received logfile and adds its IP addresses
to its own logfile if they are new.

* Upload and execute a file. The backdoor downloads a file to the computer's %temp% directory,
executes the file and then deletes it.

Note: once the logfile reaches a certain size, new IP addresses are less likely to be added to it. This keeps the logfile from growing too large.



Bjartmar Kristjansson - Virus analyst FRISK Software Int.