W32/Mydoom.O@mm creates the following entry in the Windows registry to ensure execution upon each Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %windir%\java.exe
The backdoor, in turn, creates the following entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %windir%\services.exe
E-mails sent by W32/Mydoom.O@mm have the following characteristics:
The "From:" address is spoofed: it is replaced by a randomly chosen address the worm previously harvested.
The "Subject:" line is one of the following strings:
hello
hi
error
status
test
report
Delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
W32/Mydoom.O@mm will avoid sending itself to addresses containing any of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
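The recipient filter described above, as an added example (not code from the original page or from the worm): the substring list is the one given on this page, the matching rule (case-insensitive substring anywhere in the address) follows the page's wording, and the harvested addresses are constructed.

```python
"""Model of the recipient filter W32/Mydoom.O@mm applies to harvested addresses.

Added example, not code from the original page or from the worm: the substring
list is the one given above, the matching rule (case-insensitive substring
anywhere in the address) follows the page's wording, and the sample addresses
are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Strings the page lists; an address containing any of them is skipped.
AVOID_SUBSTRINGS = [
    "mailer-d", "spam", "abuse", "master", "sample", "accoun", "privacycertific",
    "bugs", "listserv", "submit", "ntivi", "support", "admin", "page", "the.bat",
    "gold-certs", "ca", "feste", "not", "help", "foo", "no", "soft", "site",
    "rating", "me", "you", "your", "someone", "anyone", "nothing", "nobody",
    "noone", "info", "winrar", "winzip", "rarsoft", "sf.net", "sourceforge",
    "ripe.", "arin.", "google", "gnu.", "gmail", "seclist", "secur", "bar.",
    "foo.com", "trend", "update", "uslis", "domain", "example", "sophos",
    "yahoo", "spersk", "panda", "hotmail", "msn.", "msdn.", "microsoft",
    "sarc.", "syma", "avp",
]


def blocked_by(address: str) -> Optional[str]:
    """Return the first avoid-list string found in the address, or None if the worm would mail it."""
    lowered = address.lower()
    for needle in AVOID_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def partition_harvested(addresses: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split a harvested list into the addresses the worm would mail and those it skips (with the reason)."""
    targets: List[str] = []
    skipped: Dict[str, str] = {}
    for addr in addresses:
        hit = blocked_by(addr)
        if hit is None:
            targets.append(addr)
        else:
            skipped[addr] = hit
    return targets, skipped


# Constructed sample of a harvested address book (reserved/example domains only).
SAMPLE_HARVEST = [
    "jdoe@contoso.test",           # mailed
    "zoe@orbit.test",              # mailed
    "abuse@contoso.test",          # skipped: "abuse"
    "carol.smith@contoso.test",    # skipped: the two-letter entry "ca" matches "carol"
    "bob@nowhere.test",            # skipped: "no"
    "tom@gmail.com",               # skipped: "gmail"
    "alerts@securitycorp.test",    # skipped: "secur"
]

if __name__ == "__main__":
    targets, skipped = partition_harvested(SAMPLE_HARVEST)
    print("would be mailed:", targets)
    for addr, why in skipped.items():
        print(f"skipped {addr!r} because it contains {why!r}")
```

Running it shows how coarse the filter is: besides the intended exclusions (abuse desks, security vendors, mailing-list software), very short entries such as "ca", "me" and "no" also drop ordinary addresses like carol.smith@contoso.test, which is worth remembering when estimating which mailboxes an infected host would actually have hit.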
The attachment extension can be any of the following:
.scr, .bat, .com, .zip, .exe, .pif, .cmd
In some cases the attachment will be double-zipped.
The worm chooses one of a few technical-sounding messages as its e-mail body. The body can also be blank or a random jumble of data. A typical message sent by the worm looks like the following:
-----
Dear user of [domain],
Your email account has been used to send a huge amount of junk e-mail messages during the last week.
We suspect that your computer had been infected and now contains a trojaned proxy server.
We recommend you to follow the instruction in order to keep your computer safe.
Have a nice day,
The team.
-----
The message was undeliverable due to the following reason:
Your message could not be delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within days:
Mail server is not responding.
--------
The original message was included as attachment
--------
Your message could not be delivered
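A triage routine for captured messages built from the traits above (subject list, attachment extensions, the body templates and the double-zipped attachment), as an added example that is not part of the original page. The subject list, extensions and body fragments come from the page; the sample messages and the in-memory zip archives are constructed so the script runs offline, and the scoring threshold is this example's own heuristic.

```python
"""Triage of a captured e-mail against the W32/Mydoom.O@mm traits described above.

Added example, not code from the original page. The subject list, attachment
extensions and body fragments are taken from the page; the sample messages and
the in-memory zip archives are constructed here so the script runs offline.
"""
import io
import os
import zipfile
from typing import Dict

SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report",
    "Delivery failed", "Message could not be delivered",
    "Mail System Error - Returned Mail", "Delivery reports about your e-mail",
    "Returned mail: see transcript for details", "Returned mail: Data format error",
}
SUBJECTS_LOWER = {s.lower() for s in SUBJECTS}
EXTENSIONS = {".scr", ".bat", ".com", ".zip", ".exe", ".pif", ".cmd"}
# Distinctive fragments of the body templates quoted above (lower-cased for matching).
BODY_FRAGMENTS = [
    "trojaned proxy server",
    "not reachable within the allowed queue period",
    "mail server is not responding",
    "the original message was included as attachment",
    "your message could not be delivered",
]


def zip_depth(data: bytes) -> int:
    """0 for a non-zip blob, 1 for a plain zip, 2 for a zip whose members include a zip, and so on."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [zf.read(name) for name in zf.namelist()]
    return 1 + max((zip_depth(m) for m in members), default=0)


def triage(subject: str, attachment_name: str, attachment: bytes, body: str) -> Dict[str, object]:
    """Score one message; the verdict needs more than one trait because 'hi' or 'test' alone is normal mail."""
    ext = os.path.splitext(attachment_name)[1].lower()
    depth = zip_depth(attachment)
    lowered = body.lower()
    hits = {
        "subject": subject.strip().lower() in SUBJECTS_LOWER,
        "extension": ext in EXTENSIONS,
        "double_zipped": depth >= 2,
        "body": any(frag in lowered for frag in BODY_FRAGMENTS),
    }
    score = sum(hits.values())
    # Heuristic of this example: three traits, or a template body plus a risky attachment type.
    flag = score >= 3 or (hits["body"] and hits["extension"])
    return {**hits, "zip_depth": depth, "score": score, "flag": flag}


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used only to construct sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachments; the "executable" is a stand-in header, not a real PE file.
INNER_ZIP = make_zip({"message.exe": b"MZ" + b"\x00" * 64})
DOUBLE_ZIPPED = make_zip({"message.zip": INNER_ZIP})
PHOTO_ZIP = make_zip({"photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16})

if __name__ == "__main__":
    samples = [
        ("Mail System Error - Returned Mail", "message.zip", DOUBLE_ZIPPED,
         "--------\nThe original message was included as attachment\n--------"),
        ("report", "report.scr", b"MZ" + b"\x00" * 64,
         "We suspect that your computer had been infected and now contains a trojaned proxy server."),
        ("hi", "photo.zip", PHOTO_ZIP, "see you at the weekend"),
        ("Quarterly numbers", "report.pdf", b"%PDF-1.4\n", "Attached as discussed."),
    ]
    for subject, name, blob, body in samples:
        print(subject, "->", triage(subject, name, blob, body))
```

The zip_depth check is what catches the double-zipped variant: the outer file name only reveals ".zip", so the archive itself has to be opened to see that its single member is another archive.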
When active, the worm searches for and attempts to close windows with the following window class names (those of Outlook, Outlook Express and Internet Explorer):
rctrl_renwnd32
ATH_Note
IEFrame
The backdoor component:
On execution W32/Mydoom.O@mm drops 2 files: the backdoor %windir%\services.exe (detected as W32/Mydoom.O) and a logfile named "zincite.log" in the user's %temp% directory.
The logfile is encrypted and contains a list of IP addresses of other hosts compromised by W32/Mydoom.O. When the backdoor is executed, it reads the logfile, decodes it into memory and later appends the IP address of the infected system to the logfile.
The backdoor regularly tries to connect to these IP addresses; if a connection succeeds, the IP is marked in the logfile as still compromised by W32/Mydoom.O. In this way the backdoor keeps the logfile up to date for W32/Mydoom.O@mm to spread.
The backdoor listens on TCP port 1034 for incoming connections. It supports 4 commands that an unauthorized user can execute:
* The "phone home" command. This command is issued by other W32/Mydoom.O compromised hosts. When the backdoor receives it, it sends the client an up-to-date list of 128 IP addresses in encrypted form and then adds the client's IP to its logfile. When the client receives the list, it decodes it and adds the IPs that are new to its own logfile.
* Send logfile. The backdoor will send the complete logfile to the client. This command differs
from the "phone home" command as the whole logfile will be sent and the client's IP will not
be added to the backdoor's logfile.
* Receive logfile. The backdoor checks the integrity of the received logfile and adds any IPs that are new to its own logfile.
* Upload and execute a file. The backdoor will download a file to the computer's %temp% directory,
execute the file and then delete it.
Note that once the logfile reaches a certain size, new IP addresses are less likely to be added. This keeps the logfile from growing too large.
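An indicator sweep tying together the host and network artifacts this page gives (the two Run-key values, the dropped %windir%\services.exe and %temp%\zincite.log, and connections to TCP port 1034), as an added example that is not part of the original page. The Run-key snapshot, file listing and firewall log lines are constructed; the log line format ("timestamp src:port -> dst:port proto") and the %windir% and %temp% locations are assumptions for the sample.

```python
"""Sweep of the W32/Mydoom.O@mm and backdoor indicators listed on this page.

Added example, not code from the original page. It checks the two Run-key
values, the dropped files (%windir%\\services.exe, %windir%\\java.exe and
%temp%\\zincite.log) and connections to TCP port 1034. The Run-key snapshot,
file list and firewall log lines are constructed; the log format
("timestamp src:port -> dst:port proto") and the %windir%/%temp% locations
are assumptions for the sample.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

WINDIR = r"C:\WINDOWS"                                         # assumed for the sample
TEMP = r"C:\Documents and Settings\alice\Local Settings\Temp"   # assumed for the sample
BACKDOOR_PORT = 1034                                           # from the page

# Run-key value name -> file the page says it points at, directly under %windir%.
RUN_KEY_IOCS = {"JavaVM": "java.exe", "Services": "services.exe"}


def _same_path(a: str, b: str) -> bool:
    """Case-insensitive Windows path comparison that also works when run on a non-Windows analyst box."""
    return ntpath.normcase(a) == ntpath.normcase(b)


def check_run_keys(run_values: Dict[str, str], windir: str = WINDIR) -> List[str]:
    """Return the Run-key entries that match the worm's persistence values."""
    findings = []
    for name, filename in RUN_KEY_IOCS.items():
        data = run_values.get(name)
        if data and _same_path(data, ntpath.join(windir, filename)):
            findings.append(f"{name} = {data}")
    return findings


def check_files(paths: Iterable[str], windir: str = WINDIR, temp: str = TEMP) -> List[str]:
    """Return dropped-file paths present in a listing.

    services.exe is only an indicator directly under %windir%: the legitimate
    Service Control Manager binary lives in %windir%\\system32 and must not be flagged.
    """
    iocs = [
        ntpath.join(windir, "services.exe"),
        ntpath.join(windir, "java.exe"),
        ntpath.join(temp, "zincite.log"),
    ]
    return [p for p in paths if any(_same_path(p, ioc) for ioc in iocs)]


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def check_connections(lines: Iterable[str], port: int = BACKDOOR_PORT) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for TCP connections to the backdoor port; malformed lines are skipped.

    Only the destination port matters: 1034 also turns up as an ephemeral source port in normal traffic.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["proto"].lower() == "tcp" and int(m["dport"]) == port:
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


# Constructed inputs.
SAMPLE_RUN_VALUES = {
    "JavaVM": r"C:\WINDOWS\java.exe",
    "Services": r"C:\WINDOWS\services.exe",
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",   # unrelated, must not match
}
SAMPLE_FILES = [
    r"C:\WINDOWS\services.exe",
    r"C:\WINDOWS\system32\services.exe",                            # legitimate, must not match
    r"C:\Documents and Settings\alice\Local Settings\Temp\zincite.log",
    r"C:\WINDOWS\java.exe",
]
SAMPLE_FIREWALL_LOG = [
    "2004-07-26T10:12:03Z 10.0.0.5:3456 -> 198.51.100.7:1034 tcp",   # backdoor contacting another host
    "2004-07-26T10:12:09Z 203.0.113.9:51022 -> 10.0.0.5:1034 tcp",   # inbound connection to the backdoor
    "2004-07-26T10:12:15Z 10.0.0.5:3457 -> 198.51.100.8:25 tcp",     # ordinary SMTP, not a hit
    "2004-07-26T10:12:20Z 10.0.0.6:1034 -> 10.0.0.7:53 udp",         # 1034 as source port, not a hit
    "truncated line with no structure",
]


def sweep() -> Dict[str, object]:
    return {
        "run_keys": check_run_keys(SAMPLE_RUN_VALUES),
        "files": check_files(SAMPLE_FILES),
        "connections": check_connections(SAMPLE_FIREWALL_LOG),
    }


if __name__ == "__main__":
    for category, findings in sweep().items():
        print(category, findings)
```

The two exclusions in the sample data are the ones that matter in practice: the real services.exe under system32 carries the same file name as the backdoor, and port 1034 is an ordinary ephemeral port, so a sweep that matches on file name alone or on either port of a flow will page the on-call engineer for nothing.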