W32/Mydoom.O@mm creates the following entry in the Windows registry to ensure execution upon each Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %windir%\java.exe
The backdoor, in turn, creates the following entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %windir%\services.exe
E-mails sent by the W32/Mydoom.O@mm have the following characteristics:
The "From:" address is spoofed: the real sender address is replaced by a randomly chosen address the worm previously harvested.
The "Subject:" is created using any of the following strings:
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
W32/Mydoom.O@mm will avoid sending itself to addresses containing any of the following strings:
The attachment extension can be any of the following:
.scr, .bat, .com, .zip, .exe, .pif, .cmd
In some cases the attachment will be double-zipped.
The worm chooses from a few technical-sounding messages for its e-mail body. The body
can also be blank or a random jumble of data. A typical message sent by the worm looks like the following:
Dear user of [domain],
Your email account has been used to send a huge amount of junk e-mail messages during the last week.
We suspect that your computer had been infected and now contains a trojaned proxy server.
We recommend you to follow the instruction in order to keep your computer safe.
Have a nice day,
The message was undeliverable due to the following reason:
Your message could not be delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within days:
Mail server is not responding.
The original message was included as attachment
Your message could not be delivered
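As an added detection example (not part of the original description), the following Python mail-gateway check scores an inbound message against the subject lines and attachment extensions listed above and unpacks nested zip attachments so that the double-zipped case is caught as well. The sample attachment is constructed in memory from placeholder bytes; the function and variable names are this example's own.

```python
import io
import os
import zipfile

# Subject lines the description lists for W32/Mydoom.O@mm mails.
MYDOOM_SUBJECTS = {
    "Message could not be delivered",
    "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details",
    "Returned mail: Data format error",
}

# Attachment extensions the description lists.
RISKY_EXTENSIONS = {".scr", ".bat", ".com", ".zip", ".exe", ".pif", ".cmd"}


def nested_risky_names(zip_bytes, depth=0, max_depth=3):
    """Names of files with a risky extension found inside a zip attachment.
    Recurses into zips nested in the zip (the worm sometimes double-zips),
    but only up to max_depth so malformed input cannot drive unbounded
    recursion. Non-zip or corrupt data yields an empty list."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                ext = os.path.splitext(info.filename)[1].lower()
                if ext == ".zip" and depth < max_depth:
                    found.extend(nested_risky_names(zf.read(info), depth + 1, max_depth))
                elif ext in RISKY_EXTENSIONS:
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return found


def score_message(subject, attachments):
    """attachments: list of (filename, raw bytes). Returns the list of
    reasons the message matches the worm's profile; empty means no match."""
    reasons = []
    if subject.strip() in MYDOOM_SUBJECTS:
        reasons.append("subject matches a Mydoom.O bounce template")
    for name, data in attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment extension {ext}: {name}")
        if ext == ".zip":
            inner = nested_risky_names(data)
            if inner:
                reasons.append(f"executable inside zip {name}: {inner}")
    return reasons


def build_double_zipped_sample():
    """Constructed sample: a zip holding a zip holding a file named
    message.exe whose content is placeholder text, not a real executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("message.exe", b"placeholder bytes, constructed for the example")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("message.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = [("report.zip", build_double_zipped_sample())]
    for reason in score_message("Returned mail: Data format error", sample):
        print(reason)
```

The subject match alone is weak evidence, since the templates mimic genuine bounce messages; the combination of a matching subject with an executable inside a (possibly nested) zip is what a gateway rule should act on.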
When active, the worm will search and attempt to close certain windows (that belong to the Outlook program) with the following names:
The backdoor component:
On execution W32/Mydoom.O@mm drops two files: the backdoor %windir%\services.exe (detected as W32/Mydoom.O) and a
logfile named "zincite.log" in the user's %temp% directory.
The logfile is encrypted and contains a list of IP addresses of other W32/Mydoom.O compromised hosts. When
the backdoor is executed, it will read the logfile and decode it into memory and later append the IP on the infected
system to the logfile.
The backdoor will regularly try to connect to the IP addresses and, if it is successful, the
connected IP will be marked in the logfile as still being compromised by W32/Mydoom.O. That way the backdoor
constantly keeps the logfile updated for W32/Mydoom.O@mm to spread.
The backdoor listens on TCP port 1034 for incoming connections. It supports four commands that an
unauthorized user can execute:
* The "phone home" command. This command is initiated by other W32/Mydoom.O compromised hosts.
When the backdoor receives this command, it will send the client an up-to-date list of 128 IP
addresses in encrypted form and then adds the IP of the client to its logfile. When the client
receives the list, it will decode it and add the IPs (if they are new) to its logfile.
* Send logfile. The backdoor will send the complete logfile to the client. This command differs
from the "phone home" command as the whole logfile will be sent and the client's IP will not
be added to the backdoor's logfile.
* Receive logfile. The backdoor will check the integrity of the logfile and add the IPs
to its logfile if they are new.
* Upload and execute a file. The backdoor will download a file to the computer's %temp% directory,
execute the file and then delete it.
Note: once the logfile reaches a certain size, new IP addresses are less likely to be added to it. This is to ensure
that the logfile does not grow too big.
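As an added host-triage example (not part of the original description), the following Python script checks the three host-side indicators the description gives: the two Run-key persistence entries, the backdoor's TCP port 1034 listener, and the zincite.log file in %temp%. The registry rows, netstat output and %temp% listing are constructed samples; the function names are this example's own. The "peer" classification is an inference from the description: since other compromised hosts connect to port 1034 to "phone home", an infected host contacting its peers shows the same remote port.

```python
# Indicators taken from the description of W32/Mydoom.O@mm.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_VALUES = {
    "JavaVM": r"%windir%\java.exe",        # the worm itself
    "Services": r"%windir%\services.exe",  # the dropped backdoor
}
BACKDOOR_PORT = 1034
LOGFILE_NAME = "zincite.log"


def normalize_path(path, windir):
    """Expand %windir%, drop surrounding quotes and fold case so two
    spellings of the same path compare equal."""
    return path.strip('"').replace("%windir%", windir).lower()


def check_run_entries(entries, windir=r"C:\WINDOWS"):
    """entries: iterable of (key, value_name, data) rows as exported from the
    registry. Returns the rows matching the description's persistence entries.
    The full path is compared rather than just the file name: the legitimate
    services.exe lives in the system32 folder, the worm's copy directly under
    %windir%, so a name-only match would produce false positives."""
    hits = []
    for key, name, data in entries:
        expected = KNOWN_RUN_VALUES.get(name)
        if key.lower() == RUN_KEY.lower() and expected is not None:
            if normalize_path(data, windir) == normalize_path(expected, windir):
                hits.append((name, data))
    return hits


def backdoor_sockets(netstat_text):
    """Parse netstat -ano style lines and return (kind, pid) tuples:
    'listener' for a local TCP port 1034 in LISTENING state, 'peer' for a
    connection whose remote port is 1034 (inferred, see lead-in)."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue  # header line or non-TCP row
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote_port = int(parts[2].rsplit(":", 1)[1])
        pid = int(parts[4])
        if parts[3] == "LISTENING" and local_port == BACKDOOR_PORT:
            found.append(("listener", pid))
        elif remote_port == BACKDOOR_PORT:
            found.append(("peer", pid))
    return found


def temp_logfile_present(temp_listing):
    """True if the encrypted peer list the backdoor keeps is in %temp%."""
    return any(name.lower() == LOGFILE_NAME for name in temp_listing)


def triage(entries, netstat_text, temp_listing, windir=r"C:\WINDOWS"):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for name, data in check_run_entries(entries, windir):
        findings.append(f"persistence: Run value {name} = {data}")
    for kind, pid in backdoor_sockets(netstat_text):
        findings.append(f"network: {kind} on TCP {BACKDOOR_PORT}, pid {pid}")
    if temp_logfile_present(temp_listing):
        findings.append(f"artifact: {LOGFILE_NAME} present in %temp%")
    return findings


# Constructed samples for a hypothetical infected host.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "JavaVM", r"C:\WINDOWS\java.exe"),
    (RUN_KEY, "Services", r"%windir%\services.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:1038       10.0.0.7:1034          SYN_SENT        1532
"""
SAMPLE_TEMP = ["~DF3A1.tmp", "zincite.log", "wct1.tmp"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_ENTRIES, SAMPLE_NETSTAT, SAMPLE_TEMP):
        print(finding)
```

On a real host the three inputs would come from a registry export of the Run key, `netstat -ano`, and a directory listing of %temp%; the parsing above assumes the column layout of the constructed netstat sample.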