Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Denial-of-service attack / backdoor functionality
Detection files published 26 Jan 2004 03:00:00
Description created 26 Jan 2004 02:39:00
Description updated 27 Jan 2004 07:22:00
Malware type WORM
Alias Novarg.A
Shimg.A
Mimail.R
Spreading mechanism EMAIL
Summary None

W32/MyDoom.A@mm

Spreading

The worm installs itself in memory and creates the mutex "SwebSipcSmtxS0" to avoid being loaded twice.
It copies itself to the Windows System directory under the name TASKMON.EXE. The original, if any, is deleted.
The worm creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
The worm then checks the registry value HKCU\Software\Kazaa\Transfer DlDir0 for the presence of a Kazaa peer-to-peer default download directory. If found, it copies itself to this directory as well.
The main spreading mechanism is email. MyDoom searches through several types of files for email addresses to send itself to.
A file called SHIMGAPI.DLL is also installed to the Windows System directory. The installed DLL inserts the following registry key:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll
This has the effect that the DLL is loaded along with the operating system at startup.
When the worm executes, it will usually display some garbage data via Notepad.
The worm will stop spreading on February 12th 2004. However, it will retain the backdoor functionality.
Wordlist 1: Filenames used when creating files in Kazaa directories
winamp5
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
Wordlist 2: Extensions used when creating files in Kazaa directories
*.bat
*.exe
*.scr
*.pif
Wordlist 3: Possible email subject fields
random letters
"Error"
"Status"
"Server report"
"Mail Transaction Failed"
"Mail Delivery System"
"Hello"
"Hi"
Wordlist 4: Possible email text
no body text
random garbage text
"Mail transaction failed. Partial message is available."
"The message contains Unicode characters and has been sent as a binary attachment."
"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
"test"
Wordlist 5: Possible file names used for mail attachments
Random letter combination
"Message"
"Doc"
"Test"
"Body"
"Data"
"File"
"Text"
"Readme"
"Document"
Wordlist 6: Possible file extensions for mail attachments
zip
bat
cmd
exe
scr
pif

Note:

When the attachment comes as a zip file, the file inside commonly has a double extension, and an attempt is made to hide the last extension by inserting a large number of spaces into the name before it.
Wordlist 7: File types searched for email addresses
wab
pl
adb
tbb
dbx
asp
php
sht
htm
txt
Wordlist 8: Names used for guessing addresses
sandra
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
alice
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
alex
john
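As an added example, not part of the original description, the following Python flags incoming mail that matches the lure characteristics in wordlists 3 to 6 and the note on padded double extensions above. The message representation, the sample messages and the function names are constructed for illustration and stand in for whatever mail-gateway hook is in use; random-letter subjects and attachment names cannot be matched by a wordlist and are left to other controls.

```python
import re

# Lure indicators from wordlists 3 to 6 above, lower-cased for comparison.
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODY_TEXTS = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "test",
}
ATTACHMENT_NAMES = {"message", "doc", "test", "body", "data", "file",
                    "text", "readme", "document"}
ATTACHMENT_EXTS = {"zip", "bat", "cmd", "exe", "scr", "pif"}
EXECUTABLE_EXTS = ATTACHMENT_EXTS - {"zip"}

# The trick from the note: "document.txt<many spaces>.exe", a harmless-looking
# extension, a run of spaces, then the real executable extension at the end.
PADDED_DOUBLE_EXT = re.compile(r"^(?P<base>\S.*?\.\w{1,4})\s{2,}\.(?P<ext>\w{2,4})$")


def inspect_filename(filename):
    """Return a list of findings for one file name (an attachment or a zip member)."""
    findings = []
    first_part = filename.split(".", 1)[0].strip().lower()
    ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    padded = PADDED_DOUBLE_EXT.match(filename)
    if padded and padded.group("ext").lower() in EXECUTABLE_EXTS:
        findings.append("padded double extension hiding ." + padded.group("ext").lower())
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension ." + ext)
    if first_part in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS:
        findings.append("name and extension from wordlists 5/6")
    return findings


def inspect_message(subject, body, attachments):
    """attachments: list of (filename, members); members lists the file names
    inside a zip attachment and is empty for a plain file.
    Returns {"indicators": [...], "suspicious": bool}."""
    indicators = []
    lure = False
    if subject.strip().lower() in SUBJECTS:
        indicators.append("subject from wordlist 3: " + subject.strip())
        lure = True
    norm_body = " ".join(body.split()).lower()
    if norm_body == "":
        indicators.append("empty body (wordlist 4: no body text)")
        lure = True
    elif norm_body in BODY_TEXTS:
        indicators.append("body text from wordlist 4")
        lure = True
    dangerous = False
    for name, members in attachments:
        for label, fname in [("attachment", name)] + [("zip member", m) for m in members]:
            for finding in inspect_filename(fname):
                indicators.append(f"{label} {fname.strip()!r}: {finding}")
                if finding.startswith(("executable", "padded")):
                    dangerous = True
    # Verdict: a lure from the wordlists combined with an executable payload.
    return {"indicators": indicators, "suspicious": lure and dangerous}


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Mail Transaction Failed",
     "body": "Mail transaction failed. Partial message is available.",
     "attachments": [("message.zip", ["document.txt" + " " * 40 + ".exe"])]},
    {"subject": "Hello", "body": "", "attachments": [("readme.pif", [])]},
    {"subject": "Q3 budget", "body": "Please review the attached sheet.",
     "attachments": [("budget.xlsx", [])]},
]


def triage(messages=None):
    """Return the suspicious verdict for each message, in order."""
    return [inspect_message(**m)["suspicious"] for m in (messages or SAMPLE_MESSAGES)]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, triage()):
        print(verdict, inspect_message(**m)["indicators"])
```

The verdict deliberately requires both a wordlist lure and an executable (or padded double-extension) attachment, so a legitimate bounce with a subject like "Error" and no payload is not flagged on the subject alone.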

Payload Details

Depending on a date trigger (between 1 February 2004 and 12 February 2004), the worm performs a denial-of-service attack against www.sco.com. Once triggered, it checks every 8 seconds whether it is connected to the Internet. If it is, and www.sco.com can be found, threads issuing a never-ending series of HTTP GET requests are directed at the site.
The installed SHIMGAPI.DLL listens on ports 3127-3198. Its full functionality has not yet been uncovered, but it appears to allow an attacker to upload and execute a file.
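As an added example, not part of this description, the following Python checks a host snapshot against the artifacts listed under Spreading and Payload Details: the ComDlg32\Version marker keys, the Taskmon Run value, the SHIMGAPI.DLL CLSID registration, the mutex, the two dropped files, copies in the Kazaa download directory and a listener in the 3127-3198 range. The snapshot dictionary, the sample data, the function names and the system directory path C:\WINDOWS\SYSTEM32 (standing in for the page's [SYSTEM] placeholder) are assumptions that replace whatever collection tooling is actually used.

```python
# Registry keys, file names, mutex and port range as given in the description.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
)
CLSID_KEY = r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32"
KAZAA_KEY = r"HKCU\Software\Kazaa\Transfer"
MUTEX_NAME = "SwebSipcSmtxS0"
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORTS = range(3127, 3199)          # 3127-3198 inclusive
KAZAA_NAMES = {"winamp5", "nuke2004", "office_crack", "rootkitxp",
               "strip-girl-2.0bdcom_patches"}
KAZAA_EXTS = {"bat", "exe", "scr", "pif"}

# Assumption: the page writes the system directory as [SYSTEM]; a typical value is used.
DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\SYSTEM32"


def _under(path, directory):
    """True if path lies inside directory (case-insensitive, Windows separators)."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def check_host(snapshot, system_dir=DEFAULT_SYSTEM_DIR):
    """Match a host snapshot against the MyDoom.A indicators.

    snapshot is a plain dict produced by your own collection tooling (assumed shape):
      registry: {key: {value_name: data}}, with the default value under name ""
      mutexes:  names of named mutexes present on the host
      files:    full paths of files on disk
      listening_ports: TCP ports with a listener
    Returns a list of (category, detail) tuples.
    """
    hits = []
    reg = snapshot.get("registry", {})

    for key in RUN_KEYS:
        data = reg.get(key, {}).get("Taskmon", "")
        if data.lower().endswith("taskmon.exe"):
            hits.append(("run", f"{key}\\Taskmon = {data}"))
    for key in MARKER_KEYS:
        if key in reg:
            hits.append(("marker", key))
    if reg.get(CLSID_KEY, {}).get("", "").lower().endswith("shimgapi.dll"):
        hits.append(("clsid", f"{CLSID_KEY} = shimgapi.dll"))
    if MUTEX_NAME in snapshot.get("mutexes", ()):
        hits.append(("mutex", MUTEX_NAME))

    kazaa_dir = reg.get(KAZAA_KEY, {}).get("DlDir0")
    for path in snapshot.get("files", ()):
        name = path.rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        if _under(path, system_dir) and name in DROPPED_FILES:
            hits.append(("sysfile", path))
        elif kazaa_dir and _under(path, kazaa_dir) and stem in KAZAA_NAMES and ext in KAZAA_EXTS:
            hits.append(("kazaa", path))

    for port in snapshot.get("listening_ports", ()):
        if port in BACKDOOR_PORTS:
            hits.append(("port", f"listener on tcp/{port}"))
    return hits


def likely_infected(snapshot, system_dir=DEFAULT_SYSTEM_DIR):
    """Require two independent indicator categories: a TASKMON.EXE in the system
    directory on its own is weak evidence, since the description notes that an
    original file of that name may already exist there."""
    categories = {cat for cat, _ in check_host(snapshot, system_dir)}
    return len(categories) >= 2


# Constructed sample snapshot of an infected host (not real collected data).
SAMPLE_SNAPSHOT = {
    "registry": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
            {"Taskmon": r"C:\WINDOWS\SYSTEM32\taskmon.exe"},
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version": {},
        r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32":
            {"": "shimgapi.dll"},
        r"HKCU\Software\Kazaa\Transfer":
            {"DlDir0": r"C:\Program Files\Kazaa\My Shared Folder"},
    },
    "mutexes": {"SwebSipcSmtxS0", "Local\\UnrelatedAppMutex"},
    "files": [
        r"C:\WINDOWS\SYSTEM32\taskmon.exe",
        r"C:\WINDOWS\SYSTEM32\shimgapi.dll",
        r"C:\Program Files\Kazaa\My Shared Folder\rootkitXP.scr",
        r"C:\Program Files\Kazaa\My Shared Folder\holiday.mp3",
    ],
    "listening_ports": [135, 445, 3127],
}

if __name__ == "__main__":
    for category, detail in check_host(SAMPLE_SNAPSHOT):
        print(f"[{category}] {detail}")
    print("likely infected:", likely_infected(SAMPLE_SNAPSHOT))
```

Each category is independent evidence; the Run value, the marker keys and the CLSID registration survive a reboot, while the mutex and the listening port are only visible while the worm is resident, so a snapshot taken from a live host should include all four sources.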

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15