Lumension® Endpoint Intelligence Center


Overview

Threat Risk: NONE
Destructivity: HIGH
Payload: Backdoor function, denial of service, file deletion
Detection files published:
Description created: 24 Feb 2004 12:23:00
Description updated: 25 Feb 2004 01:51:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, NETWORK, OTHER
Summary: None

W32/MyDoom.F@mm

Spreading

The worm installs itself in memory and creates the mutex "jmydoat[computername]Xmtx" to avoid being loaded twice.
It copies itself to the Windows System directory under a random name. It also creates a file with a random name and a DLL extension in the Windows System directory; this is the backdoor component of the worm.
The worm creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  [random string] = [systemdir]\[random name].exe
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  [random string] = [systemdir]\[random name].exe
The worm will randomly (70% chance) display an error message when run:
"File is corrupted"
or
"File cannot be opened"
or
"Unable to open specified file"
Otherwise (30% chance), it creates a garbage file and displays it in Notepad.
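The installation behaviour described above (a Run-key value pointing at a randomly named .exe in the System directory, a randomly named DLL dropped beside it, and the "jmydoat[computername]Xmtx" mutex) gives a defender three concrete things to check on an endpoint. The following Python is an added example, not code from Lumension or from the worm. It assumes a known-clean baseline listing of the System directory is available to diff against; the Run-key entries, file names and computer name are constructed for the illustration, and in real use the listings and Run values would be read with os.listdir and winreg.

```python
"""Endpoint triage for the installation pattern described above.

Added example, not Lumension's or the worm's code. It works on constructed
inputs: a known-clean baseline listing of the System directory, the current
listing, and the Run-key values. The baseline snapshot is an assumption.
"""
import ntpath
import sys


def mydoom_mutex_name(computername):
    """Mutex name from the description: "jmydoat[computername]Xmtx"."""
    return f"jmydoat{computername}Xmtx"


def mutex_present(name):
    """Windows only: True if a mutex with this name can be opened, False if not,
    None on other platforms (the check needs the Win32 API)."""
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    kernel32.CloseHandle(handle)
    return True


def find_persistence(run_entries, system_dir, baseline, current):
    """run_entries: {Run value name: command string} merged from HKLM and HKCU.
    baseline/current: file names in system_dir before and now.
    Flags Run values whose target is a newly appeared .exe directly in the
    System directory, and newly appeared DLLs (the backdoor component)."""
    new_files = {f.lower() for f in set(current) - set(baseline)}
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    findings = []
    for value_name, command in run_entries.items():
        target = command.strip().strip('"')
        # ntpath handles Windows-style paths on any platform.
        directory, filename = ntpath.split(target)
        in_sysdir = ntpath.normcase(ntpath.normpath(directory)) == sysdir
        if in_sysdir and filename.lower().endswith(".exe") and filename.lower() in new_files:
            findings.append({"type": "run-key to new system-dir exe",
                             "value": value_name, "file": filename})
    for filename in sorted(new_files):
        if filename.endswith(".dll"):
            findings.append({"type": "new dll in system dir", "file": filename})
    return findings


# Constructed sample data; the random names imitate the description, not a real sample.
SYSTEM_DIR = r"C:\WINDOWS\System32"
BASELINE = {"kernel32.dll", "shell32.dll", "notepad.exe", "calc.exe"}
CURRENT = BASELINE | {"qhzvmkt.exe", "wxbtrpl.dll"}
RUN_ENTRIES = {
    "Bhdtwr": r"C:\WINDOWS\System32\qhzvmkt.exe",  # MyDoom.F-style entry (constructed)
    "Calc": r"C:\WINDOWS\System32\calc.exe",       # pre-existing, not flagged
}

if __name__ == "__main__":
    for finding in find_persistence(RUN_ENTRIES, SYSTEM_DIR, BASELINE, CURRENT):
        print(finding)
    name = mydoom_mutex_name("WS01")
    print("mutex", name, "present:", mutex_present(name))
```

The baseline diff is what keeps the heuristic quiet on legitimate Run entries such as the calc.exe one above: a Run value pointing into the System directory is only interesting when the target appeared after the clean snapshot. The mutex check returns None outside Windows so the rest of the triage still runs offline.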
The main spreading function is email. MyDoom.F searches several types of files for email addresses to send itself to; the file types searched are those in Wordlist 1 (WL1). The worm avoids email addresses that contain strings from Wordlists 3 and 4. The search algorithm looks in:
Windows System directory, 15 subfolders down
[WINDIR]\Temporary Internet Files, 5 subfolders down
[USERPROFILE]\Local Settings, 5 subfolders down
Local fixed and RAM drives, 15 subfolders down
Remote drives, 5 subfolders down
This traversal algorithm, while used to harvest email addresses, is also used for the destructive payload: the worm looks for, and sometimes deletes, files of the types listed in WL2.
Note: Mails may have fake FROM: addresses. "You have sent a virus" warnings from mail scanners are usually not correct.
The secondary spreading function is by local area network and P2P software. The worm copies itself as randomly named files (either .exe or .zip) to local and remote drives, into folders whose names contain the strings "start", "shar", and "startup". Folders containing "shar" are often shared folders used by Peer-to-Peer software such as Kazaa and Imesh; files placed in these folders are visible to and downloadable by other users on the P2P networks.
Wordlist 1: Filetypes searched for email addresses.
any file containing the string "inbox"
htm
sht
php
asp
dbx
tbb
adb
eml
pl
msg
vbs
mht
oft
uin
rtf
ods
mmf
nch
mbx
wab
Wordlist 2: Filetypes deleted.
mdb, 97% chance of deletion every pass
doc, 39% chance of deletion every pass
xls, 59% chance of deletion every pass
sav, 94% chance of deletion every pass
jpg, 7% chance of deletion every pass
avi, 9% chance of deletion every pass
bmp, 14% chance of deletion every pass
Wordlist 3: Avoided strings when part of email domain:
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydoma
nodoma
ruslis
.gov
gov.
.mil
foo.
suppo
essagela
nai.co
isi.e
isc.o
secur
acketst
pgp
ibm.com
google
kernel
linux
fido
usenet
sourcef
slashdot
sun.com
sgi.com
solaris
irix
iana
ietf
rfc-ed
sendmail
arin.
ripe.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
tanford.e
utgers.ed
mozilla
Wordlist 4: Avoided strings when part of email address:
root
info
samples
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
spm
spam
www
secur
abus
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
contact
master
Wordlist 5: Possible email subject fields
none
test
hi
hello
Returned mail
Confirmation required
Confirmation
registration confirmation
please reply
please read
read this message
readme
Important
Your account has expired
Expired account
notification
automatic responder
automatic notification
you have 1 day left
warning
information
for your information
for you
something for you
read it immediately
read this
read it immediately!
your credit card
schedule
accident
attention
stolen
news
recent news
wanted
fake
unknown
bug
forget
read now!
current status
your request is being processed
your order is being processed
your request was registered
your order was registered
re:
undeliverable message
love is...
love is
your account is about to be expired
your IP was logged
you use illegal file sharing...
thank you very very much
hi, it’s me
approved
re: approved
details
re: details
thank you
re: thank you
announcement
Wordlist 6: Possible email text.
"test"
"Details are in the attached document. You need Microsoft Office to open it."
"See the attached file for details"
"Please see the attached file for details"
"The document was sent in compressed format."
"Check the attached document."
"Everything ok?"
"OK"
"Okay"
"I’m waiting"
"Read the details."
"Here is the document."
"You are bad"
"Take it"
"Reply"
"Please, reply"
"Information about you"
"Greetings"
"See you"
"Here it is"
"We have received this document from your e-mail."
"Kill the writer of this document!"
"Something about you"
"I have your password :)"
"You are a bad writer"
"Is that yours?"
"Is that from you?"
"I wait for your reply."
Wordlist 7: Possible file names used for mail attachments
msg
doc
document
readme
text
file
data
test
message
body
details
creditcard
attachment
stuff
me
post
posting
textfile
info
information
note
notes
product
bill
check
ps
money
about
story
mail
list
joke
jokes
friend
site
website
object
mail2
part1
part4
part2
part3
misc
disc
paypal
approved
details
your_document
image
resume
photo
Wordlist 8: Possible last file extensions for mail attachments. (There may be double extensions)
cmd
bat
pif
com
scr
exe
zip
Note: When the attachment is a zip file, the file inside commonly has a double extension, and an attempt is made to hide the last extension by inserting a large number of spaces before it in the file name.
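Wordlists 5, 7 and 8 together with the note on space-padded double extensions describe the lure in enough detail to write a mail-gateway triage rule. The following Python is an added example, not Lumension's text and not the worm's code: it scores a message on lure subject, lure base name, executable final extension, double extension and whitespace padding, and looks inside a zip's member names as well. The subject and base-name subsets are taken from the wordlists above; the sample messages, the 'contains' field that stands in for a zip listing, and the quarantine threshold of 3 are assumptions constructed for the illustration.

```python
"""Mail-gateway triage for the MyDoom.F lure patterns listed above.

Added example (not Lumension's text and not the worm's code). Subject and
base-name subsets come from Wordlists 5 and 7, extensions from Wordlist 8;
sample messages, the 'contains' field standing in for a zip listing, and the
quarantine threshold are constructed for this illustration.
"""
import re

# Lower-cased subject lines from Wordlist 5 (representative subset).
LURE_SUBJECTS = {
    "test", "hi", "hello", "returned mail", "confirmation", "readme",
    "important", "your account has expired", "undeliverable message",
    "your ip was logged", "re: approved", "re: details", "re: thank you",
}
# Attachment base names from Wordlist 7 (subset) and executable extensions from Wordlist 8.
LURE_BASENAMES = {"msg", "doc", "document", "readme", "text", "file", "data",
                  "message", "body", "details", "creditcard", "paypal", "photo"}
EXEC_EXTENSIONS = {"cmd", "bat", "pif", "com", "scr", "exe"}

# Two or more spaces directly before the final ".ext": the padding trick from the note above.
PADDED_EXT = re.compile(r"\s{2,}\.\w+$")


def analyze_attachment(name):
    """Return the list of findings for one attachment file name (inside or outside a zip)."""
    findings = []
    if PADDED_EXT.search(name):
        findings.append("whitespace-padded extension")
    # Remove whitespace that precedes a dot so 'document.doc      .exe' -> 'document.doc.exe';
    # spaces inside a stem such as 'budget 2004.xls' are left alone.
    cleaned = re.sub(r"\s+(?=\.)", "", name).strip()
    parts = cleaned.lower().split(".")
    stem, exts = parts[0], parts[1:]
    if len(exts) >= 2:
        findings.append("double extension")
    if exts and exts[-1] in EXEC_EXTENSIONS:
        findings.append("executable extension")
    if stem in LURE_BASENAMES:
        findings.append("lure base name")
    return findings


def score_message(msg):
    """msg: {'subject': str, 'attachments': [{'name': str, 'contains': [str]}]}.
    Returns (score, findings); every finding counts one point."""
    findings = []
    if msg.get("subject", "").strip().lower() in LURE_SUBJECTS:
        findings.append("lure subject")
    for att in msg.get("attachments", []):
        # 'contains' models the member names of a zip attachment (constructed field).
        for name in [att["name"], *att.get("contains", [])]:
            for finding in analyze_attachment(name):
                findings.append(f"{name!r}: {finding}")
    return len(findings), findings


def verdict(msg, threshold=3):
    """Threshold of 3 is an assumption chosen so a lure subject alone does not quarantine."""
    score, _ = score_message(msg)
    return "quarantine" if score >= threshold else "deliver"


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    {"subject": "Returned mail",
     "attachments": [{"name": "message.zip",
                      "contains": ["document.doc                              .exe"]}]},
    {"subject": "hi", "attachments": [{"name": "readme.pif"}]},
    {"subject": "Q3 budget review", "attachments": [{"name": "budget 2004.xls"}]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, findings = score_message(msg)
        print(f"{verdict(msg):10} score={score} subject={msg['subject']!r}")
        for finding in findings:
            print("   ", finding)
```

The padding check is deliberately separate from the double-extension check: a name such as "document.doc  .exe" triggers both, while a plain "readme.pif" only triggers the executable-extension and lure-base-name rules. Whitespace is stripped only where it precedes a dot, so a legitimate name with a space in its stem ("budget 2004.xls") is not mangled into a false positive.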

Payload Details

Depending on a date trigger (between the 17th and 22nd of any month), the worm performs a denial-of-service attack against www.microsoft.com or www.riaa.com.
When this triggers, the worm checks every minute whether it is connected to the Internet. If it is, attack threads that perform web accesses are initiated against www.microsoft.com (68% chance) or against www.riaa.com (32% chance).
The worm's file deletion is performed as part of its address search algorithm: while looking for email addresses, the worm randomly deletes files of the types listed in WL2.
The installed DLL backdoor listens on port 1080.
The worm also enumerates and shuts down a number of processes.

Analysis

n/a

Removal

This worm was proactively detected using the Lumension Sandbox technology.


Last Updated: 12 Nov 2015 11:06:11