Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity MEDIUM
Payload
Detection files published
Description created 26 Jul 2004 08:19:00
Description updated 26 Jul 2004 08:19:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/MyDoom.L@mm

Spreading

MyDoom.L starts by copying itself to the following locations:

%WINDIR%\services.exe
%TEMP%\services.exe
%WINDIR%\java.exe

It may also create the following files during execution:

%TEMP%\zincite.log
%TEMP%\tmp0009.TMP
%TEMP%\tmp9000.TMP

The worm then creates two registry values to ensure it is started with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM = C:\WINDOWS\java.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services = C:\WINDOWS\services.exe

MyDoom.L may also create the following registry keys, which are used as infection markers:

HKLM\Software\Microsoft\Daemon
HKCU\Software\Microsoft\Daemon

The worm then harvests email addresses from files with these extensions:

.doc .txt .htm .html

The worm will avoid email addresses containing any of these strings:

mailer-d, spam, abuse, master, sample, accoun, privacy, certific, bugs, listserv, submit, ntivi, support, admin, page, the.bat, gold-certs, feste, not, help, foo, soft, site, rating, you, your, someone, anyone, nothing, nobody, noone, info, winrar, winzip, rarsoft, sf.net, sourceforge, ripe., arin., google, gnu., gmail, seclist, secur, bar.foo.com, trend, update, uslis, domain, example, sophos, yahoo, spersk, panda, hotmail, msn., msdn., microsoft, sarc., syma, avp

Once MyDoom has harvested addresses it will start its mass mailing routine. Mails may have the following characteristics:

From

"Postmaster"
"Mail Administrator"
"Automatic Email Delivery Software"
"Post Office"
"The Post Office"
"Bounced mail"
"Returned mail"
"MAILER-DAEMON"
"Mail Delivery Subsystem"

Subject

hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

Body

The body is created using portions of the following template:

{{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}

{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:
Please reply to postmaster@{$F|$T} if you feel this message to be in error.
The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}

Attachment

Attachments are constructed using the following filenames:

readme, instruction, transcript, mail, letter, file, text, attachment, document, message, postmaster

and may have the following extension:

.cmd .bat .com .exe .pif .scr
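Mail-gateway triage logic built from the From, Subject and attachment lists above, as an added Python example (not Lumension code); the sample message, addresses and the placeholder attachment body are constructed.

```python
import email
import email.utils
from email import policy

# Indicator lists transcribed from the description above.
SENDERS = {"Postmaster", "Mail Administrator", "Automatic Email Delivery Software",
           "Post Office", "The Post Office", "Bounced mail", "Returned mail",
           "MAILER-DAEMON", "Mail Delivery Subsystem"}
SUBJECTS = {"hello", "error", "status", "test", "report", "delivery failed",
            "message could not be delivered", "mail system error - returned mail",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details",
            "returned mail: data format error"}
STEMS = {"readme", "instruction", "transcript", "mail", "letter", "file", "text",
         "attachment", "document", "message", "postmaster"}
EXTS = {".cmd", ".bat", ".com", ".exe", ".pif", ".scr"}

def triage(raw: bytes) -> list:
    """Return the MyDoom.L lure traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    display_name, _addr = email.utils.parseaddr(msg.get("From", ""))
    if display_name in SENDERS:                      # forged bounce sender
        hits.append("sender display name: " + display_name)
    subject = msg.get("Subject", "").strip()
    if subject.lower() in SUBJECTS:                  # bounce-style subject
        hits.append("subject: " + subject)
    for part in msg.iter_attachments():              # lure name + executable ext
        filename = (part.get_filename() or "").lower()
        stem, _dot, ext = filename.rpartition(".")
        if stem in STEMS and "." + ext in EXTS:
            hits.append("attachment: " + filename)
    return hits

# Constructed sample lure (the attachment body is placeholder text, not a binary).
LURE = b"""From: "Mail Delivery Subsystem" <postmaster@example.com>
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was received at Mon, 26 Jul 2004 08:19:00 from [192.0.2.1]
--b1
Content-Type: application/octet-stream; name="transcript.scr"
Content-Disposition: attachment; filename="transcript.scr"

placeholder-payload
--b1--
"""
```

A message that matches all three traits (sender name, subject and a lure-named executable attachment) fits the full pattern described above; a single hit is worth a closer look rather than an automatic block.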

Payload Details

W32/MyDoom.L@mm will drop a backdoor component in the %WINDOWS% folder called services.exe. This opens port 1034 on the infected machine.

Analysis

n/a

Removal

W32/MyDoom.L@mm is detected and removed with definition files later than 26-July-2004. The worm was also detected proactively as W32/EMailWorm by Lumension Sandbox.


Last Updated: 12 Nov 2015 11:06:15