Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity NONE
Payload
Detection files published 15 Aug 2004 03:00:00
Description created 16 Aug 2004 12:42:00
Description updated 16 Aug 2004 12:42:00
Malware type WORM
Alias Win32.Mydoom.S [Computer Associates]
W32/Mydoom.R@mm [F-secure]
W32/Mydoom.s@MM [McAfee]
W32/Mydoom.R.worm [Panda]
W32/MyDoom-S [Sophos]
W32.Mydoom.Q@mm [Symantec]
WORM_RATOS.A [Trend Micro]
Spreading mechanism EMAIL
Summary None

W32/MyDoom.M@mm

Spreading

n/a

Payload Details

n/a

Analysis

The following is a portion of the instant analysis done by the Lumension Sandbox Technology:

[ General information ]
* Creating several executable files on hard-drive.
* File length: 27136 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\rasor38a.dll.
* Creates file C:\WINDOWS\SYSTEM\winpsd.exe.
* Deletes file C:\WINDOWS\SYSTEM\winpsd.exe.
* Creates file C:\WINDOWS\winvpn32.exe.

[ Changes to registry ]
* Reads SMTP Email Address in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version".
* Creates value "winpsd"="C:\WINDOWS\SYSTEM\winpsd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "InstaledFlashhMX"="" in key "HKCU\Software\Microsoft\Internet Explorer".

[ Network services ]
* Looks for an Internet connection.
* Connects to "CONFIGURED_DNS" on port 53 (UDP).
* Downloads file from [webserver]/ispy.1.jpg as C:\WINDOWS\winvpn32.exe.
* Connects to POP3 server on port 25 (TCP).
* **Connects SMTP server.

[ Network ]
* **Uses IPHLPAPI services.

[ Spreading through EMail ]
* To : [Harvested addresses]
* From : [SMTP address found in registry].
* Subject: photos.
* Mass-mailer; spreads through SMTP.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attempts to open C:\WINDOWS\winvpn32.exe.

Removal

The worm was detected proactively by Lumension Sandbox as W32/EMailWorm.


Last Updated: 12 Nov 2015 11:06:11