Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published:
Description created: 16 Jan 2005 11:09:00
Description updated: 16 Jan 2005 11:09:00
Malware type: WORM
Alias: Win32.Mydoom.ae, W32/MyDoom-AA, W32.Mydoom.AI@mm, W32/Mydoom.ap@MM, I-Worm.Mydoom.AE
Spreading mechanism: EMAIL, OTHER
Summary: None

W32/MyDoom.AH@mm

Spreading

When MyDoom.AH is run it copies itself to the %SYSTEM% directory as "lsasrv.exe". It will also create the following files in the %SYSTEM% directory:

version.ini (5 byte text file)
hserv.sys (100 byte binary file)

The worm will also create a file in the %TEMP% directory called "Mes#wtelw", which it opens using notepad.

Next, the worm ensures it is started each time Windows loads by creating the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass = %SYSTEM%\lsasrv.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe %SYSTEM%\lsasrv.exe

The worm then attempts to create a mutex named "-=RTSW.Smash=-", and will take no further action if the mutex already exists.

MyDoom.AH then modifies the hosts file to prevent access to anti-virus related websites. The following entries are appended to the file:

127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com

Next the worm attempts to locate any of the following P2P/filesharing programs:

Kazaa
Morpheus
iMesh
eDonkey
LimeWire

If the worm is successful in locating any of the programs it will copy itself to the P2P share directory using one of these filenames:

icq2004-final
activation_crack
K-LiteCodecPack2.34a
dcom_patches
adultpasswds
winxp_patch
Ad-awareref01R349
avpprokey
NeroBROM6.3.1.27
Porno

with one of these extensions:

.exe .scr .pif .pif .cmd

The worm then harvests email addresses from the Windows Address Book, and from files with the following extensions:

.adb .tbb .dbx .asp .edm .vbs .wml .jst .tpl .con .vbp .csp .asm .asc .dwt .lbi .rdf .rss .xst .xsd .dlt .xml .jsp .inc .ssi .stm .xht .htc .hta .cgi .php .sht .htm

The worm avoids mail addresses where the domain name contains any of these strings:

info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating site contact soft no somebody privacy service help not submit feste ca gold-certs the.bat page icrosoft support ntivi unix bsd linux listserv certific google accoun

Then, the worm uses its own SMTP engine to send mails to the harvested addresses. The mails have the following characteristics:

Subject

Error
Status
Server
Mail Transaction Failed
Attention!!!
Mail Delivery System
Hello
Do not reply to this email

Body

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
® 2004 Networks Associates Technology, Inc. All Rights Reserved

New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
Thank you,
The World Bank Group
® 2004 The World Bank Group, All Rights Reserved

Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment file.
It's a real good choise to go to WORLDXXXPASS.COM

Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center

Here is your documents you are requested.

Attachment

The filename of the attachment is either:

body
message
docs
data
file
rules
doc
readme
document

With one of the following extensions:

.exe .scr .pif .cmd .zip
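
A triage check for the registry persistence and hosts file changes described in this section, as an added example that is not part of the original description: it parses hosts file text and autostart values exported from a machine and reports matches. The function names and sample input are constructed for illustration; the domain list is taken from the hosts entries on this page.

```python
import re

# Base domains taken from the hosts entries listed on this page.
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "grisoft.com",
)
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)$")

def sinkholed_vendor_hosts(hosts_text):
    """Return vendor hostnames that the hosts file maps to a loopback address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not LOOPBACK.match(fields[0]):
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            # Match the domain itself or any subdomain, never a bare substring.
            if any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append(name)
    return hits

def suspicious_autostart(run_values, winlogon_shell):
    """Flag autostart values matching the persistence described on this page."""
    findings = []
    for name, cmd in run_values.items():
        if "\\lsasrv.exe" in cmd.lower():
            findings.append(f"Run\\{name} -> {cmd}")
    # The stock Winlogon Shell value is just "explorer.exe"; extra programs
    # appended to it are started at every logon.
    if winlogon_shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell -> {winlogon_shell}")
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com  # appended line
10.0.0.5 intranet.example
"""
SAMPLE_RUN = {"lsass": r"C:\WINDOWS\system32\lsasrv.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_SHELL = r"explorer.exe C:\WINDOWS\system32\lsasrv.exe"
if __name__ == "__main__":
    print(sinkholed_vendor_hosts(SAMPLE_HOSTS))
    print(suspicious_autostart(SAMPLE_RUN, SAMPLE_SHELL))
```

Matching on whole domain labels keeps unrelated names that merely end in the same letters, such as a host ending in "ca.com", out of the results.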

Payload Details

MyDoom.AH will attempt to stop certain malware and security software by terminating processes with any of these names:

msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
outpost.exe
wincfg32.exe
taskmon.exe
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

Analysis

n/a

Removal

The worm was detected proactively as W32/P2PWorm by Lumension SandBox.


Last Updated: 12 Nov 2015 11:06:15