Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity MEDIUM
Payload Installs backdoor trojan.
Detection files published
Description created 16 Feb 2005 11:24:00
Description updated 16 Feb 2005 11:24:00
Malware type WORM
Alias W32.Mydoom.AX@mm (Symantec); WORM_MYDOOM.BB (Trend); W32/Mydoom.bb@MM (Mcafee); Email-Worm.Win32.Mydoom.m (Kaspersky)
Spreading mechanism EMAIL
Summary None

W32/MyDoom.AQ@mm

Spreading

When the worm is first executed, it copies itself to the Windows folder using the name JAVA.EXE. In addition it extracts and installs a trojan with the filename SERVICES.EXE in the same folder. Keys are created in the registry to make sure both files are started at bootup.
It then gathers email addresses and sends mails to them with itself as the attachment.

File system changes:

Creates file \JAVA.EXE
Creates file \SERVICES.EXE

Registry changes:

Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM = \JAVA.EXE
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services = \SERVICES.EXE
Creates key HKCU\Software\Microsoft\Windows\Daemon
Creates key HKLM\Software\Microsoft\Windows\Daemon
Email addresses are gathered from *.doc, *.txt, *.htm and *.html files present locally, as well as from web searches performed through Lycos, Altavista, Yahoo and Google. The email messages vary considerably, being built from combinations of strings found in the worm body.
The attachment is either an executable file with a cmd, bat, com, exe, pif or scr extension, or a zip archive with the executable inside.
The worm attempts to download and install a backdoor trojan from http://www.aoprojecteden.org/xxxxremovedxxxx/modulelogo.png
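The following triage script is an added example, not Lumension's code: it checks a Windows host for the file, Run-value and marker-key artifacts listed above. It assumes the "Windows folder" is %WINDIR% (the description elides the folder as "\") and reports what it finds without changing anything.

```powershell
# Added example: look for the W32/MyDoom.AQ@mm persistence artifacts described above.
# Assumption: the worm's "Windows folder" is $env:WINDIR. Read-only; nothing is removed.
$windir   = $env:WINDIR
$findings = @()

# Dropped files. Note that the legitimate services.exe lives in System32,
# so a SERVICES.EXE directly under the Windows folder is itself suspicious.
foreach ($name in 'JAVA.EXE', 'SERVICES.EXE') {
    $path = Join-Path $windir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

# Run values the worm creates so both files start at boot.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$expected = @{ JavaVM = 'JAVA.EXE'; Services = 'SERVICES.EXE' }
foreach ($valueName in $expected.Keys) {
    $value = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($value -and $value -match [regex]::Escape($expected[$valueName])) {
        $findings += [pscustomobject]@{
            Type     = 'RunValue'
            Location = "$runKey\$valueName"
            Detail   = $value
        }
    }
}

# Marker keys created under both hives.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\Daemon"
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'Key'; Location = $key; Detail = 'present' }
    }
}

if ($findings.Count -eq 0) { 'No W32/MyDoom.AQ@mm artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any hit on the Run values or the Daemon keys should be treated as an infected host and handed to the antivirus product for cleanup rather than fixed by hand.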

Payload Details

The worm installs a trojan horse, and also downloads another trojan horse and installs it. These trojans are already detected by Lumension antivirus products as W32/Zincite.A and W32/Nemog.D.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15