W32/Mydoom.t@MM

Type
Virus
SubType
Worm
Discovery Date
09/03/2004
Length
37888 bytes
Minimum DAT
4390 (09/08/2004)
Updated DAT
5444 (11/24/2008)
Minimum Engine
5.1.00
Description Added
09/03/2004
Description Modified
09/07/2004 11:56 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This new variant, packed with UPX, bears the following characteristics:

  • contains its own SMTP engine for constructing messages
  • harvests target email addresses from the victim machine
  • forges the From: header of outgoing messages
  • copies itself to the Kazaa Shared folder

Proactive Detection
This variant is detected on gateway products with program heuristics enabled as New Malware.b with 4328 DATs (release date: Feb 25th 2004) or higher, provided scanning of compressed files is enabled (the default setting).

Details

From: (spoofed From: header)
Do not assume that the sender address indicates that the sender is infected. You may also receive alert messages from a mail server claiming that you are infected, which may not be the case.

The From address is either one of the harvested addresses or constructed by taking a common name carried within the virus body and prepending it to the recipient's domain name (e.g. john@mydomain.com).

The common names used are as follows:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • alex
  • john

The worm searches for email addresses on the local hard drive within files with these extensions:

  • .wab
  • .pl
  • .adb
  • .tbb
  • .dbx
  • .asp
  • .php
  • .sht
  • .htm

The virus avoids emailing itself to target domains containing any of the following strings:

  • accoun
  • google
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • submit
  • not
  • help
  • service
  • privacy
  • somebody
  • no
  • soft
  • contact
  • site
  • rating
  • bugs
  • me
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root

Subject:

The subject can be empty or random, but can also be taken from a hardcoded list. For example, the subject may look like:

  • Hi
  • hi
  • Mali Delivery System
  • MAIL TRANSACTION FAILED
  • Status
  • Test
  • TEST
  • HELLO
  • RE:Test
  • my ....
  • Document

Body:

Like the subject, the body can be empty or contain random characters, but it can also contain strings from a hardcoded list. For example:

  • error, check the attachment for more information
  • check the attachmetn to get the lastest news.
  • !!!!!!!!!!!!, check the attachment !!!.
  • loooooool ;)))
  • failed to send the email!, check the attachment for more information.
  • hello.
  • Try Later, Check the Attachment
  • (Norton ANti Virus,Panda,Mcafee No Virusses Found).
  • come back my friend.

Attachment:

The worm attaches itself to the mails using one of the filenames it carries, combined with one of the following extensions:

  • .EXE
  • .SCR
  • .PIF
  • .BAT
  • .CMD

The worm is also able to send itself as a ZIP attachment.

Example:

  • document.pif
  • data.cmd
  • readme.zip
  • message.exe
  • message.zip
  • ymcd.pif
  • Information.cmd
  • Msg.zip
  • document.zip
  • body.exe
  • Error.bat
  • text.zip
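The From:, Subject:, Body: and Attachment: indicators above can be turned into a gateway triage rule. The following is an added example written for this write-up, not McAfee's detection logic and not code from the worm: it parses one raw message with the Python standard library, counts independent matches against the lists quoted above, and only quarantines on two or more, because a single match is weak (the subject and body may be empty or random, and From: may be a harvested address rather than the name@recipient-domain construction). The sample messages are constructed; the MZ bytes in the attachment are a placeholder, not the worm.

```python
"""Gateway triage for mail carrying the W32/Mydoom.t@MM indicators listed above.

Added example for this write-up, not McAfee's detection logic or the worm's
code. Indicator lists are taken from the description; the sample messages are
constructed. Requires only the Python standard library.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Local parts the worm prepends to the recipient's own domain when it forges From:
COMMON_NAMES = set("""sandra linda julie jimmy jerry helen debby claudia brenda
anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane
bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george
david kevin mike james michael alex john""".split())

# Hard-coded subjects and bodies, compared case-insensitively after trimming.
SUBJECTS = {"hi", "mali delivery system", "mail transaction failed", "status",
            "test", "hello", "re:test", "my ....", "document"}
BODIES = {
    "error, check the attachment for more information",
    "check the attachmetn to get the lastest news.",
    "!!!!!!!!!!!!, check the attachment !!!.",
    "loooooool ;)))",
    "failed to send the email!, check the attachment for more information.",
    "hello.",
    "try later, check the attachment",
    "(norton anti virus,panda,mcafee no virusses found).",
    "come back my friend.",
}
ATTACH_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".zip"}
ATTACH_NAMES = {"document.pif", "data.cmd", "readme.zip", "message.exe",
                "message.zip", "ymcd.pif", "information.cmd", "msg.zip",
                "document.zip", "body.exe", "error.bat", "text.zip"}


def split_addr(header: str) -> tuple:
    """Return (local-part, domain), lower-cased, from a From:/To: header."""
    _, addr = parseaddr(header or "")
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def score_message(raw: bytes) -> dict:
    """Match one raw message against the indicators; return hits and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # From: forged as <common name>@<recipient's domain>
    from_local, from_domain = split_addr(msg.get("From", ""))
    _, to_domain = split_addr(msg.get("To", ""))
    if from_domain and from_local in COMMON_NAMES and from_domain == to_domain:
        hits.append("from: common name prepended to recipient domain")

    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject: hard-coded string")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in BODIES:
        hits.append("body: hard-coded string")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACH_NAMES or os.path.splitext(name)[1] in ATTACH_EXT:
            hits.append(f"attachment: {name or '<unnamed>'}")

    if len(hits) >= 2:
        verdict = "quarantine"
    elif hits:
        verdict = "flag"          # one weak indicator: log and inspect, do not block
    else:
        verdict = "pass"
    return {"hits": hits, "verdict": verdict}


def build_sample(infected: bool) -> bytes:
    """Construct a test message (not a real capture); infected=True mimics the worm."""
    m = EmailMessage()
    if infected:
        m["From"] = "john@example.net"       # COMMON_NAMES entry + recipient's domain
        m["To"] = "alice@example.net"
        m["Subject"] = "MAIL TRANSACTION FAILED"
        m.set_content("failed to send the email!, check the attachment for more information.")
        m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                         subtype="octet-stream", filename="message.exe")  # placeholder bytes
    else:
        m["From"] = "alice@corp.example"
        m["To"] = "bob@other.example"
        m["Subject"] = "Meeting notes"
        m.set_content("Notes from today's meeting are in the wiki.")
    return bytes(m)


if __name__ == "__main__":
    for flag in (True, False):
        print(score_message(build_sample(flag)))
```

The attachment test deliberately matches on extension as well as on the listed names, since the worm combines its filenames with several extensions; in production the .zip case should additionally be checked by opening the archive, which this example does not do.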

After execution, the worm copies itself to the %windir%\system32 folder as TASKER.EXE and creates the following registry value:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Task" =
    C:\WINNT\System32\tasker.exe

It also drops NEMOG.DLL into the %windir%\system32 folder and changes a registry value:

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)"
    Before: %SystemRoot%\System32\webcheck.dll
    After: C:\WINNT\System32\Nemog.dll

The DLL has a size of 8192 bytes and is detected by 4390 DATs as W32/Mydoom.t.dll.
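The second registry change is the one to watch: {E6FB5E20-DE35-11CF-9C87-00AA005127ED} is the CLSID Windows registers for the Web Check component (webcheck.dll), which Explorer instantiates at logon via ShellServiceObjectDelayLoad, so redirecting its InProcServer32 path loads Nemog.dll into explorer.exe on every logon without any entry under Run. The page does not say this; it is added here as a practitioner's note. The script below is an added example for this write-up (not McAfee's cleaner) that reports both the Run value and the COM redirection, plus the two dropped files. `assess` and `check_files` work on plain inputs so they run anywhere with constructed data; `collect_from_registry` reads the live keys and only works on Windows. It reports and does not clean; removal is left to the engine/DAT combination named above, which also restores the InProcServer32 value.

```python
"""Report the W32/Mydoom.t@MM persistence artefacts described above.

Added example for this write-up, not McAfee's cleaner. `assess` and
`check_files` are pure functions over plain inputs so they can be exercised
with constructed data on any platform; `collect_from_registry` reads the live
keys and only runs on Windows. The script reports; it does not clean.
"""
import os
from typing import Optional

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WEBCHECK_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
INPROC_KEY = "CLSID\\" + WEBCHECK_CLSID + "\\InProcServer32"
STOCK_INPROC = r"%SystemRoot%\System32\webcheck.dll"   # value before infection
DROPPED = {"tasker.exe": None, "nemog.dll": 8192}       # expected sizes, None = not given


def assess(run_values: dict, inproc_default: Optional[str]) -> list:
    """Return findings for the Run value and the Web Check CLSID redirection.

    run_values maps value names under HKLM\\...\\Run to their data;
    inproc_default is the (Default) of the CLSID's InProcServer32 key, or
    None if the key is missing.
    """
    findings = []
    for name, data in run_values.items():
        if name.lower() == "task" or "tasker.exe" in data.lower():
            findings.append(f"Run value {name!r} = {data}")
    if inproc_default is not None:
        d = inproc_default.strip().lower()
        if d.endswith("nemog.dll"):
            findings.append(f"COM hijack: HKCR\\{INPROC_KEY} -> {inproc_default}")
        elif not d.endswith("webcheck.dll"):
            # Not the worm's value, but not the stock one either: inspect it.
            findings.append(f"unexpected InProcServer32 for Web Check: {inproc_default}")
    return findings


def check_files(system32: str) -> list:
    """Look for the dropped files in the given System32 directory."""
    findings = []
    for fname, size in DROPPED.items():
        path = os.path.join(system32, fname)
        if os.path.isfile(path):
            actual = os.path.getsize(path)
            note = "" if size is None or actual == size else f" (size {actual}, expected {size})"
            findings.append(f"file present: {path}{note}")
    return findings


def collect_from_registry() -> tuple:
    """Read both locations from the live registry (Windows only)."""
    import winreg  # importable only on Windows
    run = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            run[name] = str(data)
            index += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, INPROC_KEY) as key:
            inproc = winreg.QueryValue(key, None)   # the (Default) value
    except OSError:
        inproc = None
    return run, inproc


if __name__ == "__main__":
    if os.name == "nt":
        run_values, inproc = collect_from_registry()
        system32 = os.path.join(os.environ["SystemRoot"], "System32")
    else:   # off Windows, demonstrate with the values quoted in the description
        run_values = {"Task": r"C:\WINNT\System32\tasker.exe"}
        inproc = r"C:\WINNT\System32\Nemog.dll"
        system32 = "."
    for line in assess(run_values, inproc) + check_files(system32):
        print(line)
```

Any InProcServer32 value for this CLSID that is neither the stock webcheck.dll nor Nemog.dll is reported too, since the same redirection works for any DLL and other malware has used the Web Check CLSID the same way.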

P2P propagation:

The worm checks whether the peer-to-peer client Kazaa is installed on the victim's system and, if found, places several copies into its 'Shared Folder' using these names:

  • Fixtool.exe
  • Vaho.exe
  • SeX.exe
  • cleaner.exe
  • mirc.exe
  • Wenrar.exe
  • kazz.exe
  • Winzip.exe
  • crack.exe
  • Upload.exe
  • Vahos.exe
  • netsky.exe
  • mydoom.exe
  • SoBig.exe
  • klez.exe
  • yahoo hacker.exe
  • Hotmail hacker.exe
  • ps2 emulator.exe
  • xbox emulator.exe
  • XXX Videos.exe
  • XXX Pictures.exe 

Symptoms

  • Existence of the files and registry keys mentioned above.
  • Outgoing network traffic to port 25 (SMTP)

Method of Infection

  This virus spreads via email.  Victims must manually choose to execute the infected attachment.  Once running, the virus harvests addresses from files as mentioned above.

The virus is then mailed to the addresses obtained.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Mydoom.t.dll
  • WORM_MYDOOM.T (Trend)