W32/Mydoom.ae@MM

Type: Virus
SubType: E-mail
Discovery Date: 10/17/2004
Length: 51,712 bytes
Minimum DAT: 4400 (10/20/2004)
Updated DAT: 4566 (08/24/2005)
Minimum Engine: 5.1.00
Description Added: 10/18/2004
Description Modified: 10/18/2004 10:38 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This is a mass-mailing worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • contains a backdoor component (see below)
  • modifies the HOSTS file
  • downloads W32/Scran.worm (P2P worm)

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address identifies an infected machine: the worm forges the From: header. For the same reason you may receive bounce or alert messages from a mail server claiming that you are infected when you are not.

Subject: (Varies, such as)

  • Fw:Information
  • read now!
  • Fw:Warning
  • Re:Warning
  • Warning
  • Fw:Notification
  • Re:Notification
  • Notification
  • Fw:Document
  • Re:Document
  • Document
  • Fw:Important
  • Re:Important
  • Important
  • Re:Information
  • Information
  • Re:Details
  • Details
  • Announcement

Body:  (Varies, such as)  

  • Daily Report.
  • your document.
  • here is the document.
  • Reply
  • Important Information.
  • Kill the writer of this document!
  • Details are in the attached document.
  • See the attached file for details
  • Please see the attached file for details
  • Check the attached document.
  • Monthly news report.
  • Please confirm!.
  • Please read the attached file!.
  • Please see the attached file for details.
  • Waiting for a Response. Please read the attachment.
  • Please answer quickly!.

Attachment: (often arrives in a ZIP archive)

  • attachment.doc
  • notes.doc
  • notedoc
  • text.doc
  • data.doc
  • list.doc
  • archive.doc
  • error.doc
  • check.doc
  • file.doc
  • message.doc
  • letter.doc
  • information.doc
  • msg.doc
  • news.doc
  • report.doc
  • document.doc

When a second extension is used, a run of spaces may be inserted between the two so that the real extension is pushed out of view in the mail client, for example:

  • %filename.doc%   (many spaces)  %2ndExt%

The second extension can be any one of the following:

  • .cpl
  • .scr
  • .pif
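A mail-gateway check for the lure described above: it matches the subject lines listed, flags attachment names that use the padded ".doc <spaces> .cpl/.scr/.pif" trick or a bare executable extension, and looks inside ZIP attachments by member name without extracting them. This is an added example, not code from the advisory or from McAfee; the sample ZIP it builds is constructed inline, and the function names are the example's own.

```python
import io
import re
import zipfile

# Subject lines from the advisory, with the Fw:/Re: prefix stripped.
LURE_SUBJECTS = {
    "information", "read now!", "warning", "notification", "document",
    "important", "details", "announcement",
}

# Extensions the advisory lists as the hidden second extension.
EXEC_EXTS = (".cpl", ".scr", ".pif")

# <name>.doc, then one or more spaces, then the real executable extension.
PADDED_DOUBLE_EXT_RE = re.compile(
    r"^(?P<base>[^\\/]+?)\.doc\s+(?P<ext>\.(?:cpl|scr|pif))$", re.IGNORECASE
)
PREFIX_RE = re.compile(r"^(?:fw|re):\s*", re.IGNORECASE)


def is_lure_subject(subject):
    """True if the subject matches one of the advisory's subject lines."""
    return PREFIX_RE.sub("", subject.strip()).lower() in LURE_SUBJECTS


def classify_attachment_name(name):
    """Return a reason string when `name` matches the worm's naming scheme, else None."""
    m = PADDED_DOUBLE_EXT_RE.match(name)
    if m:
        return "padded double extension: .doc hides %s" % m.group("ext").lower()
    if name.lower().endswith(EXEC_EXTS):
        return "bare executable attachment (%s)" % name.lower().rsplit(".", 1)[-1]
    return None


def scan_zip_members(zip_bytes):
    """Check the name of every member of an in-memory ZIP; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_attachment_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def scan_message(subject, attachments):
    """attachments: list of (filename, bytes). Returns a verdict dict for the gateway."""
    findings = []
    for fname, data in attachments:
        reason = classify_attachment_name(fname)
        if reason:
            findings.append((fname, reason))
        # Recognise archives by signature, not by the (attacker-chosen) name.
        if data[:2] == b"PK":
            try:
                findings.extend((fname + ":" + member, r)
                                for member, r in scan_zip_members(data))
            except zipfile.BadZipFile:
                findings.append((fname, "PK signature but unreadable ZIP"))
    return {
        "lure_subject": is_lure_subject(subject),
        "findings": findings,
        "quarantine": bool(findings),
    }


def build_sample_zip():
    """Constructed sample: a ZIP whose only member uses the padded double-extension name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.doc" + " " * 60 + ".pif", b"not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = scan_message("Re:Notification", [("document.zip", build_sample_zip())])
    for name, reason in verdict["findings"]:
        print(name.replace(" " * 60, " <60 spaces> "), "->", reason)
    print("lure subject:", verdict["lure_subject"], "quarantine:", verdict["quarantine"])
```

The attachment-name rule is the one worth keeping after this particular worm is gone: any name with a document extension, a run of whitespace and then an executable extension is a presentation trick, whatever the base name, and the subject match is only corroboration.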

Target mail addresses are gathered from files with the following file extensions:

  • wab
  • pl
  • adbh
  • tbbg
  • dbxn
  • aspd
  • phpq
  • sht
  • vbs
  • cfg
  • eml
  • cgi
  • wsh
  • msg
  • uin
  • xls
  • jsp
  • xml
  • mdx
  • mbx
  • html
  • htmb
  • txt

When the attachment is run (manually, by the user), the worm copies itself to the Windows System directory as AVPR.EXE:

  • %SysDir%\AVPR.EXE

(where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Avpr" = %SysDir%\AVPR.EXE

The worm also drops a DLL in the Windows System directory:

  • %SysDir%\TCP5424.dll (5,632 bytes)

This DLL is loaded into EXPLORER.EXE at the next reboot via the following registry key: the InProcServer32 path for this CLSID is pointed at the worm's DLL, so Explorer loads it when that COM class is instantiated.

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\TCP5424.dll
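The two registry changes above can be checked offline from a `reg export` of HKLM\Software and HKEY_CLASSES_ROOT taken on a suspect host. The following is an added example, not code from the advisory or from McAfee: a small parser for the .reg export format plus an indicator check for the "Avpr" Run value and the InProcServer32 path pointing at TCP5424.dll. The .reg text it runs against is a constructed sample, and the function names are the example's own.

```python
import re

# Indicators from the advisory (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HIJACKED_CLSID = "{e6fb5e20-de35-11cf-9c87-00aa005127ed}"
RUN_VALUE_NAME = "avpr"
DROPPED_EXE = "avpr.exe"
DROPPED_DLL = "tcp5424.dll"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape_sz(data):
    # .reg quoting: backslashes and double quotes inside REG_SZ data are escaped.
    return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse 'reg export' output into {key (lower-case): {value name: data}}.
    The default value is stored under '@'. Only REG_SZ data is unescaped;
    dword:/hex: values are kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").rstrip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("default") else vm.group("name")
            data = vm.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape_sz(data)
            keys[current][name] = data
    return keys


def find_mydoom_ae_indicators(reg_text):
    """Return (indicator, detail) pairs for the advisory's two registry changes."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_EXE):
            hits.append(("run-key persistence", "%s = %s" % (name, data)))
    inproc = "hkey_classes_root\\clsid\\" + HIJACKED_CLSID + "\\inprocserver32"
    dll = keys.get(inproc, {}).get("@", "")
    if dll.lower().endswith("\\" + DROPPED_DLL):
        hits.append(("clsid inprocserver32 hijack", "%s -> %s" % (inproc, dll)))
    return hits


# Constructed sample in .reg syntax. Real exports are UTF-16LE with a BOM, so
# open them with encoding="utf-16" before passing the text in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Avpr"="C:\\WINDOWS\\SYSTEM\\AVPR.EXE"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\TCP5424.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for indicator, detail in find_mydoom_ae_indicators(SAMPLE_REG):
        print(indicator + ":", detail)
```

Because the InProcServer32 path belongs to a CLSID that Explorer loads anyway, the DLL runs inside EXPLORER.EXE without any new process or service appearing; a triage that only lists Run keys and running processes will see AVPR.EXE but miss the backdoor component, which is why the CLSID check is included.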

Peer To Peer Propagation
The worm attempts to download a file named SCRAN.JPG from a remote site, saves it to the root of drive C: as SCRAN.EXE and executes it. This file carries a P2P worm and is detected as W32/Scran.worm with the 4400 DATs.

Remote Access Component
The DLL component acts as a backdoor, listening on TCP port 5424 for inbound connections.

Symptoms

  • When the attachment is run, Notepad opens filled with nonsense characters (a decoy so the file appears to be a corrupt document)
  • Existence of the files and registry entry listed above

  • The HOSTS file is appended with entries for the following anti-virus vendor sites, so that requests to them are redirected and signature updates or removal tools cannot be fetched:
    • www.trendmicro.com
    • trendmicro.com
    • rads.mcafee.com
    • customer.symantec.com
    • liveupdate.symantec.com
    • us.mcafee.com
    • updates.symantec.com
    • update.symantec.com
    • www.nai.com
    • nai.com
    • secure.nai.com
    • dispatch.mcafee.com
    • download.mcafee.com
    • www.my-etrust.com
    • my-etrust.com
    • mast.mcafee.com
    • ca.com
    • www.ca.com
    • networkassociates.com
    • www.networkassociates.com
    • avp.com
    • www.kaspersky.com
    • www.avp.com
    • kaspersky.com
    • www.f-secure.com
    • f-secure.com
    • viruslist.com
    • www.viruslist.com
    • liveupdate.symantecliveupdate.com
    • mcafee.com
    • www.mcafee.com
    • sophos.com
    • www.sophos.com
    • symantec.com
    • securityresponse.symantec.com
    • www.symantec.com
    • www.pandasoftware.com
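A check for the HOSTS tampering listed above, written as an added example (not code from the advisory or from McAfee): it parses the HOSTS file, reports any entry that pins one of the vendor names above to an address, and produces a cleaned copy that keeps comments and unrelated entries. The HOSTS text it runs against is constructed inline; the advisory does not say which address the worm maps the names to, so the sample uses 127.0.0.1 only to be self-contained. Function names are the example's own.

```python
import re

# Hostnames the advisory lists as appended to HOSTS (all lower-case here).
AV_VENDOR_HOSTS = {
    "www.trendmicro.com", "trendmicro.com", "rads.mcafee.com",
    "customer.symantec.com", "liveupdate.symantec.com", "us.mcafee.com",
    "updates.symantec.com", "update.symantec.com", "www.nai.com", "nai.com",
    "secure.nai.com", "dispatch.mcafee.com", "download.mcafee.com",
    "www.my-etrust.com", "my-etrust.com", "mast.mcafee.com", "ca.com",
    "www.ca.com", "networkassociates.com", "www.networkassociates.com",
    "avp.com", "www.kaspersky.com", "www.avp.com", "kaspersky.com",
    "www.f-secure.com", "f-secure.com", "viruslist.com", "www.viruslist.com",
    "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com",
    "sophos.com", "www.sophos.com", "symantec.com",
    "securityresponse.symantec.com", "www.symantec.com", "www.pandasoftware.com",
}

ENTRY_RE = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>\S.*?)\s*$")


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each effective HOSTS entry.
    Text after '#' is a comment; blank and comment-only lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(raw.split("#", 1)[0])
        if m:
            yield lineno, m.group("addr"), m.group("names").split()


def find_av_overrides(text):
    """Entries that pin a vendor hostname to any address. The match is on the
    name, not the address: a HOSTS entry for a vendor update server has no
    legitimate reason to exist on an end-user system, wherever it points."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if name.lower().rstrip(".") in AV_VENDOR_HOSTS:
                hits.append((lineno, addr, name))
    return hits


def clean_hosts(text):
    """Return (cleaned_text, removed_lines). Whole lines are dropped, which is
    what the worm appends; comments and unrelated entries are kept verbatim."""
    bad = {hit[0] for hit in find_av_overrides(text)}
    kept, removed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        (removed if lineno in bad else kept).append(raw)
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


# Constructed sample HOSTS content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.corp   # legitimate local entry
127.0.0.1 www.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
"""

if __name__ == "__main__":
    for lineno, addr, name in find_av_overrides(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (lineno, name, addr))
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("removed %d entries" % len(removed))
```

On the affected systems the file lives at %SystemRoot%\system32\drivers\etc\hosts (or %SystemRoot%\hosts on Windows 9x/ME); run the check before attempting a DAT update, since the tampered file is exactly what stops the update from reaching the vendor.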

Method of Infection

This worm spreads via e-mail using its own SMTP engine.

The worm does not send itself to addresses containing any of the following strings:

  • google
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • feste
  • submit
  • help
  • service
  • privacy
  • somebody
  • soft
  • contact
  • site
  • rating
  • bugs
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root
  • be_loyal:
  • mozilla
  • utgers.ed
  • tanford.e
  • acketst
  • isc.o
  • isi.e
  • ripe.
  • arin.
  • sendmail
  • rfc-ed
  • ietf
  • iana
  • usenet
  • fido
  • linux
  • ernel
  • ibm.com
  • fsf.
  • mit.e
  • math
  • unix
  • berkeley
  • foo.
  • .mil
  • gov.
  • .gov
  • ruslis
  • nodomai
  • mydomai
  • example
  • inpris
  • borlan
  • sopho
  • panda
  • icrosof
  • syma
  • .edu
  • -._!
  • -._!@
  • abuse
  • secur
  • spam

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
