| Name | Win32.MyDoom.f |
| Threat Level |  |
| Alias | Win32.MyDoom.f, W32.Mydoom.F@mm, W32/Mydoom.f@MM, WORM_MYDOOM.F, W32/MyDoom-F |
| Date | 22 February, 2004 |
| Type | Win32, Worm, Trojan |
| Damage | Create files, Send email, Remote control, Delete files |
| Platform | Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP |
Analysis
Win32.MyDoom.f is a mass-mailing worm and a variant of Win32.MyDoom.a. It opens a backdoor on the infected machine that listens on TCP port 1080, and it may also delete important files found on the system. Each month, between the 17th and the 22nd, the worm performs a DoS (Denial of Service) attack against either www.microsoft.com or www.riaa.com.
The arriving email will have the following characteristics:
Sender: The sender's information will be spoofed (forged) by the worm.
Subject: The subject of this mail may be blank, or any of the following:
Accident
Announcement
Approved
Attention
automatic notification
automatic responder
Confirmation
Confirmation Required
Current Status
Details
Expired account
For you
For your information
forget
Hello
Hi
hi, it's me
Important
Information
Love is
Love is...
Notification
please read
please reply
Re:
Re: Approved
Re: Details
Re: Thank you
Read it immediately
Read it immediately!
read now!
Read this
Read this message
Readme
recent news
Registration confirmation
Returned Mail
Schedule
Something for you
stolen
Thank you
Thank You very very much
Undeliverable message
unknown
Wanted
Warning
You have 1 day left
You use illegal File Sharing...
Your account has expired
Your account is about to be expired
Your credit card
Your IP was logged
Your order is being processed
Your order was registered
Your request is being processed
Your request was registered
Message body: The body of this mail will be any of the following:
Check the attached document.
Details are in the attached document. You need Microsoft Office to open it.
Everything ok?
Greetings
Here is the document.
Here it is
I have your password :)
I wait for your reply.
I'm waiting
Information about you
Is that from you?
Is that yours?
Kill the writer of this document!
OK
Okay
Please see the attached file for details
Please, reply
Read the details.
Reply
See the attached file for details
See you
Something about you
Take it
The document was sent in compressed format.
We have received this document from your e-mail.
You are a bad writer
You are bad
Attached File: The filename may be a random string or selected from an internal list of filenames. The file's extension will be one of the following:
.bat
.cmd
.com
.exe
.pif
.scr
.zip
Notes: The ZIP file is an archive containing the worm under one of the other file extensions listed above. The ZIP file's base name is identical to that of the file archived inside it.
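The lure pattern above (subject and body drawn from fixed lists, an executable attachment, or a ZIP whose name mirrors the executable inside it) is easy to turn into a mail-gateway triage check. The following is an added example, not code from the original advisory: the indicator lists are a subset of the ones given above, and all messages and attachments it handles are constructed in the test.

```python
# Added example (not from the advisory): mail-gateway triage for the
# Mydoom.F lure pattern. Indicator lists are a subset of those above;
# all sample messages and attachments are constructed here.
import io
import zipfile

SUBJECTS = {s.lower() for s in (
    "", "accident", "announcement", "approved", "hi, it's me",
    "read it immediately!", "your ip was logged", "your credit card",
    "you use illegal file sharing...", "undeliverable message",
)}
BODIES = {b.lower() for b in (
    "check the attached document.", "here is the document.",
    "i have your password :)", "kill the writer of this document!",
    "the document was sent in compressed format.", "you are bad",
)}
EXEC_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}

def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def zip_mirrors_payload(filename: str, data: bytes) -> bool:
    """True if a .zip holds exactly one executable whose base name equals
    the archive's own base name (the packing rule the advisory describes)."""
    if _ext(filename) != ".zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    if len(names) != 1:
        return False
    inner_ext = _ext(names[0])
    inner_base = names[0][: -len(inner_ext)] if inner_ext else names[0]
    return inner_ext in EXEC_EXTS and inner_base.lower() == filename[:-4].lower()

def matches_mydoom_f(subject: str, body: str, filename: str, data: bytes = b"") -> bool:
    """Subject and body both from the worm's lists, plus a bare executable or a self-named zip."""
    lure = subject.strip().lower() in SUBJECTS and body.strip().lower() in BODIES
    payload = _ext(filename) in EXEC_EXTS or zip_mirrors_payload(filename, data)
    return lure and payload

def build_zip(inner_name: str, content: bytes) -> bytes:
    """Constructed test fixture: a one-entry zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()
```

A hit only means the message matches the worm's lure pattern and should be quarantined for analysis; a legitimate message with a listed subject and body but a .txt attachment does not match.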
Malicious activity
When the worm is executed it does the following:
1. The worm may open Notepad and display random data. Otherwise, it will display the following false error message:
Title: Error
Message: Any of the following:
File cannot be opened
File is corrupted
Unable to open specified file
2. Drops a copy of itself into the default System folder. The copy has a randomly generated filename with the .EXE extension.
3. Creates a randomly named .DLL file in the default System folder; this file is the worm's backdoor component. It opens TCP port 1080 for listening and can also terminate several security-related applications.
4. Creates one of the following registry entries in order to run on startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"[random letters]" = "sysdir\[worm's filename]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"[random letters]" = "sysdir\[worm's filename]"
5. The worm will also create the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell
6. Each month, between the 17th and the 22nd, the worm launches a DoS attack. Two out of three attacks are launched against www.microsoft.com; the rest are against www.riaa.com.
7. Searches all default System folders (usually System or System32) and deletes the files found there that have the following extensions:
.avi
.bmp
.doc
.jpg
.mdb
.sav
.xls
8. Finally, the worm harvests e-mail addresses found on the system and sends itself to them. It avoids sending itself to several predetermined addresses, if found.
eSafe Users
eSafe users are protected against this vandal using the latest vandal/virus update.
A new vandal/virus update is available.
Update date: February 22, 2004
Update version: EV115-SV300
eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product's eConsole.
New Users
More information about eSafe Content Security Products, as well as trial versions, is available from here.