MYDOOM
Mydoom, MyDoom
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via email, Propagates via peer-to-peer networks, Propagates via network shares
MYDOOM is a family of worms known for its mass-mailing capabilities. It propagates via network shares, email, and by exploiting vulnerabilities. Some variants also propagate via peer-to-peer (P2P) networks.
When executed, MYDOOM gathers information such as email addresses, user names, and domain names from the affected system's Windows Address Book and Temporary Internet Files folder. The stolen information is used to create more email addresses by prepending certain strings to the addresses gathered. MYDOOM then sends copies of itself via email, using its own Simple Mail Transfer Protocol (SMTP) engine.
A MYDOOM variant was used in DDOS attacks against websites in the US and South Korea in 2009. The said worm has the capability to delete certain network analysis tools, preventing early detection and deletion.
MYDOOM is also known for its "bot war" with another mass-mailing family of worms, NETSKY.
TECHNICAL DETAILS
Yes
Gathers information
Installation
This worm drops the following files:
- %System%\lsasvc.exe
- %Windows%\services.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.)
It drops the following copies of itself into the affected system:
- %System Root%\csrss.exe
- %Windows%\java.exe
- %Windows%\rasor38a.dll
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "{malware path}\{malware name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
JavaVM = "%Windows%\java.exe"
NOTES:
It drops csrss.exe to the follwing network shared folder:
- ADMIN$