ALIASES:

Mydoom, MyDoom

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via email, Propagates via peer-to-peer networks, Propagates via network shares

MYDOOM is a family of worms known for its mass-mailing capabilities. It propagates via network shares, email, and by exploiting vulnerabilities. Some variants also propagate via peer-to-peer (P2P) networks.

When executed, MYDOOM gathers information such as email addresses, user names, and domain names from the affected system's Windows Address Book and Temporary Internet Files folder. The stolen information is used to create more email addresses by prepending certain strings to the addresses gathered. MYDOOM then sends copies of itself via email, using its own Simple Mail Transfer Protocol (SMTP) engine.

A MYDOOM variant was used in DDOS attacks against websites in the US and South Korea in 2009. The said worm has the capability to delete certain network analysis tools, preventing early detection and deletion.

MYDOOM is also known for its "bot war" with another mass-mailing family of worms, NETSKY.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Gathers information

Installation

This worm drops the following files:

  • %System%\lsasvc.exe
  • %Windows%\services.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • %System Root%\csrss.exe
  • %Windows%\java.exe
  • %Windows%\rasor38a.dll

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "{malware path}\{malware name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
JavaVM = "%Windows%\java.exe"

NOTES:

It drops csrss.exe to the follwing network shared folder:

  • ADMIN$