WORM_MYDOOM.GEN
Worm:Win32/Mydoom.O@mm (Microsoft), Email-Worm.Win32.Mydoom.m (Kaspersky), W32.Mydoom.M@mm (Symantec), W32/Mydoom.o@MM (McAfee), Email-Worm:W32/Mydoom.gen!A (Fsecure), W32/Mydoom.M!dam (Fortinet), W32/Mydoom.O@mm (Fprot), Email-Worm.Win32.Mydoom (Ikarus), Win32/Mydoom.R worm (Eset), W32/Mydoom.N.worm (Panda)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This worm may arrive via network shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %Windows%\java.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It drops the following component file(s):
- %Windows%\services.exe - also detected as WORM_MYDOOM.GEN
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
JavaVM = "%Windows%\java.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services = "%Windows%\services.exe"
Other System Modifications
This worm adds the following registry keys as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Propagation
This worm gathers target email addresses from files with the following extensions:
- .doc
- .txt
- .htm
- .html
It avoids sending email messages to addresses containing the following strings:
- mailer-d
- abuse
- master
- sample
- accoun
- privacycertific
- listserv
- submit
- ntivi
- support
- admin
- the.bat
- gold-certs
- feste
- rating
- someone
- anyone
- nothing
- nobody
- noone
- winrar
- winzip
- rarsoft
- sf.net
- sourceforge
- ripe.
- arin.
- gmail
- seclist
- secur
- foo.com
- trend
- update
- uslis
- domain
- example
- sophos
- yahoo
- spersk
- panda
- hotmail
- msdn.
- microsoft
- sarc.
NOTES:
The email message it sends out may have the following characteristics:
From:
- postmaster@{target domain}
- MAILER-DAEMON@{target domain}
- noreply@{target domain}
It uses the following display names:
- Postmaster
- Mail Administrator
- Automatic Email Delivery Software
- Post Office
- The Post Office
- Bounced mail
- Returned mail;
- MAILER-DAEMON
- Mail Delivery Subsystem
Subject:
- hello
- error
- status
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to
{inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|
huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent
v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file}
|}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:
Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}
Attachment:
It attaches a copy of itself in a .ZIP file. It may use the target email address name as the filename of the attachment, or any of the following:
- readme
- instruction
- transcript
- letter
- attachment
- document
- message
And may have the following extension:
- .cmd
- .bat
- .com
- .exe
- .pif
- .scr
This worm also queries the following search engines and harvests email addresses from the results:
- http://search.lycos.com
- http://search.yahoo.com
- http://www.altavista.com
- http://www.google.com
It will also harvest email addresses from any active Outlook window on the affected machine.
This worm may also attempt to download a possibly malicious file from a possibly malicious website.
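The sender, display name, subject and attachment traits listed above can be turned into a mail-gateway check. The following is an added example (not Trend Micro's code and not part of the original description); the Message class and the sample messages are constructed for illustration, and the detection logic only flags a message when an executable inside a .ZIP attachment is paired with at least one of the lure traits, so ordinary bounces and ordinary ZIPs are not flagged.

```python
import os
from dataclasses import dataclass

# Indicators copied from the description above, lower-cased for comparison.
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon", "noreply"}
DISPLAY_NAMES = {"postmaster", "mail administrator", "automatic email delivery software",
                 "post office", "the post office", "bounced mail", "returned mail;",
                 "mailer-daemon", "mail delivery subsystem"}
SUBJECTS = {"hello", "error", "status", "report", "delivery failed",
            "message could not be delivered", "mail system error - returned mail",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details", "returned mail: data format error"}
ATTACHMENT_STEMS = {"readme", "instruction", "transcript", "letter",
                    "attachment", "document", "message"}
EXEC_EXTS = {".cmd", ".bat", ".com", ".exe", ".pif", ".scr"}

@dataclass
class Message:  # constructed, minimal view of an inbound mail
    from_name: str
    from_addr: str
    to_addr: str
    subject: str
    attachments: list  # [(zip file name, [member file names]), ...]

def indicators(msg):
    """Return the list of WORM_MYDOOM.GEN traits this message exhibits."""
    hits = []
    sender_local, _, sender_domain = msg.from_addr.lower().partition("@")
    rcpt_local, _, rcpt_domain = msg.to_addr.lower().partition("@")
    # The worm forges a bounce-style sender in the recipient's own domain.
    if sender_local in BOUNCE_LOCALPARTS and sender_domain == rcpt_domain:
        hits.append("bounce-style From: at recipient domain")
    if msg.from_name.strip().lower() in DISPLAY_NAMES:
        hits.append("known display name")
    if msg.subject.strip().lower() in SUBJECTS:
        hits.append("known subject")
    for zip_name, members in msg.attachments:
        stem, ext = os.path.splitext(zip_name)
        if ext.lower() != ".zip":
            continue
        if stem.lower() in ATTACHMENT_STEMS or stem.lower() == rcpt_local:
            hits.append(f"attachment name {zip_name} matches worm pattern")
        for member in members:
            if os.path.splitext(member)[1].lower() in EXEC_EXTS:
                hits.append(f"executable {member} inside {zip_name}")
    return hits

def is_suspect(msg):
    """Flag only an executable-in-ZIP paired with at least one lure trait."""
    hits = indicators(msg)
    has_exec = any(h.startswith("executable ") for h in hits)
    return has_exec and len(hits) >= 2
```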
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product and note files detected as WORM_MYDOOM.GEN
Step 3
Terminate the process(es) detected as WORM_MYDOOM.GEN
*Note: If the detected file(s) are not displayed in the Windows Task Manager, continue with the next steps.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- JavaVM = "%Windows%\java.exe"
- Services = "%Windows%\services.exe"
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this step, you must restart in Safe Mode; for instructions on how to do this, refer to this page. Once you have restarted in Safe Mode, you may proceed to edit the system registry.
- In HKEY_CURRENT_USER\Software\Microsoft
- Daemon
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
- Daemon
Step 6
Scan your computer with your Trend Micro product to delete files detected as WORM_MYDOOM.GEN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
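To confirm after Steps 4 to 6 that the autostart values, the dropped copies and the Daemon marker keys listed in this description are gone, the following added example (not Trend Micro's code and not part of the original description) performs a read-only check of those indicators. The assess() function works on already-collected host state so it can be exercised anywhere; collect_and_assess() does the collection with the standard-library winreg module and therefore only runs on Windows. Neither function deletes anything.

```python
import os

# Indicators taken from the description above (paths keep the %Windows% placeholder).
RUN_VALUES = {"JavaVM": r"%Windows%\java.exe", "Services": r"%Windows%\services.exe"}
DAEMON_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Daemon",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon")

def normalize(path, windows_dir):
    """Expand %Windows% and fold case so registry data and real paths compare equal."""
    return path.replace("%Windows%", windows_dir).strip('"').lower()

def assess(run_values, present_files, present_keys, windows_dir=r"C:\Windows"):
    """Pure check over collected host state; returns a list of findings (empty = clean).
    run_values: {name: data} from HKLM\\...\\CurrentVersion\\Run; present_files and
    present_keys: sets of file paths / registry keys that exist on the host."""
    findings = []
    files = {normalize(f, windows_dir) for f in present_files}
    keys = {k.lower() for k in present_keys}
    for name, data in RUN_VALUES.items():
        expected = normalize(data, windows_dir)
        actual = run_values.get(name)
        if actual is not None and normalize(actual, windows_dir) == expected:
            findings.append(f"autostart value {name} points at {expected}")
        if expected in files:
            # A genuine services.exe lives in %Windows%\System32, never directly in %Windows%.
            findings.append(f"dropped copy present: {expected}")
    for key in DAEMON_KEYS:
        if key.lower() in keys:
            findings.append(f"installation marker key present: {key}")
    return findings

def collect_and_assess():
    """Windows-only, read-only collection of the indicators, then assess()."""
    import winreg  # standard library on Windows; ImportError elsewhere
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    run_values = {}
    with winreg.OpenKey(hives["HKEY_LOCAL_MACHINE"],
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as run_key:
        for i in range(winreg.QueryInfoKey(run_key)[1]):
            name, data, _ = winreg.EnumValue(run_key, i)
            run_values[name] = str(data)
    present_keys = set()
    for key in DAEMON_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], subkey))
            present_keys.add(key)
        except OSError:
            pass  # key absent: nothing to report
    files = {p for p in (normalize(d, windows_dir) for d in RUN_VALUES.values()) if os.path.exists(p)}
    return assess(run_values, files, present_keys, windows_dir)
```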