Analysis by: Sabrina Lei Sioting
 Modified by: Michael Cabel

ALIASES:

Worm:Win32/Mydoom.O@mm (Microsoft), Email-Worm.Win32.Mydoom.m (Kaspersky), W32.Mydoom.M@mm (Symantec), W32/Mydoom.o@MM (McAfee), Email-Worm:W32/Mydoom.gen!A (Fsecure), W32/Mydoom.M!dam (Fortinet), W32/Mydoom.O@mm (Fprot), Email-Worm.Win32.Mydoom (Ikarus), Win32/Mydoom.R worm (Eset), W32/Mydoom.N.worm (Panda),

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via network shares, Downloaded from the Internet, Dropped by other malware

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 28,864 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 04 May 2009
Payload: Drops files

Arrival Details

This worm may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %Windows%\java.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following component file(s):

  • %Windows%\services.exe - also detected as WORM_MYDOOM.GEN

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
JavaVM = "%Windows%\java.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Services = "%Windows%\services.exe"

Other System Modifications

This worm adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Daemon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Daemon

Propagation

This worm gathers target email addresses from files with the following extensions:

  • .doc
  • .txt
  • .htm
  • .html

It avoids sending email messages to addresses containing the following strings:

  • mailer-d
  • abuse
  • master
  • sample
  • accoun
  • privacycertific
  • listserv
  • submit
  • ntivi
  • support
  • admin
  • the.bat
  • gold-certs
  • feste
  • rating
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • winrar
  • winzip
  • rarsoft
  • sf.net
  • sourceforge
  • ripe.
  • arin.
  • google
  • gmail
  • seclist
  • secur
  • foo.com
  • trend
  • update
  • uslis
  • domain
  • example
  • sophos
  • yahoo
  • spersk
  • panda
  • hotmail
  • msdn.
  • microsoft
  • sarc.

NOTES:

The email message it sends out may have the following characteristics: From:

  • postmaster@{target domain}
  • MAILER-DAEMON@{target domain}
  • noreply@{target domain}

It uses the following display names:

  • Postmaster
  • Mail Administrator
  • Automatic Email Delivery Software
  • Post Office
  • The Post Office
  • Bounced mail
  • Returned mail;
  • MAILER-DAEMON
  • Mail Delivery Subsystem

Subject:

  • hello
  • error
  • status
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
Body:

Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to
{inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|
huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent
v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file}
|}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:
Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}

Attachment:
It attaches a copy of itself in a .ZIP file. It may use the target email address name as the filename of the attachment, or any of the following:

  • readme
  • instruction
  • transcript
  • letter
  • attachment
  • document
  • message

And may have the following extension:

  • .cmd
  • .bat
  • .com
  • .exe
  • .pif
  • .scr

This worm queries from the following search engines to harvest email addresses from the results of the queries:

  • http://search.lycos.com
  • http://search.yahoo.com
  • http://www.altavista.com
  • http://www.google.com

It will also harvest email addresses from any active Outlook window on the affected machine.

This worm may also attempts to download a possibly malicious file from a possibly malicious web site.

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 6.106.04
FIRST VSAPI PATTERN DATE: 04 May 2009
VSAPI OPR PATTERN File: 6.107.00
VSAPI OPR PATTERN Date: 05 May 2009

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product and note files detected as WORM_MYDOOM.GEN

Step 3

Terminate a process file/s detected as WORM_MYDOOM.GEN

[ Learn More ]

*Note: If the detected file/s is/are not displayed in theWindows Task Manager, continue doing the next steps.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • JavaVM = "%Windows%\java.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Services = "%Windows%\services.exe"

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_CURRENT_USER\Software\Microsoft
    • Daemon
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
    • Daemon

Step 6

Scan your computer with your Trend Micro product to delete files detected as WORM_MYDOOM.GEN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.