
Win32.Mydoom.U@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Mydoom.U@mm is also known as I-Worm.MyDoom.gen and Win32.HLLM.MyDoom.based.

Explanation:

It arrives by e-mail in the following format:

From: spoofed; usually appears to come from an @msn.com, @yahoo.com or @hotmail.com address
Subject: (one of the following lines)

RE:my .....
RE:test
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Msg
Information

Body: (one of the following lines)

This is a multi-part message in MIME format.
Mail transaction failed. Partial message is available.
sorry we can't send the mail try later , check the attachment for more information.
error , sorry we can't send the email so check the attachment.
hello check the attachment thx.
hello.
!!!!!!!!!!!, check the attachment!!!.
Try Later, Check the Attachment.
failed to send the email!, check the attachment for more information.
check.
check the attachment to get the lastest news.
come back my friend.
loooooool ;)))
hello :)
failed,check the attachment for more information.
error, check the attachment for more information.
error to send the mail!!!!!.
you can check the attachment for more information.
(Norton ANti Virus,Panda,Mcafee No Virusses Found).
the attachment for more information.
here is what you need,thx.
your attachment , thx.
Check the attachment for more information!.
(Norton Anti Virus : No Virusses Found , Check The Attachment For More Information.
test

Attachment:
filename may be:

body
message
test
data
file
text
doc
readme
document

extension may be:
bat, cmd, exe, scr, pif or zip
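The message format above is specific enough to screen for at a mail gateway. The following is an added example (not BitDefender's code and not the worm's): a small Python classifier that scores a message against the sender domains, subject lines, body phrases and attachment name/extension pairs listed above. The attachment pair carries most of the weight because the other fields are generic on their own. The sample messages, the weights and the threshold are constructed assumptions.

```python
"""Mail-gateway style screen for the Win32.Mydoom.U@mm message format.
Added example; indicator lists are taken from the description, the
scoring weights, threshold and sample messages are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator lists copied from the description (lower-cased for matching).
SUBJECTS = {"re:my .....", "re:test", "status", "server report",
            "mail transaction failed", "mail delivery system",
            "hello", "hi", "msg", "information"}
ATTACH_NAMES = {"body", "message", "test", "data", "file", "text",
                "doc", "readme", "document"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
SPOOFED_DOMAINS = {"msn.com", "yahoo.com", "hotmail.com"}
# Body substrings shared by several of the listed body lines.
BODY_PHRASES = ("check the attachment", "mail transaction failed",
                "no virusses found", "partial message is available",
                "come back my friend", "attachment for more information")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachment: Optional[str]   # attachment filename, or None


def attachment_matches(filename: Optional[str]) -> bool:
    """True when the attachment is a listed base name with a listed extension."""
    if not filename:
        return False
    m = re.fullmatch(r"([A-Za-z]+)\.([A-Za-z]+)", filename.strip())
    if not m:
        return False
    name, ext = m.group(1).lower(), m.group(2).lower()
    return name in ATTACH_NAMES and ext in ATTACH_EXTS


def sender_domain(sender: str) -> str:
    """Domain part of a From header, handling 'Name <addr>' form."""
    addr = sender
    m = re.search(r"<([^>]+)>", sender)
    if m:
        addr = m.group(1)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score(msg: Message) -> Tuple[int, List[str]]:
    """Score one message; returns (score, reasons). Weights are assumptions."""
    reasons, s = [], 0
    if attachment_matches(msg.attachment):
        s += 3
        reasons.append("attachment name/extension pair")
    if msg.subject.strip().lower() in SUBJECTS:
        s += 1
        reasons.append("known subject line")
    if any(p in msg.body.lower() for p in BODY_PHRASES):
        s += 1
        reasons.append("known body phrase")
    if sender_domain(msg.sender) in SPOOFED_DOMAINS:
        s += 1
        reasons.append("commonly spoofed sender domain")
    return s, reasons


def is_suspect(msg: Message, threshold: int = 4) -> bool:
    """Attachment pair plus at least one other indicator trips the threshold."""
    return score(msg)[0] >= threshold


def triage(msgs: List[Message]) -> List[bool]:
    return [is_suspect(m) for m in msgs]


# Constructed sample messages (not real traffic).
SAMPLES = [
    Message("someone@hotmail.com", "Mail Transaction Failed",
            "Mail transaction failed. Partial message is available.", "message.scr"),
    Message("alice@example.org", "hi", "hello :)", None),
    Message("bob@yahoo.com", "Quarterly report", "See attached spreadsheet.", "report.zip"),
    Message("Mailer-Daemon <mailer-daemon@msn.com>", "Server Report",
            "The attachment contains the report.", "document.zip"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(is_suspect(m), score(m))
```

Only the first and last samples are flagged: a bare "hi" from a webmail domain, or a zip with an unlisted name, is not enough on its own, which keeps the rule from quarantining ordinary mail.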

Once the virus is run, it does the following:

1. Creates mutex "EnD-Of-SkyNet" in order to have only one presence in memory.
2. Creates a new thread that writes a file named Message (approximately 4 KB) containing binary junk to the TEMP folder and opens it in Notepad. When Notepad is closed, the thread exits and the file Message is deleted.
3. Creates the file Nemog.dll in %SYSTEM% and registers it under [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
4. Creates a copy of the virus in %SYSTEM% folder as tasker.exe
5. Creates the registry key

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Task"="%SYSTEM%\tasker.exe"

so that the virus will be run at startup
6. Checks whether the computer is connected to the internet by contacting www.microsoft.com approximately every half minute
7. Retrieves the Kazaa download folder and creates copies of the virus there, constructing the filename from one of:

XXX Pictures, XXX Videos, xbox emulator, ps2 emulator, Hotmail hacker, yahoo hacker, klez, SoBig, mydoom, netsky, Vahos, Upload, crack, Winzip, kazz, Wenrar, mirc, cleaner, SeX, Vaho, Fixtool

and extensions:

bat, pif, scr, exe

8. Starts harvesting for e-mail addresses in files matching:

wab, pl, adb, tbb, dbx, asp, php, sht, htm

and also in default WAB file

9. Uses its own SMTP engine to send itself, using the previously described format, but avoids sending to e-mail addresses containing:

syma, icrosof, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo.
unix, math, bsd, mit.e, gnu, fsf., ibm.com, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, acketst, pgp, tanford.e, utgers.ed, mozilla
root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page
icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun
avp, abuse, secur, spam, www, spm

10. Has backdoor capabilities: Nemog.dll opens port 5422 and listens for commands

11. May open a http proxy on port 80
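Steps 1 to 5, 10 and 11 give a host-side footprint that can be checked from artefacts collected during response. The following is an added example (not BitDefender's code): a Python script that looks for the Run-key value launching tasker.exe, the CLSID registration of Nemog.dll, the dropped files in the system folder, and a listener on port 5422, reading text exports (a .reg export, a directory listing, netstat -an output) so it runs offline. The exports below are constructed; the InProcServer32 subkey under the CLSID is an assumption, since the description names only the CLSID itself.

```python
"""Host indicator check for Win32.Mydoom.U@mm from collected text exports.
Added example; the registry export, file list and netstat lines are
constructed, and the InProcServer32 subkey layout is an assumption."""
from typing import Dict, List, Tuple

CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = {"tasker.exe", "nemog.dll"}
BACKDOOR_PORT = 5422
PROXY_PORT = 80   # weak on its own: many legitimate web servers listen here


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key: {value_name: data}}.
    Only string values in "name"="data" or @="data" form are needed here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '"@':
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes as \\ inside string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def run_key_findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run-key values whose command ends in tasker.exe (value name "Task" per the description)."""
    hits = []
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():
            hits += [(n, d) for n, d in values.items()
                     if d.lower().rstrip().endswith("tasker.exe")]
    return hits


def clsid_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Keys at or below the CLSID the worm registers Nemog.dll under."""
    prefix = CLSID_KEY.lower()
    return [k for k in keys if k.lower() == prefix or k.lower().startswith(prefix + "\\")]


def dropped_file_findings(system_dir_listing: List[str]) -> List[str]:
    return sorted(f for f in system_dir_listing if f.lower() in DROPPED_FILES)


def listener_findings(netstat_lines: List[str]) -> Dict[int, str]:
    """TCP LISTENING sockets on the backdoor or proxy port, keyed by port."""
    found = {}
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1].upper() == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in (BACKDOOR_PORT, PROXY_PORT):
                found[port] = line.strip()
    return found


def assess(reg_text: str, system_dir_listing: List[str], netstat_lines: List[str]) -> dict:
    keys = parse_reg(reg_text)
    report = {"run_key": run_key_findings(keys), "clsid": clsid_findings(keys),
              "files": dropped_file_findings(system_dir_listing),
              "listeners": listener_findings(netstat_lines)}
    # Port 80 is reported but does not count towards the verdict.
    strong = sum([bool(report["run_key"]), bool(report["clsid"]),
                  bool(report["files"]), BACKDOOR_PORT in report["listeners"]])
    report["verdict"] = "infected-likely" if strong >= 2 else ("review" if strong == 1 else "clean")
    return report


# Constructed artefacts from a hypothetical infected host.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Task"="C:\\WINDOWS\\system32\\tasker.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\Nemog.dll"
'''
SYSTEM_DIR = ["kernel32.dll", "Nemog.dll", "notepad.exe", "tasker.exe"]
NETSTAT = ["  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
           "  TCP    0.0.0.0:5422    0.0.0.0:0    LISTENING",
           "  TCP    0.0.0.0:80      0.0.0.0:0    LISTENING",
           "  TCP    10.0.0.5:49712  10.0.0.9:443 ESTABLISHED"]

if __name__ == "__main__":
    print(assess(REG_EXPORT, SYSTEM_DIR, NETSTAT))
```

The mutex name "EnD-Of-SkyNet" from step 1 is a further live-host indicator, but it needs handle enumeration on the running machine rather than a text export, so it is left out of the offline check.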

Last update 21 November 2011
