WORM_MYDOOM.GEN

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This worm may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\java.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following component file(s):

• %Windows%\services.exe - also detected as WORM_MYDOOM.GEN

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
JavaVM = "%Windows%\java.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Services = "%Windows%\services.exe"

Other System Modifications

This worm adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Daemon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Daemon

Propagation

This worm gathers target email addresses from files with the following extensions:

• .doc
• .txt
• .htm
• .html

It avoids sending email messages to addresses containing the following strings:

• mailer-d
• abuse
• master
• sample
• accoun
• privacycertific
• listserv
• submit
• ntivi
• support
• admin
• the.bat
• gold-certs
• feste
• rating
• someone
• anyone
• nothing
• nobody
• noone
• winrar
• winzip
• rarsoft
• sf.net
• sourceforge
• ripe.
• arin.
• google
• gmail
• seclist
• secur
• foo.com
• trend
• update
• uslis
• domain
• example
• sophos
• yahoo
• spersk
• panda
• hotmail
• msdn.
• microsoft
• sarc.

NOTES:

The email message it sends out may have the following characteristics: From:

• postmaster@{target domain}
• MAILER-DAEMON@{target domain}
• noreply@{target domain}

It uses the following display names:

• Postmaster
• Mail Administrator
• Automatic Email Delivery Software
• Post Office
• The Post Office
• Bounced mail
• Returned mail;
• MAILER-DAEMON
• Mail Delivery Subsystem

Subject:

• hello
• error
• status
• report
• delivery failed
• Message could not be delivered
• Mail System Error - Returned Mail
• Delivery reports about your e-mail
• Returned mail: see transcript for details
• Returned mail: Data format error

Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to
{inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|
huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent
v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file}
|}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:
Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}

Attachment:
It attaches a copy of itself in a .ZIP file. It may use the target email address name as the filename of the attachment, or any of the following:

• readme
• instruction
• transcript
• letter
• attachment
• document
• message

And may have the following extension:

• .cmd
• .bat
• .com
• .exe
• .pif
• .scr

This worm queries from the following search engines to harvest email addresses from the results of the queries:

• http://search.lycos.com
• http://search.yahoo.com
• http://www.altavista.com
• http://www.google.com

It will also harvest email addresses from any active Outlook window on the affected machine.

This worm may also attempts to download a possibly malicious file from a possibly malicious web site.