Worm.Win32.MYDOOM.AG

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It gathers target email addresses from the Windows Address Book (WAB).

Arrival Details

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops the following copies of itself into the affected system:

• %Windows%\java.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It drops the following files:

• %Windows%\services.exe → detected as BKDR_MYDOOM.MUS
• %User Temp%\zincite.log
• %User Temp%\{Random}.log → either a zip file used as email attachment, or copy of itself.

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run → autostart mechanism for the main executable
JavaVM = %Windows%\java.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run → autostart mechanism for dropped component file
Services = %Windows%\services.exe

Other System Modifications

This Worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Daemon

HKEY_CURRENT_USER\Software\Microsoft\
Daemon

Propagation

This Worm gathers target email addresses from files with the following extensions:

• .pl
• .asp
• .sht
• .adb
• .dbx
• .wab
• .ph
• .tx
• .ht

It gathers target email addresses from the Windows Address Book (WAB).

It avoids sending email messages to addresses containing the following strings:

• mailer-d
• spam
• abuse
• master
• sample
• accoun
• privacycertific
• bugs
• listserv
• submit
• ntivi
• support
• admin
• page
• the.bat
• gold-certs
• feste
• not
• help
• foo
• soft
• site
• rating
• you
• your
• someone
• anyone
• nothing
• nobody
• noone
• info
• winrar
• winzip
• rarsoft
• sf.net
• sourceforge
• ripe.
• arin.
• google
• gnu.
• gmail
• seclist
• secur
• bar.
• foo.com
• trend
• update
• uslis
• domain
• example
• sophos
• yahoo
• spersk
• panda
• hotmail
• msn.
• msdn.
• microsoft
• sarc.
• syma
• avp

Information Theft

This Worm gathers the following data:

• Host Name

Other Details

This Worm does the following:

• The email message it sends out may have the following characteristics:
  • From:
  • postmaster@{target domain}
  • MAILER-DAEMON@{target domain}
  • noreply@{target domain}
  • It uses the following display names:
  • Postmaster
  • Mail Administrator
  • Automatic Email Delivery Software
  • Post Office
  • The Post Office
  • Bounced mail
  • Returned mail
  • MAILER-DAEMON
  • Mail Delivery Subsystem
  • Subject:
  • hello
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
  • Body:

  Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
  {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
  {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
  {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
  {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
  {$T {user |technical |}support team.|The $T {support |}team.}
  
  {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
  Your message {was not|could not be} delivered because the destination {computer|server} was
  {not |un}reachable within the allowed queue period. The amount of time
  a message is queued before it is returned depends on local configura-
  tion parameters.
  Most likely there is a network problem that prevented delivery, but
  it is also possible that the computer is turned off, or does not
  have a mail system running right now.
  
  Your message {was not|could not be} delivered within $D days:
  {{{Mail s|S}erver}|Host} $i is not responding.
  The following recipients {did|could} not receive this message:
  <$t>
  Please reply to postmaster@{$F|$T}
  if you feel this message to be in error.
  The original message was received at $w{
  | }from {$F [$i]|{$i|[$i]}}
  ----- The following addresses had permanent fatal errors -----
  {<$t>|$t}
  {----- Transcript of {the ||}session follows -----
  ... while talking to {host |{mail |}server ||||}{$T.|$i}:
  {>>> MAIL F{rom|ROM}:$f
  <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
  554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
  Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
  <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
  {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
  |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
  |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
  |}<<< 400}|}
  The original message was included as attachment
  
  {{The|Your} m|M}essage could not be delivered

• It attaches a copy of itself in a .ZIP file. It may use the target email address name as the filename of the attachment, or any of the following:
  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
• The copy of itself in the attachment may have the following extension:
  • .cmd
  • .bat
  • .com
  • .exe
  • .pif
  • .scr
• The copy of itself in the attachment may have the following fake extension:
  • .doc
  • .txt
  • .htm
  • .html
• It connects to the following URL/search engines to harvest email addresses from the results of the queries:
  • http://{BLOCKED}h.lycos.com/default.asp?{BLOCKED}loc=searchhp&tab=web&query=%s
  • http://www.{BLOCKED}sta.com/web/results?q={BLOCKED}0&kls=0
  • http://{BLOCKED}h.yahoo.com/search?p=%s&ei=UTF-8&fr=fp{BLOCKED}b-t&cop=mss&tab=
  • http://www.{BLOCKED}e.com/search?{BLOCKED}e=UTF-8&oe=UTF-8&q=%s