Email-Worm.Win32.Mydoom.m

Technical Details

I-Worm.Mydoom.m spreads via the Internet as an attachment to infected messages.


The worm itself is a Windows PE EXE file approximately 27KB in size, packed using UPX. The unpacked file is approximately 50KB in size.


The worm is only activated when a user opens the attachment (or the ZIP archive containing it) and launches the infected file by double-clicking on it. The worm will then install itself on the system and begin propagating.


The worm contains a backdoor function.


Part of the body of the worm is encrypted.


Installation


When installing, the worm copies itself as 'java.exe' to the Windows root directory and registers this file in the system registry so that it is launched each time the infected system is booted:


[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  JavaVM = %windir%\java.exe


The worm also creates a file named 'services.exe', 8192 bytes in size, in the Windows root directory. This file is an additional component and is registered under the same Run keys in the system registry:


[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  Services = %windir%\services.exe

Mailing messages


The worm searches the victim machine for email addresses to harvest and then sends itself to these addresses using its own SMTP engine, connecting directly to the mail server of each recipient's domain rather than going through the local mail client.


It also harvests additional addresses by submitting queries to the following search engines:

Google
Lycos
Altavista
Yahoo
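
Because the worm delivers mail directly to each recipient's mail server, an infected workstation shows up in perimeter logs as a client fanning out to many distinct external hosts on TCP port 25, something an ordinary desktop that hands mail to the site relay never does. The following detection script is an added example and is not part of the original page or the worm itself; the log format, the relay address 10.0.0.2 and the threshold of five distinct destinations are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not taken from the page or any real
# capture). 10.0.0.5 behaves like a mass-mailer talking to six different
# external mail servers, 10.0.0.7 only submits mail through the site relay
# and 10.0.0.9 is just browsing over HTTPS.
SAMPLE_LOG = """\
2004-07-26T09:41:12 action=allow src=10.0.0.5 dst=198.51.100.20 dport=25 proto=tcp
2004-07-26T09:41:13 action=allow src=10.0.0.5 dst=198.51.100.21 dport=25 proto=tcp
2004-07-26T09:41:13 action=allow src=10.0.0.5 dst=203.0.113.5 dport=25 proto=tcp
2004-07-26T09:41:14 action=allow src=10.0.0.5 dst=203.0.113.6 dport=25 proto=tcp
2004-07-26T09:41:14 action=allow src=10.0.0.5 dst=203.0.113.7 dport=25 proto=tcp
2004-07-26T09:41:15 action=allow src=10.0.0.5 dst=198.51.100.20 dport=25 proto=tcp
2004-07-26T09:41:15 action=allow src=10.0.0.5 dst=203.0.113.8 dport=25 proto=tcp
2004-07-26T09:42:01 action=allow src=10.0.0.7 dst=10.0.0.2 dport=25 proto=tcp
2004-07-26T09:42:05 action=allow src=10.0.0.7 dst=10.0.0.2 dport=25 proto=tcp
2004-07-26T09:42:09 action=allow src=10.0.0.9 dst=198.51.100.80 dport=443 proto=tcp
"""

# Assumption: the organisation's only legitimate outbound mail relay.
ALLOWED_RELAYS = {"10.0.0.2"}

# Field layout is an assumption about the (constructed) log format.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_log(text):
    """Yield (src, dst, dport) for every line carrying the three fields."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def smtp_fanout(text, relays=ALLOWED_RELAYS):
    """Count distinct non-relay SMTP destinations per source host.

    Repeated connections to the same server are counted once, so a host
    retrying one legitimate server does not look like a mass-mailer.
    """
    fanout = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == 25 and dst not in relays:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}


def flag_mass_mailers(text, threshold=5, relays=ALLOWED_RELAYS):
    """Return the source hosts whose SMTP fan-out reaches the threshold."""
    return sorted(src for src, n in smtp_fanout(text, relays).items() if n >= threshold)


if __name__ == "__main__":
    for host in flag_mass_mailers(SAMPLE_LOG):
        print("possible mass-mailer:", host, "distinct SMTP destinations:",
              smtp_fanout(SAMPLE_LOG)[host])
```

The same idea is usually enforced rather than only detected: blocking outbound TCP/25 from workstations at the perimeter, except from the mail relay, stops this propagation method regardless of which worm variant is running.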

Infected messages


Sender's address (either chosen from the list below or spoofed):


MAILER-DAEMON
Mail Administrator
Automatic Email Delivery Software
Post Office
The Post Office
Bounced mail
Returned mail
Mail Delivery Subsystem

Message subject (chosen at random from the list below):


Message could not be delivered
hello
Hi
error
status
test
report
delivery failed
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
{{The|Your} m|M}essage could not be delivered
instruction

Message body (chosen at random from the list below):


The message body is generated from one of the templates below, so that no two messages need be identical. In the templates, {a|b|c} denotes a random choice between the alternatives (alternatives may be empty and the braces nest), and the $-placeholders are replaced with details of the target: as can be read from their use in the templates, $t is the recipient address, $T the recipient's domain, $f and $F a (spoofed) sender address and domain, $i a host or IP address, $d a digit, $D a number of days and $w a timestamp.


Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}


{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during { this|the {last|recent}} week.


{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.


{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.


{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {$T {user |technical |}support team.|The $T {support |}team.}


{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:


Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.


Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.


Your message {was not|could not be} delivered within $D days: {{{Mail s|S}erver}|Host} $i is not responding.


The following recipients {did|could} not receive this message: <$t>


Please reply to postmaster@{$F|$T} if you feel this message to be in error. The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}


----- The following addresses had permanent fatal errors ----- {<$t>|$t}


{----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{$T.|$i}: {>>> MAIL F{rom|ROM}:$f <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large} 554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:<$t> <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded|}<<< 400}|} The original message was included as attachment {{The|Your} m|M}essage could not be delivered


Attachment name:


The attachment name is generated at random.


Attachment extension (chosen at random from the list below):


cmd
bat
com
pif
scr
doc
exe

The worm may also be sent in the form of a ZIP archive.


Other


The backdoor component listens on TCP port 1034 in order to receive remote commands.