Win32/Mydoom [Threat Name] go to Threat

Win32/Mydoom.R [Threat Variant Name]

Category worm
Detection created Jul 26, 2004
Detection database version 822
Short description

Win32/Mydoom.R is a worm that spreads via e-mail. The file is run-time compressed using UPX .


Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • java.exe

The following file is dropped in the same folder:

  • services.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACCHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "JavaVM" = "%windir%\­java.exe"
    • "Services" = "%windir%\­services.exe"
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • adb
  • asp
  • dbx
  • ht*
  • ph*
  • pl*
  • sht
  • tbb
  • tx*
  • wab

The also searches for addresses using Google, Yahoo, Lycos, Altavista .


The worm contains a long list of strings.


Addresses containing some of them are avoided.


Subject of the message is one of the following:

  • Delivery reports about your e-mail
  • Mail System Error - Returned Mail
  • Message could not be delivered
  • Returned mail: Data format error
  • Returned mail: see transcript for details
  • delivery failed
  • error
  • hello
  • report
  • status
  • test

Win32/Mydoom.R can produce many different kinds of e-mail messages.


Some examples follow.


Example 1 :

Dear user of , Mail server admistration of  would like to inform you that: We have reveived reports that your e-mail account was used to send a huge amount of junk e-mail during the recent week. Most likely, your computer was infected by a recent virus and now runs a hidden proxy server. We recommend you to follow the instructions in the attached file in order to keep your computer safe. Best wishes  technical support team. Message 2:

Example 2 :

This message was not delivered due to the following reason: Your message was not delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message could not be delivered within  days: Mail server  is not responding. The followind recipients did not receive this message: Please reply to postmaster@ if you feel this message to be in error.

Example 3 :

The original message was received at 

The attachment is either an executable of the worm, or a ZIP archive containing it.


Its filename is one of the following:

  • attachment
  • document
  • file
  • instruction
  • letter
  • mail
  • message
  • readme
  • text
  • transcript

The filename has one of the following extensions:

  • bat
  • cmd
  • com
  • exe
  • pif
  • scr

Please enable Javascript to ensure correct displaying of this content and refresh this page.