Win32/Mydoom [Threat Name] go to Threat

Win32/Mydoom.CN [Threat Variant Name]

Category worm
Size 88064 B
Aliases Email-Worm.Win32.Mydoom.hx (Kaspersky)
  W32.Mydoom.A@mm (Symantec)
  Win32:Lmir-BK (Avast)
Short description

Win32/Mydoom.CN is a worm that spreads via e-mail.

Installation

When executed, the worm creates the following files:

  • %system%\­config\­SERVICES
  • %system%\­config\­SERVICES.LOG
  • %system%\­mstimer.dll (45056 B)
  • %system%\­wversion.exe (32768 B)

The worm registers itself as a system service using the following name:

  • Windows Timer Service

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mstimer]
    • "Description" = "Maintains date and time synchronization on all clients and server in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
    • "DisplayName" = "Windows Timer Service"
    • "ErrorControl" = 1
    • "ImagePath" = "%SystemRoot%\­system32\­svchost.exe -k mstimer"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 288
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mstimer\­Enum]
    • "0" = "Root\­LEGACY_MSTIMER\­0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mstimer\­Parameters]
    • "ServiceDll" = "%SystemRoot%\­system32\­mstimer.dll"
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .txt
  • .pl
  • .html
  • .htm
  • .sht
  • .jsp
  • .cgi
  • .xml
  • .php
  • .asp
  • .dbx
  • .tbb
  • .adb
  • .wab

The worm gathers e-mail addresses for further spreading by searching in the Windows Address Book (WAB).


Addresses containing the following strings are avoided:

  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
  • spm
  • spam
  • www
  • secur
  • abuse
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • avp
  • syma
  • icrosof
  • msn.
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.

Subject of the message is the following:

  • Memory Of...

Body of the message is the following:

  • last

The attachment is a/an RAR archive file containig an executable.


The name of the attached file is following:

  • memory.rar
Other information

The worm tries to download several files from the Internet.


The HTTP protocol is used.


These are stored in the following locations:

  • %system%\­config\­SERVICES
  • %system%\­config\­SERVICES.LOG
  • %temp%\­~AX%random%.tmp

The files are then executed.


The worm modifies the following file:

  • %windir%\­win.ini

The worm may create the following files:

  • ~SDSTY.bat
  • %temp%\­~AX%random%.tmp

Please enable Javascript to ensure correct displaying of this content and refresh this page.