Win32/Mydoom [Threat Name]

Win32/Mydoom.Q [Threat Variant Name]

Category: worm
Size: 21008 B

Short description

Win32/Mydoom.Q is a worm that spreads via e-mail and P2P networks. The file is run-time compressed using UPX.

When executed, the worm copies itself into the %windir% folder using the following name:

  • lsass.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • “Traybar” = “%WINDOWS%\lsass.exe”

The following Registry entries are created:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\POSIX
  • HKLM\Software\Microsoft\Windows\CurrentVersion\POSIX
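
The persistence and drop indicators above can be checked mechanically in an autorun export taken from a host. The script below is an added triage example written for this page, not ESET's code: it assumes the export has been turned into a list of records with `key`, `name` and `value` fields (a constructed shape), and relies on the fact that the genuine lsass.exe lives in `%windir%\System32`, so a file of that name directly in `%windir%` matches the worm's drop location rather than the real process image.

```python
import ntpath
import re

# Indicators taken from the threat description above.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Traybar"
DROP_NAME = "lsass.exe"
POSIX_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\POSIX",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\POSIX",
}

_ENV_WINDIR = re.compile(r"%(windir|windows|systemroot)%", re.IGNORECASE)


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %windir%, %WINDOWS% or %SystemRoot% to the concrete folder."""
    return _ENV_WINDIR.sub(lambda _m: windir, path)


def is_dropped_lsass(image_path, windir=r"C:\Windows"):
    """True when image_path is lsass.exe directly inside the Windows folder.

    The genuine lsass.exe lives in %windir%\\System32; a same-named file one
    level up matches the worm's drop location, not the real process image.
    """
    full = ntpath.normpath(expand_windir(image_path.strip().strip('"'), windir))
    head, tail = ntpath.split(full)
    return tail.lower() == DROP_NAME and head.lower() == ntpath.normpath(windir).lower()


def triage_autoruns(entries, windir=r"C:\Windows"):
    """Return (reason, entry) findings for the Mydoom.Q indicators.

    entries: dicts with 'key', 'name' and 'value' (value data for Run entries,
    empty strings for bare key presence); this record shape is assumed here.
    """
    posix_lower = {k.lower() for k in POSIX_KEYS}
    findings = []
    for entry in entries:
        key = entry.get("key", "").lower()
        name = entry.get("name", "")
        value = entry.get("value", "")
        if key == RUN_KEY.lower():
            if name.lower() == RUN_VALUE_NAME.lower():
                findings.append(("Run value named 'Traybar'", entry))
            if is_dropped_lsass(value, windir):
                findings.append(("Run value starts lsass.exe from %windir%", entry))
        elif key in posix_lower:
            findings.append(("POSIX marker key present", entry))
    return findings


# Constructed sample export: one worm-style entry, two benign ones, one marker key.
SAMPLE_AUTORUNS = [
    {"key": RUN_KEY, "name": "Traybar", "value": r"%WINDOWS%\lsass.exe"},
    {"key": RUN_KEY, "name": "ExampleTool", "value": r"%windir%\System32\example_tool.exe"},
    {"key": RUN_KEY, "name": "ExampleLsass", "value": r"C:\Windows\System32\lsass.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\POSIX", "name": "", "value": ""},
]

if __name__ == "__main__":
    for reason, entry in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"{reason}: {entry['key']} [{entry['name']}] = {entry['value']}")
```

Run against the constructed sample, the worm-style entry produces two findings (the value name and the drop path), the System32 copy of lsass.exe produces none, and the bare POSIX key produces one.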

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .doc
  • .htm
  • .txt

Addresses containing the following strings are avoided:

  • .gov
  • .mil
  • abus
  • accoun
  • admi
  • anyone
  • arin.
  • avp
  • bar.
  • bug
  • contact
  • crosoft
  • domain
  • example
  • feste
  • foo.
  • gmail
  • gnu.
  • gold-certs
  • google
  • gov.
  • help
  • hotmail
  • info
  • james
  • john
  • labs
  • listserv
  • master
  • math
  • microsoft
  • msn.
  • nobody
  • noone
  • not
  • nothing
  • ntivi
  • ophos
  • page
  • panda
  • privacycertific
  • rarsoft
  • rating
  • ripe.
  • root
  • sales
  • sample
  • sarc.
  • seclist
  • secur
  • service
  • site
  • soft
  • someone
  • sourceforge
  • spam
  • spersk
  • submit
  • suppor
  • syma
  • the.bat
  • update
  • uslis
  • winzip
  • you
  • your

Subject of the message is one of the following:

  • say helo to my litl friend
  • click me baby, one more time
  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body of the message is one of the following:

  • The original message was included as attachment
  • Message could not be delivered
  • This Message was undeliverable due to the following reason: Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
  • Your message was not delivered within {random value} days: Host {hostname of spoofed from address} is not responding. Please reply to postmaster {hostname of spoofed from address} if you feel this message to be in error.
  • The original message was received at {time} from {To address of message} The following recipients did not receive this message: {spoofed from address}
  • ----- The following addresses had permanent fatal errors ----- {to address of message} ----- Transcript of session follows ----- while talking to {hostname of To address}.: >>> MAIL From:{From address of message} <<< 501 {hostname of From address}... Refused
  • The original message was received at {time} from {From address of message} ----- The following addresses had permanent fatal errors -----

The attachment is an executable of the worm.

Its filename may be one of the following:

  • attachment
  • document
  • file
  • letter
  • mail
  • message
  • readme
  • text
  • transcript

The filename has one of the following extensions:

  • .bat
  • .cmd
  • .com
  • .exe
  • .pif
  • .scr
  • .zip
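
The attachment names and extensions above are a far more reliable signal than the subjects, many of which ("hi", "test", "report") occur in ordinary mail. The following mail-gateway style check is an added example written for this page, not ESET's code: it assumes each message has been reduced to a record with a `subject` and a list of attachment file names (a constructed shape), blocks a listed name with a directly executable extension, blocks a listed .zip only when the subject is also one of the listed bounce-style subjects, and otherwise only flags for review.

```python
import ntpath

# Lists taken from the threat description above.
ATTACHMENT_NAMES = {"attachment", "document", "file", "letter", "mail",
                    "message", "readme", "text", "transcript"}
EXEC_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}
ARCHIVE_EXTS = {".zip"}
SUBJECTS = {s.lower() for s in (
    "say helo to my litl friend", "click me baby, one more time", "hello",
    "hi", "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details",
    "Returned mail: Data format error",
)}


def split_attachment_name(filename):
    """Return (stem, ext) lower-cased, ignoring any directory part."""
    base = ntpath.basename(filename.replace("/", "\\"))
    stem, ext = ntpath.splitext(base)
    return stem.lower(), ext.lower()


def subject_matches(subject):
    """True if the subject is exactly one of the listed worm subjects."""
    return subject.strip().lower() in SUBJECTS


def classify_message(msg):
    """Return (verdict, matching attachment names) for one message.

    msg is a dict with 'subject' and 'attachments' (list of file names); this
    record shape is assumed here. Verdicts: 'block' for a listed name with a
    directly executable extension, or a listed .zip combined with a listed
    subject; 'review' for a listed .zip alone or a listed subject alone
    (the short subjects are too generic to block on); otherwise 'pass'.
    """
    subject_hit = subject_matches(msg.get("subject", ""))
    verdict, hits = "pass", []
    for name in msg.get("attachments", []):
        stem, ext = split_attachment_name(name)
        if stem not in ATTACHMENT_NAMES:
            continue
        if ext in EXEC_EXTS:
            hits.append(name)
            verdict = "block"
        elif ext in ARCHIVE_EXTS:
            hits.append(name)
            if verdict != "block":
                verdict = "block" if subject_hit else "review"
    if verdict == "pass" and subject_hit:
        verdict = "review"
    return verdict, hits


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Returned mail: see transcript for details", "attachments": ["transcript.zip"]},
    {"subject": "Quarterly numbers", "attachments": ["document.zip"]},
    {"subject": "hi", "attachments": ["FILE.SCR"]},
    {"subject": "hello", "attachments": []},
    {"subject": "Meeting", "attachments": ["agenda.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, hits = classify_message(m)
        print(f"{verdict:6} subject={m['subject']!r} hits={hits}")
```

On the constructed sample the verdicts are block, review, block, review and pass in that order; the matching is case-insensitive and ignores any path prefix, since the names in the list are given without either.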

Spreading via shared folders

The worm searches for various shared folders.

The executables of the worm are copied there using the following names:

  • index
  • Kazaa Lite
  • Harry Potter
  • ICQ 4 Lite
  • WinRAR.v.3.2.and.key
  • Winamp 5.0 (en) Crack
  • Winamp 5.0 (en)

The filenames have one of the following extensions:

  • .exe
  • .com
  • .scr
