Win32/Mydoom [Threat Name] go to Threat

Win32/Mydoom.Q [Threat Variant Name]

Category	worm
Size	21008 B
Detection created	Jul 19, 2004
Detection database version	1709

Short description

Win32/Mydoom.Q is a worm that spreads via e-mail and P2P networks. The file is run-time compressed using UPX .

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

lsass.exe

In order to be executed on every system start, the worm sets the following Registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“Traybar” = “%WINDOWS%\lsass.exe”

The following Registry entries are created:

HKCU\Software\Microsoft\Windows\CurrentVersion\POSIX
HKLM\Software\Microsoft\Windows\CurrentVersion\POSIX

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.doc
.htm
.txt

Addresses containing the following strings are avoided:

.gov
.mil
abus
accoun
admi
anyone
arin.
avp
bar.
bug
contact
crosoft
domain
example
feste
foo.
gmail
gnu.
gold-certs
google
gov.
help
hotmail
info
james
john
labs
listserv
master
math
microsoft
msn.
nobody
noone
not
nothing
ntivi
ophos
page
panda
privacycertific
rarsoft
rating
ripe.
root
sales
sample
sarc.
seclist
secur
service
sf.net
site
soft
someone
sourceforge
spam
spersk
submit
suppor
syma
the.bat
update
uslis
winzip
you
your

Subject of the message is one of the following:

say helo to my litl friend
click me baby, one more time
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

Body of the message is one of the following:

The original message was included as attachment Message could not be delivered This Message was undeliverable due to the following reason: Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within {random value} days: Host {hostname of spoofed from address} is not responding. Please reply to postmaster {hostname of spoofed from address} if you feel this message to be in error. The original message was received at {time} from {To address of message} The following recipients did not receive this message: {spoofed from address} ----- The following addresses had permanent fatal errors ----- {to address of message} ----- Transcript of session follows ----- while talking to {hostname of To address}.: >>> MAIL From:{From address of message} <<< 501 {hostname of From address}... Refused The original message was received at {time} from {From address of message} ----- The following addresses had permanent fatal errors -----

The attachment is an executable of the worm.

Its filename may be one of the following:

attachment
document
file
letter
mail
message
readme
text
transcript

The filename has one of the following extensions:

.bat
.cmd
.com
.exe
.pif
.scr
.zip

Spreading via shared folders

The worm searches for various shared folders.

The executables of the worm are copied there using the following names:

index
Kazaa Lite
Harry Potter
ICQ 4 Lite
WinRAR.v.3.2.and.key
Winamp 5.0 (en) Crack
Winamp 5.0 (en)

The filenames have one of the following extensions:

.exe
.com
.scr