Win32/Mydoom [Threat Name]
Win32/Mydoom.Q [Threat Variant Name]
Category | worm |
Size | 21008 B |
Short description
Win32/Mydoom.Q is a worm that spreads via e-mail and P2P file-sharing networks (by copying itself into shared folders). The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself into the %windir% folder using the following name:
- lsass.exe
The legitimate Local Security Authority Subsystem Service binary of the same name resides in %windir%\System32; an lsass.exe located directly in %windir% is the worm's copy.
In order to be executed on every system start, the worm sets the following Registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- “Traybar” = “%WINDOWS%\lsass.exe”
The following Registry entries are created:
- HKCU\Software\Microsoft\Windows\CurrentVersion\POSIX
- HKLM\Software\Microsoft\Windows\CurrentVersion\POSIX
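The following is an added triage example, not part of the original entry: it checks Run-key values and file paths against the installation indicators above (the "Traybar" value and an lsass.exe placed directly in %windir% rather than in %windir%\System32). The sample Run entries are constructed; on a live host you would feed it the output of `reg query` or a winreg enumeration, and the `windir` argument defaults to C:\WINDOWS as an assumption.

```python
# Added example (not from the threat entry): classify autorun entries and
# dropped-file paths against the Win32/Mydoom.Q installation indicators.
import ntpath

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAME = "lsass.exe"   # name the worm uses for its copy in %windir%
VALUE_NAME = "Traybar"       # Run value the worm creates


def expand_windir(path, windir):
    """Expand the %windir% / %WINDOWS% / %SystemRoot% placeholders that
    autorun data often carries, using the supplied Windows directory."""
    lowered = path.lower()
    for token in ("%windir%", "%windows%", "%systemroot%"):
        if lowered.startswith(token):
            return windir.rstrip("\\") + path[len(token):]
    return path


def lsass_path_is_suspicious(path, windir=r"C:\WINDOWS"):
    """The genuine lsass.exe lives in %windir%\\System32; Mydoom.Q drops its
    copy directly in %windir%, so an lsass.exe anywhere else is suspicious."""
    full = expand_windir(path, windir)
    if ntpath.basename(full).lower() != DROPPED_NAME:
        return False
    legit_dir = ntpath.join(windir, "System32").lower()
    return ntpath.dirname(full).lower() != legit_dir


def run_entry_is_suspicious(name, data, windir=r"C:\WINDOWS"):
    """Flag a Run value either by its name (Traybar) or because the command
    it launches is a misplaced lsass.exe."""
    if name.lower() == VALUE_NAME.lower():
        return True
    d = data.strip()
    # a quoted command line: take the executable between the quotes
    exe = d[1:].split('"', 1)[0] if d.startswith('"') else d
    return lsass_path_is_suspicious(exe, windir)


def scan_run_entries(entries, windir=r"C:\WINDOWS"):
    """entries: iterable of (value_name, data) pairs. Returns the hits."""
    return [(n, d) for n, d in entries if run_entry_is_suspicious(n, d, windir)]


# Constructed sample of a Run key on an infected host (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Traybar", r"%WINDOWS%\lsass.exe"),
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for value_name, data in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autorun: {RUN_KEY}\\{value_name} = {data}")
```

The path check is deliberately independent of the value name, so a renamed Run value that still launches %windir%\lsass.exe is caught; the two POSIX keys listed above are worth querying as a corroborating marker but are not, on their own, proof of infection.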
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- .doc
- .htm
- .txt
Addresses containing the following strings are avoided:
- .gov
- .mil
- abus
- accoun
- admi
- anyone
- arin.
- avp
- bar.
- bug
- contact
- crosoft
- domain
- example
- feste
- foo.
- gmail
- gnu.
- gold-certs
- gov.
- help
- hotmail
- info
- james
- john
- labs
- listserv
- master
- math
- microsoft
- msn.
- nobody
- noone
- not
- nothing
- ntivi
- ophos
- page
- panda
- privacycertific
- rarsoft
- rating
- ripe.
- root
- sales
- sample
- sarc.
- seclist
- secur
- service
- sf.net
- site
- soft
- someone
- sourceforge
- spam
- spersk
- submit
- suppor
- syma
- the.bat
- update
- uslis
- winzip
- you
- your
Subject of the message is one of the following:
- say helo to my litl friend
- click me baby, one more time
- hello
- hi
- error
- status
- test
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
Body of the message is one of the following:
The attachment is an executable of the worm.
Its filename may be one of the following:
- attachment
- document
- file
- letter
- message
- readme
- text
- transcript
The filename has one of the following extensions:
- .bat
- .cmd
- .com
- .exe
- .pif
- .scr
- .zip
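The following is an added mail-gateway example, not part of the original entry: it parses a raw message with Python's standard `email` module and matches the subject and attachment name against the lists above (subject list, filename stems, extensions). Both sample messages are constructed for the demonstration; the decision to require a subject hit and an attachment hit together is an assumption chosen to keep ordinary "hi" messages from being flagged.

```python
# Added example (not from the threat entry): match an inbound message against
# the Win32/Mydoom.Q e-mail indicators.
import email
from email import policy

SUBJECTS = {s.lower() for s in [
    "say helo to my litl friend", "click me baby, one more time", "hello", "hi",
    "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details",
    "Returned mail: Data format error",
]}
STEMS = {"attachment", "document", "file", "letter", "message",
         "readme", "text", "transcript"}
EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}


def attachment_matches(filename):
    """True if the name is <stem><ext> with both parts from the worm's lists.
    The comparison is case-insensitive."""
    if not filename:
        return False
    stem, dot, ext = filename.strip().lower().rpartition(".")
    return bool(dot) and "." + ext in EXTS and stem in STEMS


def message_indicators(raw_message):
    """Parse an RFC 822 message; return (subject_hit, [matching attachment names])."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject_hit = (msg.get("Subject") or "").strip().lower() in SUBJECTS
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_matches(name):
            hits.append(name)
    return subject_hit, hits


def is_mydoom_q_candidate(raw_message):
    """Flag only when both the subject and an attachment match (assumption:
    either indicator alone is too common to act on)."""
    subject_hit, hits = message_indicators(raw_message)
    return subject_hit and bool(hits)


# Constructed sample mimicking the worm's bounce-style lure (not a captured message).
SAMPLE_WORM_MAIL = """\
From: sender@example.com
To: target@example.org
Subject: Returned mail: Data format error
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as attachment.
--b1
Content-Type: application/octet-stream; name="transcript.zip"
Content-Disposition: attachment; filename="transcript.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message sharing one of the generic subjects.
SAMPLE_BENIGN_MAIL = """\
From: alice@example.com
To: bob@example.org
Subject: hi
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, message_indicators(raw), is_mydoom_q_candidate(raw))
```

Because the subject list contains one-word subjects such as "hi" and "test", a filter keyed on the subject alone would reject large amounts of legitimate mail; the attachment pattern (fixed stem plus executable or .zip extension) is the more specific indicator and should carry the decision.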
Spreading via shared folders
The worm searches for various shared folders.
The executables of the worm are copied there using the following names:
- index
- Kazaa Lite
- Harry Potter
- ICQ 4 Lite
- WinRAR.v.3.2.and.key
- Winamp 5.0 (en) Crack
- Winamp 5.0 (en)
The filenames have one of the following extensions:
- .exe
- .com
- .scr
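The following is an added share-scanning example, not part of the original entry: it walks a directory tree and reports files whose names combine one of the bait names above with one of the listed executable extensions, and additionally notes whether a hit has exactly the sample size from the Size field (21008 B). The directory layout built by `build_sample_share()` is constructed for the demonstration; on a real host you would point `find_bait_files()` at the P2P client's shared folder.

```python
# Added example (not from the threat entry): find bait-named executables that
# Win32/Mydoom.Q drops into shared folders.
import os
import tempfile

BAIT_STEMS = {"index", "kazaa lite", "harry potter", "icq 4 lite",
              "winrar.v.3.2.and.key", "winamp 5.0 (en) crack", "winamp 5.0 (en)"}
BAIT_EXTS = {".exe", ".com", ".scr"}
SAMPLE_SIZE = 21008  # size of the analysed sample (Size field of the entry)


def is_bait_name(filename):
    """Case-insensitive match of <bait stem><executable extension>."""
    stem, ext = os.path.splitext(filename)
    return ext.lower() in BAIT_EXTS and stem.lower() in BAIT_STEMS


def find_bait_files(root):
    """Return sorted [(path, size_matches_sample)] for every bait-named file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_bait_name(f):
                p = os.path.join(dirpath, f)
                hits.append((p, os.path.getsize(p) == SAMPLE_SIZE))
    return sorted(hits)


def build_sample_share():
    """Create a constructed shared folder: two bait names at the top level,
    one in a subfolder, plus benign files, and return its path."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "Kazaa Lite.exe": SAMPLE_SIZE,   # bait name, sample-sized
        "Harry Potter.scr": 2,           # bait name, different size
        os.path.join("music", "Winamp 5.0 (en) Crack.com"): 2,
        "index.html": 2,                 # bait stem, non-executable extension
        "notes.txt": 2,
    }
    for rel, size in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"MZ".ljust(size, b"\0"))  # placeholder bytes, not the worm
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, size_match in find_bait_files(share):
        print(f"bait file: {path} (sample size match: {size_match})")
```

The name match alone will also surface genuine user downloads that happen to use these titles, so the size flag (or, better, a hash of the file) is what distinguishes a worm copy from a coincidence.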