
F-Secure Malware Information Pages: Mydoom.M


Name: Mydoom.M
Alias: W32/Mydoom.M@mm, Mydoom.N, I-Worm.Mydoom.M, W32/Mydoom.L, W32/Mydoom.o@MM, I-Worm.Mydoom.R
Type: Worm
Category: Malware
Platform: Win32
Radar Alert Level: 2

Summary
Mydoom.M is a mass-mailing worm whose messages are disguised as mail system errors and automated spam warnings. To collect more addresses, Mydoom.M also queries web search engines such as Google and Yahoo. The worm carries a backdoor that listens on port 1034/TCP. This backdoor and the Zindos worm were used to carry out a Distributed Denial-of-Service (DDoS) attack against www.microsoft.com. More information on the Zindos worm has been posted to http://www.f-secure.com/v-descs/zindos.shtml

Disinfection

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Mydoom.M infection from the computer.

The Mydoom removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip

http://www.f-secure.com/tools/f-mydoom.zip


The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe

http://www.f-secure.com/tools/f-mydoom.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt

http://www.f-secure.com/tools/f-mydoom.txt


The JAR version is located at:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.jar

http://www.f-secure.com/tools/f-mydoom.jar

Detailed Description
Mydoom.M arrives in email as a packed executable. The worm is compressed with the UPX packer and appends random junk bytes to the end of its own file, so that each copy differs in size and hash and cannot be caught by a simple exact-file signature.

System Infection

When the worm's file is run, it copies itself as java.exe to the Windows folder and creates a startup key for this file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaVM" = "%WindowsDir%\java.exe"


The backdoor component is dropped to the Windows folder as services.exe and added to the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"services" = "%WindowsDir%\services.exe"


%WindowsDir% represents the Windows folder name, for example C:\Windows on Windows XP systems. Note that the dropped services.exe sits directly in this folder, not in the System32 subfolder where the legitimate Windows services.exe (the Service Control Manager) resides, and that the legitimate one is never started from a Run key.

Email Propagation

Mydoom.M collects email addresses from the Windows Address Book (WAB), from Temporary Internet Files and by scanning the hard drive. To collect even more addresses, Mydoom.M uses the Google, Yahoo, Lycos and AltaVista search engines: for each domain found in the addresses it has already harvested elsewhere (e.g. from the Address Book), the worm runs a search query for that domain and picks further addresses out of the results.

The infected e-mails Mydoom.M sends most often look like mail system error messages or other automated warnings.

Mydoom.M uses the following text strings as subjects for infected e-mails that it sends:

  • Returned mail: Data format error
  • Returned mail: see transcript for details
  • Delivery reports about your e-mail
  • Mail System Error - Returned Mail
  • Message could not be delivered
  • delivery failed
  • report
  • test
  • status
  • error
  • hi
  • hello

The message body is built from templates with randomly varying parts. For example:

Dear user yyy@XXX,

Your account was used to send a large amount of junk email during the last week. Most likely your computer had been infected by a recent virus and now contains a hidden proxy server.

Please follow instructions in order to keep your computer safe.

Best wishes,
XXX user support team.

Other messages may look like this:



Attachments use one of the following base names, with a CMD, BAT, COM, EXE, PIF or SCR extension:

  • message
  • document
  • attachment
  • text
  • file
  • letter
  • mail
  • transcript
  • instruction
  • readme

In some cases, when the worm targets specific domains, it sends a ZIP attachment that contains an executable file with a double extension, a document-like extension followed by an executable one, in the following name structure:
.{doc|txt|htm|html}.{com|exe|scr|pif}
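As an added illustration (not code from the F-Secure page), the following Python function turns the subject lines, attachment base names, extensions and the double-extension ZIP pattern listed above into a mail-gateway check. The sample messages at the bottom are constructed for this example. Requiring both a matching subject and a matching attachment is a design choice of the example, not something the page states: subjects such as "hi", "test" or "status" are far too common to alert on by themselves.

```python
import re
from typing import Dict, List, Optional

# Subject lines, attachment base names and extensions are those listed in the
# F-Secure description of Mydoom.M; everything else here is example code.
LURE_SUBJECTS = {s.lower() for s in (
    "Returned mail: Data format error",
    "Returned mail: see transcript for details",
    "Delivery reports about your e-mail",
    "Mail System Error - Returned Mail",
    "Message could not be delivered",
    "delivery failed", "report", "test", "status", "error", "hi", "hello",
)}
LURE_NAMES = {"message", "document", "attachment", "text", "file",
              "letter", "mail", "transcript", "instruction", "readme"}
EXEC_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr"}
# Name used inside the ZIP variant: <name>.{doc|txt|htm|html}.{com|exe|scr|pif}
DOUBLE_EXT = re.compile(r"\.(?:doc|txt|htm|html)\.(?:com|exe|scr|pif)$", re.I)


def classify_attachment(filename: str) -> Optional[str]:
    """Return why an attachment name matches a Mydoom.M pattern, or None."""
    name = filename.strip().lower()
    if DOUBLE_EXT.search(name):
        return "document-style double extension hiding an executable"
    base, dot, ext = name.rpartition(".")
    if dot and base in LURE_NAMES and ext in EXEC_EXTS:
        return f"lure base name '{base}' with executable extension .{ext}"
    return None


def check_message(subject: str, attachments: List[str],
                  zip_members: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return findings for one message; an empty list means it does not fit the worm.

    zip_members maps a ZIP attachment's file name to the names it contains
    (the gateway must have unpacked the archive; that part is not shown here).
    Both the subject and at least one attachment (or ZIP member) must match.
    """
    if subject.strip().lower() not in LURE_SUBJECTS:
        return []
    zip_members = zip_members or {}
    findings = []
    for att in attachments:
        reason = classify_attachment(att)
        if reason:
            findings.append(f"{att}: {reason}")
        for inner in zip_members.get(att, []):
            reason = classify_attachment(inner)
            if reason:
                findings.append(f"{att} -> {inner}: {reason}")
    return findings


# Constructed sample messages (not taken from the original page).
SAMPLES = [
    ("Mail System Error - Returned Mail", ["transcript.pif"], None),
    ("hi", ["holiday.jpg"], None),
    ("delivery failed", ["message.zip"], {"message.zip": ["readme.txt.exe"]}),
    ("Quarterly report", ["report.exe"], None),
]

if __name__ == "__main__":
    for subj, atts, zips in SAMPLES:
        print(repr(subj), "->", check_message(subj, atts, zips) or "clean")
```

The last sample shows the trade-off of the two-condition rule: "report.exe" under a non-listed subject is not reported here, although an executable attachment is worth blocking at the gateway on its own policy regardless of this worm.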

The worm ignores e-mail addresses that contain any of the following strings in the domain or account part:

  • avp
  • syma
  • sarc.
  • microsoft
  • msdn.
  • msn.
  • hotmail
  • panda
  • spersk
  • yahoo
  • sophos
  • example
  • domain
  • uslis
  • update
  • trend
  • foo.com
  • bar.
  • secur
  • seclist
  • gmail
  • gnu.
  • google
  • arin.
  • ripe.
  • sourceforge
  • sf.net
  • rarsoft
  • winzip
  • winrar
  • root
  • info
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • rating
  • site
  • soft
  • no
  • foo
  • help
  • not
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
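To make the target-selection logic concrete, here is an added Python example (not the worm's code and not from the original page) that applies the exclusion list above to a set of harvested addresses and groups the survivors by domain, which is the input the search-engine step described under Email Propagation works from. The page says an address is skipped if it "contains" one of the strings but does not say whether the worm tested the whole address or the account and domain parts separately, so the example does a case-insensitive substring match over the whole address; that and the harvested addresses themselves are assumptions of the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Exclusion strings as listed in the F-Secure description (in page order).
SKIP_SUBSTRINGS = (
    "avp", "syma", "sarc.", "microsoft", "msdn.", "msn.", "hotmail", "panda",
    "spersk", "yahoo", "sophos", "example", "domain", "uslis", "update", "trend",
    "foo.com", "bar.", "secur", "seclist", "gmail", "gnu.", "google", "arin.",
    "ripe.", "sourceforge", "sf.net", "rarsoft", "winzip", "winrar", "root",
    "info", "noone", "nobody", "nothing", "anyone", "someone", "your", "you",
    "me", "rating", "site", "soft", "no", "foo", "help", "not", "feste", "ca",
    "gold-certs", "the.bat", "page",
)


def skip_reason(address: str) -> Optional[str]:
    """Return the first exclusion string found in the address, or None.

    Assumption of this example: case-insensitive substring match over the
    whole address. Short tokens such as "ca", "me" and "no" therefore also
    drop ordinary addresses ("carol@..." is skipped because of "ca").
    """
    lowered = address.lower()
    for token in SKIP_SUBSTRINGS:
        if token in lowered:
            return token
    return None


def select_targets(harvested: Iterable[str]) -> Tuple[List[str], Counter, Dict[str, str]]:
    """Split harvested strings into (targets, domain -> count, skipped -> reason).

    The domain counter is what the worm's search-engine step needs: one query
    per domain it already knows, to find more accounts at that domain.
    """
    targets: List[str] = []
    domains: Counter = Counter()
    skipped: Dict[str, str] = {}
    for raw in harvested:
        addr = raw.strip()
        if addr.count("@") != 1:
            skipped[addr] = "not an address"
            continue
        hit = skip_reason(addr)
        if hit:
            skipped[addr] = hit
            continue
        targets.append(addr)
        domains[addr.split("@", 1)[1].lower()] += 1
    return targets, domains, skipped


# Constructed sample of "harvested" strings (not from the original page).
HARVESTED = [
    "alice@example.com",          # skipped: "example"
    "bob.smith@bluefin-labs.org",
    "carol@bluefin-labs.org",     # skipped: "ca" (collateral damage of substring match)
    "postmaster@sophos.com",      # skipped: "sophos" (AV vendor)
    "dave@bluefin-labs.org",
    "erin@tallpine-imports.net",
    "not-an-address",
    "support@microsoft.com",      # skipped: "microsoft"
]

if __name__ == "__main__":
    targets, domains, skipped = select_targets(HARVESTED)
    print("targets:", targets)
    print("domains to query:", dict(domains))
    print("skipped:", skipped)
```

Two practical consequences follow from the list: addresses at security vendors, Microsoft and large webmail providers never receive samples directly from an infected host, so vendor honeypot mailboxes see this worm only through relays and bounces; and the very short tokens mean the worm's effective target set is noticeably smaller than what it harvests.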

Backdoor

As confirmed by the discovery of the Zindos worm, the backdoor component is used as the first stage of the combined Mydoom.M + Zindos attack.

Mydoom.M drops a backdoor component that listens on port 1034/TCP. By connecting to this port, an attacker can upload and execute arbitrary files and retrieve the list of infected computers.

The backdoor also scans random IP addresses for an open 1034/TCP port and stores the addresses it finds in a list for later retrieval.
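For an incident responder, the Run-key entries under System Infection and the backdoor port above are the host indicators to check. The following Python example is added here and is not from the original page: it parses the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `netstat -ano` collected from a suspect machine and reports the Mydoom.M indicators. The two sample outputs in the code are constructed, and the SYN_SENT threshold used for the scanning check is an assumption of the example, not a figure from the page.

```python
import ntpath
import re
from typing import List

# Indicators taken from the F-Secure description: the two Run-key values the worm
# creates and the TCP port its backdoor listens on.
RUN_VALUE_IOCS = {"javavm": ("java.exe", "worm"), "services": ("services.exe", "backdoor")}
BACKDOOR_PORT = 1034
# Assumption of this example: this many half-open connections to remote port
# 1034 is treated as the backdoor scanning for other infected hosts.
SCAN_THRESHOLD = 3

REG_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+?):(\d+)\s+(\S+?):(\d+|\*)\s+(\w+)\s+(\d+)")


def check_run_key(reg_query_output: str) -> List[str]:
    """Flag Run values whose name and file name match the worm's persistence entries."""
    findings = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        name, _type, path = m.groups()
        ioc = RUN_VALUE_IOCS.get(name.lower())
        # Match on both the value name and the file name: the legitimate services.exe
        # lives in System32 and is never started from a Run key, so a Run value named
        # "services" pointing at a services.exe is itself the indicator.
        if ioc and ntpath.basename(path).lower() == ioc[0]:
            findings.append(f"Run value '{name}' = {path}: Mydoom.M {ioc[1]} persistence")
    return findings


def check_netstat(netstat_output: str) -> List[str]:
    """Flag a listener on the backdoor port and outbound scanning for that port."""
    findings = []
    syn_sent = 0
    for line in netstat_output.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        local_ip, local_port, _remote_ip, remote_port, state, pid = m.groups()
        if state == "LISTENING" and int(local_port) == BACKDOOR_PORT:
            findings.append(f"TCP {BACKDOOR_PORT} LISTENING on {local_ip} (PID {pid}): Mydoom.M backdoor")
        elif state == "SYN_SENT" and remote_port == str(BACKDOOR_PORT):
            syn_sent += 1
    if syn_sent >= SCAN_THRESHOLD:
        findings.append(f"{syn_sent} half-open connections to remote port {BACKDOOR_PORT}: "
                        "backdoor scanning for other infected hosts")
    return findings


def triage(reg_query_output: str, netstat_output: str) -> List[str]:
    return check_run_key(reg_query_output) + check_netstat(netstat_output)


# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# from an infected host (not from the original page).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM    REG_SZ    C:\WINDOWS\java.exe
    services    REG_SZ    C:\WINDOWS\services.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample of `netstat -ano` from the same host (not from the original page).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1612
  TCP    192.168.1.20:1045      203.0.113.7:1034       SYN_SENT        1612
  TCP    192.168.1.20:1046      198.51.100.44:1034     SYN_SENT        1612
  TCP    192.168.1.20:1047      203.0.113.199:1034     SYN_SENT        1612
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_QUERY, SAMPLE_NETSTAT):
        print(finding)
```

The PID reported for the 1034/TCP listener is the process to capture and kill before running the disinfection tool above; matching it against the PID of the SYN_SENT connections, as in the sample, ties the scanning to the same backdoor process.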




F-Secure Corporation

Last Modified: January 01, 2006