Virus Detail

Win32.Mydoom.A

Date Published:
26 Jan 2004

Last Updated:
12 Apr 2004

Threat Assessment

Overall Risk:   Critical
Wild:  High
Destructiveness:  High
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as: ZIP.Mydoom.A, W32/Mydoom@MM (McAfee), W32.Novarg.A@mm (Symantec), Win32/Shimg.Worm, Win32/Shimg.zip.Worm

Immediate Protection Info

Signature      Product
23.63.79       eTrust Antivirus v7/8* (InoculateIT Engine)
6.x/5180       eTrust EZ Antivirus 6.1x
23.63.79       eTrust InoculateIT 6.0, eTrust Antivirus 6.0
45.79          Inoculan/InoculateIT 4.x
11.2x/8111     Vet 11.2x
10.5x/5180     Vet Anti-Virus 10.5x
10.6x/8111     Vet Anti-Virus 10.6x
 
 

Description

Cleaning Utility Available: clnmydoom.zip, a utility that cleans a local machine affected by Win32.Mydoom.A and its variants, is available for download.

This utility may be especially useful for those who either do not use CA Antivirus solutions, or who may be using products based on older technology that does not support system cleaning. Please view the Removal Instructions for your CA Antivirus Solution (below) to ascertain whether you require the cleaning utility.

Warning: Before running ClnMydoom.com, please ensure that you carefully review the ReadMe.txt instruction file that accompanies this utility. 

--------------------

Win32.Mydoom.A is a worm spreading via e-mail and the Kazaa P2P file sharing network. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may be included in a ZIP archive.

Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension. The From address is 'spoofed'.

The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:

Error
hello
HELLO
hi
Hi
Mail Delivery System
Mail Transaction Failed
Server Report
Status

The Message Body may be selected from a list carried by the worm, may be empty, or may consist of randomly-generated, illegible garbage. Examples of Message Bodies used by the worm:

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:

Data
Readme
Message
Body
Text
file
doc
document

Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.
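The e-mail characteristics listed above (Subject list, Message Body list, attachment base names, executable extensions, optional .ZIP wrapper, 22,528-byte size) are enough to build a simple mail-gateway triage check. The following Python script is an added example written for this page, not code from the advisory or from CA; it uses only the standard library, scores one raw RFC 822 message against those indicators, looks inside a .ZIP attachment for an executable member, and constructs its own sample messages (the sample addresses and contents are constructed test data, not captured worm mail).

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Indicator lists copied from the advisory text; matching is case-insensitive.
MYDOOM_SUBJECTS = {"error", "hello", "hi", "mail delivery system",
                   "mail transaction failed", "server report", "status"}
MYDOOM_BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
}
MYDOOM_NAMES = {"data", "readme", "message", "body", "text", "file", "doc", "document"}
MYDOOM_EXTS = {".bat", ".cmd", ".pif", ".exe", ".scr"}
MYDOOM_SIZE = 22528  # size in bytes of the UPX-packed executable


def split_name(filename):
    """Return (basename, extension) lower-cased; extension includes the dot or is ''."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return base.lower(), "." + ext.lower()


def executable_candidates(filename, data):
    """Yield (basename, ext, size) for the attachment, or for every member of a ZIP attachment."""
    base, ext = split_name(filename)
    if ext != ".zip":
        yield base, ext, len(data)
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                b, e = split_name(info.filename)
                yield b, e, info.file_size
    except zipfile.BadZipFile:
        return  # corrupt or not really a ZIP: nothing to inspect


def score_message(raw_bytes):
    """Return the list of Mydoom.A indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body = " ".join(body_part.get_content().split()).lower()
        if body in MYDOOM_BODIES:
            hits.append("body")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        for base, ext, size in executable_candidates(part.get_filename() or "", data):
            if ext in MYDOOM_EXTS:
                hits.append("exe-extension")
                if base in MYDOOM_NAMES:
                    hits.append("known-name")
                if size == MYDOOM_SIZE:
                    hits.append("size-22528")
    return hits


def build_sample(subject, body, filename, data):
    """Construct a sample message for testing (constructed data, not a captured worm e-mail)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def make_zip(member_name, data):
    """Construct an in-memory ZIP holding one member, mirroring the worm's .ZIP delivery."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("Mail Delivery System",
                          "Mail transaction failed. Partial message is available.",
                          "document.pif", b"\x00" * MYDOOM_SIZE)
    print(score_message(sample))
```

To run it against a stored message, pass the file contents to `score_message(open("mail.eml", "rb").read())`. A single hit such as "subject" is weak on its own (the Subjects are ordinary words), so a quarantine rule should require the executable-extension hit together with at least one other indicator; the size check only applies to the bare executable, not to the ZIP wrapper.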


 

 

When performing its mass-mailing routine, the worm finds destination e-mail addresses by searching files with the following extensions:

adb
asp
dbx
htm
php
sht
tbb
txt
wab

The worm is coded to stop spreading on February 12, 2004 (it will stop sending e-mails and spreading through KaZaA). However, even if the worm is executed after this date, it will still drop shimgapi.dll and activate the backdoor.

Via P2P File Sharing

The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:

nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5

Possible extensions are:

bat
exe
pif
scr

Method of Installation

When executed, the worm copies itself to the %System% directory as taskmon.exe and modifies the registry so that it runs at the next system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows NT and 2000, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.

The worm also creates a file called SHIMGAPI.DLL in the %System% directory. The dropped DLL registers itself in the registry:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\shimgapi.dll"

When executed, the worm creates the mutex "SwebSipcSmtxS0" in order to make sure only one copy of the worm runs at a time.

When the worm is executed for the first time it creates the file "Message" in the user Temp folder and displays it using Notepad.

The worm also creates two registry keys, which it uses to recognise that it has previously been run on the current machine:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
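The four registry artefacts in this section (the TaskMon Run value, the hijacked InProcServer32 default value pointing at shimgapi.dll, and the two ComDlg32\Version marker keys) can be checked offline from a registry export. The Python script below is an added example for this page, not a CA tool: it parses the text format written by `reg export` (a `[KEY]` header followed by `"Name"="value"` lines, with `@` for the default value and backslashes doubled inside strings) and reports which indicators are present. The `SAMPLE_REG` text is constructed to look like an infected Windows XP host and is not a real export.

```python
import re

# Indicators quoted from the advisory. %System% varies per Windows version, so the
# check looks for the file name inside the value rather than a fixed path.
REG_INDICATORS = [
    ("run-key",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "TaskMon", "taskmon.exe"),
    ("clsid-hijack",
     r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32",
     "@", "shimgapi.dll"),
]
# Keys the worm creates only to remember that it has already run on this machine.
MARKER_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
]

_VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg(text):
    """Parse .reg export text into {key: {valuename: value}} with keys and names lower-cased.
    Only quoted string values are unescaped; other value types (dword:, hex:) are kept raw."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name = (m.group(1) or m.group(2)).lower()
                raw = m.group(3)
                if raw.startswith('"') and raw.endswith('"'):
                    raw = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = raw
    return keys


def find_mydoom_indicators(text):
    """Return [(label, detail)] for every Mydoom.A registry indicator found in the export."""
    keys = parse_reg(text)
    hits = []
    for label, key, name, needle in REG_INDICATORS:
        value = keys.get(key.lower(), {}).get(name.lower(), "")
        if needle in value.lower():
            hits.append((label, value))
    for key in MARKER_KEYS:
        if key.lower() in keys:
            hits.append(("run-marker", key))
    return hits


# Constructed sample export (not a real host); paths follow the XP default %System%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
'''

if __name__ == "__main__":
    for label, detail in find_mydoom_indicators(SAMPLE_REG):
        print(f"{label}: {detail}")
```

A real export is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16").read()` before passing it in. A hit on the Run value name alone should be confirmed by checking that the path points into %System% and that the file is the 22,528-byte UPX-packed executable described above; the InProcServer32 value is the stronger indicator, because a legitimate system never registers shimgapi.dll there.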

Payload

Backdoor Functionality

Win32.Mydoom.A listens on TCP port 3127 (if this port is already in use, the worm tries the next free port in the range 3128-3199). It acts as a SOCKS proxy, and can be used to redirect network traffic through the affected system. In addition, it supports a backdoor command that allows other programs to be uploaded and executed on the compromised system.
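Because the backdoor falls back to the next free port, a host check that looks only for a listener on 3127 will miss an infection on a machine where 3127 was already taken. The following Python snippet is an added example for this page (not a CA utility): it parses the output of `netstat -ano` on Windows, keeps only TCP sockets in the LISTENING state, and reports any that fall inside the 3127-3199 range together with the owning PID. The `SAMPLE_NETSTAT` text is constructed for illustration and does not come from a real host.

```python
# 3127 is tried first, then the next free port up to 3199; check the whole range.
MYDOOM_PORTS = range(3127, 3200)


def listening_tcp_ports(netstat_output):
    """Parse Windows `netstat -ano` output into [(port, pid)] for LISTENING TCP sockets.
    Header lines, UDP rows and non-listening TCP rows are skipped; if the PID column
    is absent (plain `netstat -an`), pid is None. Handles IPv4 and [::]:port forms."""
    rows = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        if state.upper() != "LISTENING":
            continue
        port = int(local.rpartition(":")[2])
        pid = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
        rows.append((port, pid))
    return rows


def suspicious_listeners(netstat_output):
    """Return the LISTENING TCP sockets whose port lies in the Mydoom.A backdoor range."""
    return [(port, pid) for port, pid in listening_tcp_ports(netstat_output)
            if port in MYDOOM_PORTS]


# Constructed sample output; the backdoor here landed on 3128 because 3127 was busy.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1728
  TCP    192.0.2.10:1043        192.0.2.25:445         ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for port, pid in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"TCP {port} listening, PID {pid}: check the owning process image")
```

A hit in this range is a lead, not a verdict: 3128 is also the conventional port for ordinary HTTP proxies, so map the PID to its executable (for example with `tasklist`) and confirm the image is taskmon.exe in %System% before cleaning.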

Denial of Service

The worm attempts to perform a Denial of Service attack against www.sco.com. The attack is timed to be performed between the 1st and 12th of February, 2004.
