
Virus Detail

Win32.Mydoom.N

Date Published:
19 Jul 2004

Last Updated:
13 Jun 2006

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as:  I-Worm.Mydoom.l (Kaspersky), ZIP.Mydoom.N, Win32Mydoom.N!ZIP, Win32/MyDoom.N.Worm, W32/Mydoom.n@MM (McAfee)

Immediate Protection Info

Signature    Product                                      Removal Instructions
23.65.78     eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8458    eTrust Antivirus v7/8* (Vet Engine)
6.1x/5607    eTrust EZ Antivirus 6.1x
6.2x/8458    eTrust EZ Antivirus 6.2x
47.78        Inoculan/InoculateIT 4.x
10.5x/5607   Vet Anti-Virus 10.5x
10.6x/8458   Vet Anti-Virus 10.6x

(No removal instructions are listed for this threat.)

Description

Win32.Mydoom.N is a worm that spreads via e-mail and file sharing.


Method of Infection

When executed, Mydoom.N copies itself to %Windows%\lsass.exe.


It then sets the following registry entry to ensure that this copy is executed at each Windows start:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Traybar = "%Windows%\lsass.exe"


Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default location of the Windows directory is C:\Winnt for Windows 2000 and NT, and C:\Windows for Windows 95, 98, ME and XP.


It also creates a mutex whose name is derived from the name of the local machine, and uses it to ensure that only one copy of the worm runs at a time.



Method of Distribution

Via E-mail

The worm searches all fixed drives for e-mail addresses in files with these extensions:
.adb*
.asp*
.dbx*
.ht*
.ph*
.pl*
.sht*
.tbb*
.tx*
.wab*


It ignores any address if the user name is one of these:


anyone
ca
contact
feste
gold-certs
help
info
me
no
nobody
noone
not
nothing
page
rating
root
service
site
soft
someone
the.bat
you
your


or if the user name contains one of these sub-strings:


abus
accoun
admi
bug
crosoft
listserv
master
ntivi
privacycertific
sample
spam
submit
suppor


or if the domain contains one of the following sub-strings:


.gov
.mil
arin.
avp
bar.
domain
example
foo.
gmail
gnu.
google
gov.
hotmail
labs
math
microsoft
msn.
ophos
panda
rarsoft
ripe.
sarc.
seclist
secur
sf.net
sourceforge
spersk
syma
update
uslis
winzip


The worm arrives attached to an e-mail with a variable Subject and Message Body. The attachment also uses variable names and file extensions.


The from address may be spoofed, using one of the following names:


"Postmaster"
"Mail Administrator"
"Automatic Email Delivery Software"
"Post Office"
"The Post Office"
"Bounced mail"
"Returned mail"
"MAILER-DAEMON"
"Mail Delivery Subsystem"


followed by one of these addresses:


noreply@(domain)
MAILER-DAEMON@(domain)
postmaster@(domain)


where (domain) is the domain of the recipient. For example:


"Automatic Email Delivery Software" <postmaster@test.com>


The Subject line may be randomly generated, or one of the following:


say helo to my litl friend
click me baby, one more time
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error


The message body may be randomly generated or one of the following:


The original message was received at (time)
from (recipient domain) [(random IP address)]


----- The following addresses had permanent fatal errors -----
<(recipient address)>


----------


The original message was received at (time)
from (recipient domain) [(random IP address)]


----- The following addresses had permanent fatal errors -----
<(recipient address)>


----- Transcript of session follows -----
  while talking to
(recipient address).:
>>> MAIL From:(recipient domain)
<<<501 (recipient domain)... Refused


----------


This Message was undeliverable due to the following reason:


Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.


Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.


Your message was not delivered within (random number) days:
Host
(random IP address) is not responding.


The following recipients did not receive this message:
<(recipient address)>


Please reply to postmaster@(recipient domain)
if you feel this message to be in error.


----------


Message could not be delivered


----------


The original message was included as attachment


----------


The Attachment file name may be randomly generated, or one of the following:


readme
transcript
mail
letter
file
text
attachment
document
message
(blank)


with one of these extensions:


scr
exe
com
pif
bat
cmd


The attachment name may also be the e-mail address of the recipient.


The attachment could also be inside a ZIP archive, and can have a "double extension": "doc", "txt", "htm" or "html", followed by many spaces, then the real extension.


Samples of e-mail generated by the worm were shown here as images (not reproduced).


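The message traits listed above (a sender spoofed as the recipient's own mail system, the fixed subject lines, the worm's attachment names, and the space-padded double extension) can be turned into gateway-side checks. The following Python is an added example and not part of the CA advisory; the Message class, the regular expressions and the two sample messages are constructed for illustration, and names inside a ZIP attachment are assumed to have been expanded by the caller.

```python
"""Gateway-side checks for the Win32.Mydoom.N message traits (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Indicator lists transcribed from the advisory text.
SPOOFED_DISPLAY_NAMES = {
    "Postmaster", "Mail Administrator", "Automatic Email Delivery Software",
    "Post Office", "The Post Office", "Bounced mail", "Returned mail",
    "MAILER-DAEMON", "Mail Delivery Subsystem",
}
SPOOFED_LOCAL_PARTS = {"noreply", "mailer-daemon", "postmaster"}
FIXED_SUBJECTS = {
    "say helo to my litl friend", "click me baby, one more time", "hello", "hi",
    "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
ATTACH_STEMS = {"readme", "transcript", "mail", "letter", "file", "text",
                "attachment", "document", "message", ""}   # "" is the (blank) case
EXEC_EXTS = r"(?:scr|exe|com|pif|bat|cmd)"
# "Double extension": a decoy extension, a run of spaces, then the real one.
DOUBLE_EXT_RE = re.compile(r"\.(?:doc|txt|htm|html)\s+\." + EXEC_EXTS + r"$", re.I)
EXEC_EXT_RE = re.compile(r"^(.*)\." + EXEC_EXTS + r"$", re.I)


@dataclass
class Message:
    """Constructed stand-in for a parsed message (hypothetical type)."""
    from_name: str
    from_addr: str
    to_addr: str
    subject: str
    attachments: List[str]


def attachment_reasons(name: str, recipient: str) -> List[str]:
    """Advisory traits matched by one attachment file name.

    Names inside a ZIP attachment are assumed to have been expanded by the caller.
    """
    reasons = []
    if DOUBLE_EXT_RE.search(name):
        reasons.append("double extension padded with spaces")
    m = EXEC_EXT_RE.match(name)
    if m:
        stem = m.group(1).strip().lower()
        if stem in ATTACH_STEMS:
            reasons.append(f"executable attachment with worm file name '{name}'")
        # Assumption: the recipient-address variant still carries an executable extension.
        elif stem == recipient.lower():
            reasons.append("executable attachment named after the recipient")
    return reasons


def message_reasons(msg: Message) -> List[str]:
    """All traits matched by a message; an empty list means nothing to flag."""
    reasons = []
    for name in msg.attachments:
        reasons.extend(attachment_reasons(name, msg.to_addr))
    if not reasons:
        # Without an executable, the bounce-style headers are ordinary MTA traffic.
        return []
    local, _, domain = msg.from_addr.lower().partition("@")
    _, _, rcpt_domain = msg.to_addr.lower().partition("@")
    if (msg.from_name in SPOOFED_DISPLAY_NAMES
            and local in SPOOFED_LOCAL_PARTS and domain == rcpt_domain):
        reasons.append("sender spoofed as the recipient's own mail system")
    if msg.subject.lower() in FIXED_SUBJECTS:
        reasons.append(f"known subject line '{msg.subject}'")
    return reasons


# Constructed samples: one worm-style message and one plausible genuine bounce.
SAMPLE_WORM = Message(
    from_name="Automatic Email Delivery Software",
    from_addr="postmaster@test.com",
    to_addr="user@test.com",
    subject="Returned mail: see transcript for details",
    attachments=["transcript.txt                    .scr"],
)
SAMPLE_BOUNCE = Message(
    from_name="Mail Delivery Subsystem",
    from_addr="MAILER-DAEMON@test.com",
    to_addr="user@test.com",
    subject="Returned mail: see transcript for details",
    attachments=["original.eml"],
)

if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_WORM), ("bounce", SAMPLE_BOUNCE)):
        print(label, message_reasons(sample))
```

The bounce-style headers are deliberately not a signal on their own: real mail systems do send from MAILER-DAEMON or postmaster at the recipient's domain, so the sender and subject checks only contribute once an executable attachment has already been found. The name and subject lists are exact matches and will not catch the randomly generated variants the advisory mentions; the double-extension pattern and the executable-extension check cover those.

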
Via File sharing

Mydoom.N attempts to make itself available through various file sharing methods by copying itself with enticing names into any directories whose names contain one of these strings:


shar
download
ftproot
incoming


It copies itself using file names generated by combining one of these:


Winamp 5.0 (en)
Winamp 5.0 (en) Crack
WinRAR.v.3.2.and.key
ICQ 4 Lite
Harry Potter
Kazaa Lite
index


followed by one of these:


.scr
.ShareReactor.com
.com
.exe



Payload

Limited Backdoor Functionality

Mydoom.N creates a backdoor, listening on TCP port 1042, which allows other files to be uploaded to the infected machine.
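
The host-side traits described under Method of Infection (the %Windows%\lsass.exe copy and the Traybar Run value), Via File sharing (bait file names in shared folders) and the backdoor paragraph above (TCP port 1042) can be checked against an inventory of Run values, files and listening ports. The following Python is an added example, not CA's code or tool; the inventory it inspects is constructed inline, and the statement that the genuine lsass.exe lives in %Windows%\System32 is a fact about Windows rather than something the advisory says.

```python
"""Host-side indicator checks for Win32.Mydoom.N (added example)."""
import ntpath
from typing import Dict, List

# Folder-name fragments and bait file names from the "Via File sharing" section.
SHARE_DIR_MARKERS = ("shar", "download", "ftproot", "incoming")
BAIT_STEMS = ("Winamp 5.0 (en)", "Winamp 5.0 (en) Crack", "WinRAR.v.3.2.and.key",
              "ICQ 4 Lite", "Harry Potter", "Kazaa Lite", "index")
BAIT_SUFFIXES = (".scr", ".ShareReactor.com", ".com", ".exe")
BAIT_NAMES = {(stem + suffix).lower() for stem in BAIT_STEMS for suffix in BAIT_SUFFIXES}
RUN_VALUE_NAME = "Traybar"
BACKDOOR_PORT = 1042


def lsass_outside_system32(path: str, windir: str) -> bool:
    """True for any lsass.exe that is not the genuine one in %Windows%\\System32.

    The worm drops its copy directly in %Windows%; the legitimate binary lives one
    level down, so the directory alone separates the two.
    """
    norm = ntpath.normpath(path).lower()
    legit = ntpath.normpath(ntpath.join(windir, "System32", "lsass.exe")).lower()
    return ntpath.basename(norm) == "lsass.exe" and norm != legit


def host_findings(run_values: Dict[str, str], files: List[str],
                  listening_tcp: List[int], windir: str = r"C:\Windows") -> List[str]:
    """Match a host inventory against the traits in the advisory.

    run_values: HKLM\\...\\CurrentVersion\\Run value names mapped to their data.
    files: file paths present on the host.  listening_tcp: TCP ports in LISTEN state.
    """
    findings = []
    for name, data in run_values.items():
        target = data.strip('"')
        if name.lower() == RUN_VALUE_NAME.lower() or lsass_outside_system32(target, windir):
            findings.append(f"Run value {name} = {data}")
    for path in files:
        if lsass_outside_system32(path, windir):
            findings.append(f"lsass.exe outside System32: {path}")
        folder = ntpath.dirname(path).lower()
        # The worm picks folders by substring, so "My Shared Folder" and "Downloads"
        # qualify; only the exact bait names are flagged to keep ordinary files out.
        if (any(marker in folder for marker in SHARE_DIR_MARKERS)
                and ntpath.basename(path).lower() in BAIT_NAMES):
            findings.append(f"bait copy in shared folder: {path}")
    if BACKDOOR_PORT in listening_tcp:
        findings.append(f"TCP port {BACKDOOR_PORT} listening (backdoor)")
    return findings


# Constructed inventory: an infected host would show every one of these.
SAMPLE_RUN = {
    "Traybar": r'"C:\Windows\lsass.exe"',
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
}
SAMPLE_FILES = [
    r"C:\Windows\lsass.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Winamp 5.0 (en) Crack.exe",
    r"C:\Inetpub\ftproot\Harry Potter.ShareReactor.com",
    r"C:\Program Files\Winamp\winamp.exe",
]
SAMPLE_PORTS = [135, 445, 1042]

if __name__ == "__main__":
    for line in host_findings(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_PORTS):
        print(line)
```

The path comparison is done with ntpath so the check runs the same way on an offline disk image or an exported inventory as on the host itself; pass the real Windows directory as windir on Windows NT/2000 systems, where it is C:\Winnt rather than C:\Windows. A listener on port 1042 by itself only says that something is bound there, so the port check is reported alongside the file and registry findings rather than on its own.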


Closes Windows

The worm attempts to close windows with these names:


rctrl_renwnd32
ATH_Note
IEFrame


Analysis by Hamish O'Dea


