Type: Worm
Category: Win32
Also known as:
I-Worm.Farex.a (Kaspersky), I-Worm.Mydoom.q (Kaspersky), W32.Mydoom.Q@mm (Symantec), W32/Mydoom.R@mm (F-Secure), Win32/Mydoom.S.Worm, W32/Mydoom.s@MM (McAfee), Win32/Mydoom.T (Eset)
Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 23.66.15 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/8523 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.1x/5669 | eTrust EZ Antivirus 6.1x | |
| 6.2x/8523 | eTrust EZ Antivirus 6.2x | |
| 10.5x/5669 | Vet Anti-Virus 10.5x | |
| 10.6x/8523 | Vet Anti-Virus 10.6x | |
Description
Win32.Mydoom.S is a worm that spreads via e-mail using its own SMTP engine. It also attempts to download and run a trojan from up to four different URLs. It has been distributed as a 27,136-byte, UPX-packed executable.
Method of Infection
When run, Mydoom.S makes two copies of itself:
%System%\winpsd.exe
%Windows%\rasor38a.dll
It then sets the following registry entry to ensure that the first copy is executed at each Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winpsd = "%System%\winpsd.exe"
If it is unable to set this value, it attempts to set this value instead:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpsd = "%System%\winpsd.exe"
Note: '%System%' and '%Windows%' are variable locations. The worm determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
The worm creates the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
It does not store any values in this key. It uses it only as a marker to recognise that it has run previously on the machine.
In order to avoid running multiple copies of itself at the same time, the worm creates a mutex called "43jfds93872".
Method of Distribution
Via E-mail
Mydoom.S sends itself in e-mail messages with the following format:
Subject:
photos
Body:
LOL!;))))
Attachment:
photos_arc.exe
The sender address is not spoofed. It is read from one of the following registry values:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\<Account>\SMTP Email Address
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\<Account>\SMTP Email Address
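A mail-gateway check for the template above, as an added example (it is not code from the original analysis or from CA). It parses a raw message with Python's email package, requires the photos_arc.exe attachment name, reports whether the subject and body also match, and returns the From address as the triage lead, because the worm does not spoof the sender: the From header of a received copy is the real SMTP address configured on the infected host. The function names, the choice to key on the attachment name, and the two sample messages are this example's constructions.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Message template indicators taken from the description above.
MYDOOM_S_SUBJECT = "photos"
MYDOOM_S_BODY = "LOL!;))))"
MYDOOM_S_ATTACHMENT = "photos_arc.exe"


def match_mydoom_s(raw: bytes) -> Optional[dict]:
    """Check one raw RFC 5322 message against the Mydoom.S mailing template.

    The attachment name is the required indicator; subject and body are
    reported as supporting evidence.  The worm does not spoof the sender,
    so the From header names the account on the infected host and is
    returned as the triage lead.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if MYDOOM_S_ATTACHMENT not in names:
        return None
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip() if text_part is not None else ""
    return {
        "infected_sender": str(msg.get("From", "")),
        "subject_match": (msg.get("Subject") or "").strip().lower() == MYDOOM_S_SUBJECT,
        "body_match": body == MYDOOM_S_BODY,
    }


def build_sample(sender: str, subject: str, body: str,
                 attachment: Optional[str]) -> bytes:
    """Construct a test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alice@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        # Constructed stand-in payload; only the file name matters to the check.
        m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: one in the worm's template, one benign.
WORM_MESSAGE = build_sample("victim@example.net", "photos", "LOL!;))))", "photos_arc.exe")
BENIGN_MESSAGE = build_sample("colleague@example.net", "photos", "see attached", "holiday.zip")

if __name__ == "__main__":
    print(match_mydoom_s(WORM_MESSAGE))    # finding, infected_sender victim@example.net
    print(match_mydoom_s(BENIGN_MESSAGE))  # None
```

Keying on the attachment name rather than the subject keeps the rule robust against a recipient who replies to or forwards the "photos" subject; the returned sender is the host to pull out of the network first.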

The worm searches files on the local machine for e-mail addresses to send to. It first searches the default Windows Address Book (WAB) file, then the folder containing Temporary Internet Files, then finally all files on all fixed disks. It checks any files with the following extensions:
txt
htm
sht
php
asp
dbx
tbb
adb
pl
wab
It avoids sending to any address whose domain contains one of the following strings:
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
It also avoids sending to any address whose user name (the part before the '@') contains one of the following strings:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
spm
spam
www
secur
abuse
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
abuse
upport
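The harvesting and filtering logic described above, reimplemented as an added example (it is not the worm's code, nor part of the original analysis) so the effect of the two avoid lists can be seen on realistic input. The address regex, case-insensitive substring matching, exact extension matching and first-occurrence de-duplication are this example's assumptions; the page says only that the lists are matched as substrings. The sample file content is constructed.

```python
import re
from typing import List, Optional

# Extension and avoid lists transcribed from the description above.
HARVEST_EXTENSIONS = {"txt", "htm", "sht", "php", "asp", "dbx", "tbb", "adb", "pl", "wab"}

AVOID_DOMAIN = (
    "berkeley", "unix", "math", "bsd", "mit.e", "gnu", "fsf.", "ibm.com", "google",
    "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed", "sendmail", "arin.",
    "ripe.", "isi.e", "isc.o", "secur", "acketst", "pgp", "tanford.e", "utgers.ed",
    "mozilla", "avp", "syma", "icrosof", "msn.", "hotmail", "panda", "sopho", "borlan",
    "inpris", "example", "mydomai", "nodomai", "ruslis", ".gov", "gov.", ".mil", "foo.",
)

AVOID_USER = (
    "root", "info", "samples", "postmaster", "webmaster", "noone", "nobody", "nothing",
    "anyone", "someone", "your", "you", "me", "bugs", "rating", "site", "contact", "soft",
    "no", "somebody", "privacy", "service", "help", "not", "submit", "feste", "ca",
    "gold-certs", "the.bat", "page", "spm", "spam", "www", "secur", "abuse", "admin",
    "icrosoft", "support", "ntivi", "unix", "bsd", "linux", "listserv", "certific",
    "google", "accoun", "upport",
)

# Assumed address syntax; the page does not describe the worm's own parser.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def wants_file(path: str) -> bool:
    """True if the worm would scan this file for addresses.

    Exact, case-insensitive extension matching is assumed; the page does not
    say whether, for instance, .html is matched by the 'htm' entry.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in HARVEST_EXTENSIONS


def harvest(text: str) -> List[str]:
    """Pull candidate addresses out of file content, in order of appearance."""
    return ADDRESS_RE.findall(text)


def skip_reason(address: str) -> Optional[str]:
    """Why the worm would not mail this address, or None if it is a target.

    Plain substring search, as the description states; lower-casing first
    (case-insensitive matching) is this example's assumption.
    """
    user, _, domain = address.lower().rpartition("@")
    for needle in AVOID_DOMAIN:
        if needle in domain:
            return f"domain contains {needle!r}"
    for needle in AVOID_USER:
        if needle in user:
            return f"user name contains {needle!r}"
    return None


def select_targets(addresses) -> List[str]:
    """De-duplicate (first occurrence wins) and drop everything the avoid lists catch."""
    seen, targets = set(), []
    for address in addresses:
        key = address.lower()
        if key in seen:
            continue
        seen.add(key)
        if skip_reason(key) is None:
            targets.append(key)
    return targets


# Constructed file content; not real mailboxes or captured data.
SAMPLE_TEXT = """\
From: james@contoso.test
Cc: bob@contoso.test, dana@contoso.test, Bob@contoso.test
Bcc: webmaster@contoso.test, rebecca@example.org, support@microsoft.com
"""

if __name__ == "__main__":
    if wants_file(r"C:\Temp\inbox.dbx"):
        for address in harvest(SAMPLE_TEXT):
            print(address, "->", skip_reason(address) or "TARGET")
        print("targets:", select_targets(harvest(SAMPLE_TEXT)))
```

Note how aggressive the user-name list is: two-letter entries such as "me", "no" and "ca" exclude any mailbox whose local part merely contains them (james, nora, rebecca), and the domain list keeps every copy away from security vendors, .gov and .mil, and example.* mailboxes. A decoy address meant to catch this worm therefore has to avoid every substring in both lists.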
Payload
Downloads and Executes Remote Files
Mydoom.S attempts to download from three different URLs on the domain www.richcolour.com, and one on zenandjuice.com, using HTTP (TCP port 80). If successful, the downloaded file is saved as %Windows%\winvpn32.exe and then executed. Once this has been done, the worm sets the following registry value as a marker so it doesn't attempt to download the file again:
HKCU\SOFTWARE\Microsoft\Internet Explorer\InstaledFlashhMX = 1
At the time the worm was first discovered, the file at these locations was a trojan called Win32.Gavvo.A.
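A host triage check covering the Method of Infection artifacts above (the two dropped copies, the winpsd Run value with its HKLM-to-HKCU fallback, the ComDlg32\Version marker key, the mutex) together with the Payload artifacts (%Windows%\winvpn32.exe and the InstaledFlashhMX marker), as an added example; it is not CA's removal tool and not code from the original analysis. evaluate() scores a snapshot dictionary so it runs anywhere; collect_snapshot() gathers that snapshot on a live Windows host through winreg and kernel32 (GetSystemDirectoryW, GetWindowsDirectoryW, OpenMutexW). The snapshot layout, the finding strings and the two sample snapshots are this example's constructions.

```python
import ctypes
import os
import sys
from typing import List

# Host indicators transcribed from the description above.
MUTEX_NAME = "43jfds93872"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winpsd"
MARKER_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version"
FLASH_SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer"
FLASH_VALUE = "InstaledFlashhMX"


def evaluate(snap: dict) -> List[str]:
    """Return findings for one host snapshot (from collect_snapshot or built by hand).
    snap keys: system_dir, windows_dir (str); files (set of lower-cased existing paths);
    run ({"HKLM"/"HKCU": {value_name: data}}); keys (set of "HIVE\\subkey" that exist);
    values ({("HIVE", subkey, value_name): data}); mutex (bool, mutex could be opened)."""
    sysd, wind = snap["system_dir"].lower(), snap["windows_dir"].lower()
    findings: List[str] = []
    for path, what in ((sysd + r"\winpsd.exe", "worm copy"),
                       (wind + r"\rasor38a.dll", "second worm copy"),
                       (wind + r"\winvpn32.exe", "downloaded trojan")):
        if path in snap["files"]:
            findings.append(f"{what} on disk: {path}")
    for hive in ("HKLM", "HKCU"):  # the worm tries HKLM first and falls back to HKCU
        data = snap["run"].get(hive, {}).get(RUN_VALUE)
        if data and data.lower().endswith(r"\winpsd.exe"):
            findings.append(f"{hive} Run\\{RUN_VALUE} -> {data}")
    if "HKLM\\" + MARKER_SUBKEY in snap["keys"]:  # key only, it carries no values
        findings.append("first-run marker key ComDlg32\\Version present")
    if snap["values"].get(("HKCU", FLASH_SUBKEY, FLASH_VALUE)) == 1:
        findings.append(f"download marker {FLASH_VALUE}=1: payload fetch succeeded")
    if snap["mutex"]:
        findings.append(f"mutex {MUTEX_NAME} open: worm process is running now")
    return findings


def _reg_value(winreg, root, subkey: str, name: str):
    """Read one registry value, or None if the key or value is absent."""
    try:
        with winreg.OpenKey(root, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def _mutex_exists(name: str) -> bool:
    """True if kernel32!OpenMutexW (SYNCHRONIZE access) can open the named mutex."""
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
    return bool(handle)


def collect_snapshot() -> dict:
    """Live collection on the local host; Windows only (winreg and kernel32)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; evaluate() works on any snapshot")
    import winreg
    buf = ctypes.create_unicode_buffer(260)
    ctypes.windll.kernel32.GetSystemDirectoryW(buf, 260)
    system_dir = buf.value
    ctypes.windll.kernel32.GetWindowsDirectoryW(buf, 260)
    windows_dir = buf.value
    candidates = (os.path.join(system_dir, "winpsd.exe"),
                  os.path.join(windows_dir, "rasor38a.dll"),
                  os.path.join(windows_dir, "winvpn32.exe"))
    run = {h: {RUN_VALUE: d} for h, root in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                                            ("HKCU", winreg.HKEY_CURRENT_USER))
           if (d := _reg_value(winreg, root, RUN_SUBKEY, RUN_VALUE)) is not None}
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKER_SUBKEY))
        keys = {"HKLM\\" + MARKER_SUBKEY}
    except OSError:
        keys = set()
    flash = _reg_value(winreg, winreg.HKEY_CURRENT_USER, FLASH_SUBKEY, FLASH_VALUE)
    return {"system_dir": system_dir, "windows_dir": windows_dir,
            "files": {p.lower() for p in candidates if os.path.exists(p)},
            "run": run, "keys": keys,
            "values": {} if flash is None else {("HKCU", FLASH_SUBKEY, FLASH_VALUE): flash},
            "mutex": _mutex_exists(MUTEX_NAME)}


# Constructed snapshots for offline use; not collected from real machines.
INFECTED = {"system_dir": r"C:\Windows\System32", "windows_dir": r"C:\Windows",
            "files": {r"c:\windows\system32\winpsd.exe", r"c:\windows\rasor38a.dll"},
            "run": {"HKCU": {"winpsd": r"C:\Windows\System32\winpsd.exe"}},
            "keys": {"HKLM\\" + MARKER_SUBKEY}, "values": {}, "mutex": True}
CLEAN = {"system_dir": r"C:\Windows\System32", "windows_dir": r"C:\Windows",
         "files": set(), "run": {}, "keys": set(), "values": {}, "mutex": False}

if __name__ == "__main__":
    for line in evaluate(collect_snapshot() if sys.platform == "win32" else INFECTED):
        print(line)
```

Run it as an administrator so that HKLM and %System% are readable. A Run value found only under HKCU matches the fallback described above (the worm could not write HKLM, typically because it ran without administrative rights). The mutex test is only meaningful on the live host and only while the worm process is running; the files, Run value and marker keys survive a reboot and are what to look for on a disk image.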
For additional information:
If the worm is run after 21:11:11 UTC (i.e. 9:11 PM and 11 seconds) on 20 August 2004, it immediately exits, so on a host whose clock is past that date the sample exits before installing or mailing itself.
Analysis by Hamish O'Dea