Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Mydoom.AO

Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Mydoom.AO carries out the following actions:

  • It affects Windows 2003/XP/2000/NT computers only.
  • It opens the TCP port 1034 and listens to it, acting as a backdoor.
  • It downloads a file called MODULELOG.PNG from the Internet. In fact, this file is not a PNG image, but an executable file belonging to the backdoor Bck/Surila.J.
  • It is programmed to close any active windows that belong to the following window classes:
    IEFrame (Internet Explorer windows).
    rctrl_renwnd.
    ATH_Note.
  • It registers itself as a Windows service.
  • It creates several execution threads. The second thread is launched after a random delay and runs at a priority that does not slow the computer down, so as not to raise the user's suspicions.

Infection strategy 

Mydoom.AO creates the following files in the Windows directory:

  • JAVA.EXE. This file is a copy of the worm.
  • SERVICES.EXE.

Mydoom.AO creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM = %windir%\java.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Services = %windir%\Services.exe

    where %windir% is the Windows directory.

    If it cannot create these entries, it attempts to create the following ones:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM = %windir%\java.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Services = %windir%\Services.exe

    By creating these entries, Mydoom.AO ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

    If it cannot create this entry, it attempts to create the following:

    HKEY_CURRENT_USER\Software\Microsoft\Daemon

    Mydoom.AO uses this entry as an infection mark, in order to check whether it has already affected the computer.

Means of transmission 

Mydoom.AO spreads via e-mail. It follows the routine below:

  • It reaches the computer in an e-mail message with variable characteristics:

    Sender:
    Mydoom.AO spoofs the e-mail address from which it is sent, so the apparent sender is not the real origin of the message. This may cause confusion.
    Additionally, it can also use any of the following texts as the fake sender:
    Automatic Email Delivery Software
    Bounced mail
    Mail Delivery Subsystem
    MAILER-DAEMON
    Post Office
    Returned mail
    The Post Office
    Mail Administrator
    Postmaster


    Subject: it can be one of the following:
    <blank>
    delivery failed
    Delivery reports about your e-mail
    error
    hello
    hi
    Mail System Error - Returned Mail
    Message could not be delivered
    report
    Returned mail: Data format error
    Returned mail: see transcript for details
    status
    test


    Message: any of the following:
    <blank>
    <random characters>
    The original message was included as attachment.
    It can also be a longer message, generated from one of four possible templates.
    Below you may find some examples of the e-mail messages generated using these templates:

    Example 1:
    The original message was received at %date and hour% from %domain% %domain IP address%
    ----- The following addresses had permanent fatal errors -----
    %e-mail address%

    Example 2:
    Dear user of %domain%,

    Your account has been used to send a huge amount of junk email during the last week.
    Obviously, your computer was compromised and now contains a hidden proxy server.

    We recommend you to follow our instructions in order to keep your computer safe.

    Virtually yours,

    %domain% user support team.

    Example 3:
    This message was not delivered due to the following reason:
    Your message could not be delivered because the destination server was
    not reachable within the allowed queue period. The amount of time
    a message is queued before it is returned depends on local configura-
    tion parameters.

    Most likely there is a network problem that prevented delivery, but
    it is also possible that the computer is turned off, or does not
    have a mail system running right now.

    Your message could not be delivered within 6 days:

    %domain IP address% is not responding.

    The following recipients did not receive this message:
    %e-mail address%

    Please reply to %e-mail address%
    if you feel this message to be in error.

    Example 4:
    Dear user of %domain%

    Your account has been used to send a large amount of unsolicited commercial e-mail messages during the last week.
    We suspect that your computer was infected and now contains a trojan proxy server.

    We recommend you to follow our instruction in order to keep your computer safe.

    Best wishes,

    %domain% user support team.

    End of message examples.


    Attachments: the file name is variable, and the extension is chosen from a list:
    Possible file names: it can be random, the recipient's e-mail address, the recipient's mail domain or one of the following: ATTACHMENT, DOCUMENT, FILE, INSTRUCTION, LETTER, MAIL, MESSAGE, README, TEXT, TRANSCRIPT.
    Possible extensions: BAT, CMD, COM, EXE, PIF, SCR, ZIP.

    If the attached file has a ZIP extension, it could even be compressed twice. Once decompressed, the file has a double extension, which consists of a first fake extension (DOC, HTM, HTML or TXT), multiple blank spaces and a final extension (BAT, CMD, COM, EXE, PIF, SCR).
  • The computer is affected when the attached file is run.
  • Mydoom.AO searches for e-mail addresses:

    - In the first 32 kilobytes of files that have the following extensions: ADB, ASP, DBX, DOC, HTM, HTML, SHT, TBB and TXT.

    - In the first 32 kilobytes of files whose extension begins with HT, PH or PL.

    - It runs intensive searches on popular web search engines, such as Google, Altavista, Yahoo and Lycos.


    Note: On some occasions, e-mail addresses are protected against spam harvesting by changing some of their characters to others not easily recognized by automated programs. For example, the address name@domain is written as name(at)domain, so that the address is hidden from web crawlers.
    However, Mydoom.AO is able to bypass some of these protections, as it recognizes the following commonly used substitutions:
    "."
    "(dot)"
    "_dot_"
    ".dot."
    "&nbsp;"
    "&nbsp"
    " at "
    "_at_"
    ".at."
    "(at)"
    "(@)"
    "@@"
    " @"
    "@ "

    " " (a single blank space)
    "  " (two blank spaces)
  • Mydoom.AO sends itself out to all the addresses it has gathered, using its own SMTP engine.
    In order to do so, it attempts to open an SMTP session with possible mail servers, whose names it builds by prepending certain prefixes to the recipient's mail domain.
  • However, it does not send itself to addresses with the following characteristics:

    - The mail domain contains one of the following text strings: arin., avp, bar., domain, example, foo.com, gmail, gnu., google, hotmail, microsoft, msdn., msn., panda, rarsoft, ripe., sarc., seclist, secur, sf.net, sophos, sourceforge, spersk, syma, trend, update, uslis, winrar, winzip, yahoo.
    - The name of the recipient is one of the following: anyone, ca, feste, foo, gold-certs, help, info, me, no, nobody, noone, not, nothing, page, rating, site, soft, someone, the.bat, you, your.
    - The mail account contains any of the following text strings: abuse, accoun, admin, bugs, listserv, mailer-d, master, ntivi, privacycertific, sample, secur, spam, submit, support.
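The sender names, subjects and attachment naming described above make a usable mail-gateway signature. The following triage function is an added example written for this page, not Panda's code; the sample messages are constructed, and the scoring threshold is an assumption.

```python
# Added example (not from Panda's page): score a parsed e-mail against the
# Mydoom.AO lure traits listed above. All sample messages are constructed.
import re

# Sender names, subjects and attachment stems taken from the description above.
BOUNCE_SENDERS = {"automatic email delivery software", "bounced mail",
                  "mail delivery subsystem", "mailer-daemon", "post office",
                  "returned mail", "the post office", "mail administrator",
                  "postmaster"}
SUBJECTS = {"", "delivery failed", "delivery reports about your e-mail",
            "error", "hello", "hi", "mail system error - returned mail",
            "message could not be delivered", "report",
            "returned mail: data format error",
            "returned mail: see transcript for details", "status", "test"}
NAMES = {"attachment", "document", "file", "instruction", "letter", "mail",
         "message", "readme", "text", "transcript"}
LURE_EXT = {"bat", "cmd", "com", "exe", "pif", "scr", "zip"}
# Fake document extension, a run of blanks, then an executable extension.
DOUBLE_EXT = re.compile(r"\.(doc|html?|txt) {2,}\.?(bat|cmd|com|exe|pif|scr)$",
                        re.I)

def triage(sender_name, subject, attachments, recipient):
    """attachments: file names as received (for ZIPs, the names inside too).
    Returns (score, reasons); each matched trait adds one point."""
    reasons = []
    if sender_name.strip().lower() in BOUNCE_SENDERS:
        reasons.append("bounce-style sender name")
    if subject.strip().lower() in SUBJECTS:
        reasons.append("known lure subject")
    rcpt = recipient.lower()
    domain = rcpt.partition("@")[2]
    for att in attachments:
        name = att.lower()
        if DOUBLE_EXT.search(name):
            reasons.append(f"padded double extension: {att!r}")
            continue
        stem, _, ext = name.rpartition(".")
        if ext in LURE_EXT and stem in NAMES | {rcpt, domain}:
            reasons.append(f"lure file name with risky extension: {att!r}")
    return len(reasons), reasons

# Constructed samples: two Mydoom.AO-style lures and one benign message.
SAMPLES = [
    ("Mail Delivery Subsystem", "Returned mail: see transcript for details",
     ["transcript.zip"], "alice@example.net"),
    ("Postmaster", "", ["message.txt        .scr"], "bob@example.net"),
    ("Carol", "Q3 budget", ["budget.xlsx"], "dave@example.net"),
]
```

A score of 2 or more (assumed threshold) is worth quarantining; a lone bounce-style sender is common in legitimate mail and should not be blocked on its own.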

Further Details  

Mydoom.AO is written in Visual C++. The worm is 25,771 bytes in size and is compressed with the MEW executable packer.

Mydoom.AO creates a mutex in order to ensure that only one copy of the worm is active at any moment. The name of the mutex consists of several repetitions of the computer name and the word root.