Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Mydoom.M

Threat level: High threat
Damage: Severe
Distribution: Not widespread

At a glance

Common name: Mydoom.M
Technical name: W32/Mydoom.M.worm
Threat level: Medium
Type: Worm
Effects:

It installs a dynamic link library that opens TCP port 1042 and acts as a backdoor. It ends processes belonging to antivirus programs and system monitoring tools.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on: July 19, 2004
Detection updated on: July 20, 2004
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies

Brief Description

Mydoom.M is a worm that installs a dynamic link library (DLL) that opens TCP port 1042 and listens on it, thus behaving as a backdoor. By doing so, it allows attackers to remotely access the affected computer in order to carry out actions that would compromise users' confidentiality or impede normal work.

In addition, the same library ends any active process whose name contains specific text strings associated with antivirus programs and system monitoring tools. This leaves the affected computer vulnerable to attack by other malware.

Mydoom.M spreads via e-mail in a message with variable characteristics and through peer-to-peer file sharing programs (P2P).

Visible Symptoms

Mydoom.M is very difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

Tech details

Effects

Mydoom.M has the following effects:

  • It installs a dynamic link library (DLL) that opens TCP port 1042 and listens on it, thus behaving as a backdoor. By doing so, it allows attackers to remotely access the affected computer in order to carry out actions that would compromise users' confidentiality or impede normal work.
  • It ends any process whose name contains any of the text strings below:
    avp., avp32, intrena, mcafe, navapw, navw3, norton, reged, taskmg and taskmo.
    These strings are related to antivirus programs and system monitoring tools. By ending these processes, the affected computer is left vulnerable to attack by other malware.

Infection strategy

Mydoom.M creates the following files in the Windows directory:

  • LSASS.EXE. This file is a copy of the worm.
  • A text file with a random name and a TXT extension in the Windows temporary directory. Mydoom.M uses this file in order to carry out its actions.

Mydoom.M creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Traybar = %windir%\lsass.exe

    where %windir% is the Windows directory.
    By creating this entry, Mydoom.M ensures that it is run whenever Windows is started.

    If it is unable to create this entry, it creates the following one:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Traybar = %windir%\lsass.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\POSIX
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\POSIX
    Mydoom.M creates these entries in order to check whether it has already affected the computer.

Means of transmission

Mydoom.M spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1. Transmission via e-mail.

Mydoom.M follows the routine below:

  • It reaches the computer in an e-mail message with variable characteristics:

    Sender:
    Mydoom.M spoofs the e-mail address from which it is sent, which may cause confusion about the true origin of the message.
    It can also add any of the following texts to the spoofed address:
    "Automatic Email Delivery Software"
    "Bounced mail"
    "Mail Delivery Subsystem"
    "MAILER-DAEMON"
    "Post Office"
    "Returned mail"
    "The Post Office"
    "Mail Administrator"
    "Postmaster"
    MAILER-DAEMON
    noreplypostmaster

    Subject: it can be one of the following:
    click me baby, one more time
    delivery failed
    Delivery reports about your e-mail
    error
    hello
    report
    say helo to my litl friend
    status

    Message: it can be blank, an illegible set of characters or any of the following:
    Message 1:
    The original message was received at
  • The computer is affected when the attached file is run.
  • Mydoom.M searches for e-mail addresses in files that have the following extensions: DOC, HTM, HTML and TXT.
  • Mydoom.M sends itself out to all the addresses it has gathered and to all the contacts in the Windows Address Book, using its own SMTP engine.
    In order to do so, it attempts to open an SMTP session with possible mail servers, whose names it builds from the recipient's mail domain.
  • However, it does not send itself to the addresses that have the following characteristics:

    - The mail domain contains one of the following text strings: gov, mil, arin, avp, bar, domain, example, foo, gmail, gnu, google, gov, hotmail, labs, math, mcrosoft, msn., ophos, panda, rarsoft, ripe, sarc, seclist, secure, sf.net, sourceforge, spersk, syma, update, uslis and winzip.
    - The recipient's name is any of the following: root, info, samples, noone, nobody, nothing, anyone, someone, your, you, me, rating, site, contact, soft, no, service, help, not, feste, ca, gold-certs, the.bat, page.
    - The name of the address contains any of the following text strings: admi, crosoft, suppor, ntivi, submit, listserv, bug, secure, priacycertific, accoun, sample, contact, master, abus, spam.

2. Transmission through peer-to-peer file sharing programs (P2P).

Mydoom.M follows the routine below:

  • It creates copies of itself in directories whose names contain any of the following text strings: download, ftproot, incoming, shar. By doing so, it attempts to copy itself into the shared directories of file sharing programs.
  • The copies that Mydoom.M creates have a variable name, which consists of a random file name and extension.
    Possible file names: Harry Potter, ICQ 4 Lite, index, Kazaa Lite, Winamp 5.0 (en), Winamp 5.0 (en) Crack, WinRAR.v.3.2.and.key.
    Possible extensions: SCR, COM, EXE, SHAREREACTOR.COM.
  • Other users of these programs can access the shared directories and download these files to their computers, thinking that they are useful computer programs. However, these users will actually download a copy of the worm.
  • When the downloaded file is run, these computers will be affected by Mydoom.M.

Further Details

Mydoom.M is around 33 KB in size. The DLL it installs is 8,776 bytes in size and is compressed with UPX.

Mydoom.M creates the mutex jmydoat%smtx, in order to prevent two copies of the worm from being run at the same time.
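As an added example (not code from the Panda Security page), the following Python check flags the host artefacts described under Effects, Infection strategy and Further Details (the Traybar Run value, the POSIX marker keys, the TCP 1042 listener and the mutex) in a survey of a host. The survey records are constructed samples, and the `%s` in jmydoat%smtx is assumed to be expanded at run time, so only the prefix and suffix of the mutex name are matched.

```python
# Added example (not Panda Security's code): flags the Mydoom.M host
# artefacts listed on this page. Survey data is constructed; the %s in
# jmydoat%smtx is assumed to be expanded at run time (prefix/suffix match).
from dataclasses import dataclass

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\POSIX",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\POSIX",
)
BACKDOOR_PORT = 1042

@dataclass
class HostSurvey:
    windir: str            # Windows directory, e.g. C:\WINDOWS
    run_values: dict       # (registry key, value name) -> value data
    present_keys: set      # registry keys that exist on the host
    listening_ports: set   # TCP ports in LISTEN state
    mutexes: set           # named mutex objects

def check_mydoom_m(s: HostSurvey) -> list:
    """Return one finding per indicator present (registry names compare case-insensitively)."""
    findings = []
    # Persistence value Traybar = %windir%\lsass.exe. The legitimate
    # lsass.exe lives in System32, never directly in the Windows directory.
    expected = f"{s.windir}\\lsass.exe".lower()
    run_keys = {k.lower() for k in RUN_KEYS}
    for (key, name), data in s.run_values.items():
        if key.lower() in run_keys and name.lower() == "traybar" and data.lower() == expected:
            findings.append(f"run-key persistence: {key}\\{name} = {data}")
    present = {k.lower() for k in s.present_keys}
    findings += [f"infection marker: {k}" for k in MARKER_KEYS if k.lower() in present]
    if BACKDOOR_PORT in s.listening_ports:
        findings.append(f"backdoor listener: TCP {BACKDOOR_PORT}")
    findings += [f"worm mutex: {m}" for m in s.mutexes if m.startswith("jmydoat") and m.endswith("mtx")]
    return findings

# Constructed sample surveys: one infected host, one clean host.
INFECTED = HostSurvey(
    windir=r"C:\WINDOWS",
    run_values={(RUN_KEYS[0], "Traybar"): r"C:\WINDOWS\lsass.exe"},
    present_keys={MARKER_KEYS[0]},
    listening_ports={135, 445, 1042},
    mutexes={"jmydoatXmtx"},
)
CLEAN = HostSurvey(r"C:\WINDOWS", {}, set(), {135, 445}, {"_MSIExecute"})
```

Feeding a real survey in means collecting the Run values, key existence, listening sockets and mutex names from the host with the tooling of your choice; the check itself is pure Python.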
