Tech details

Infection strategy 

Mydoom.M creates the following files in the Windows directory:

• LSASS.EXE. This file is a copy of the worm.
• A text file with a random name and a TXT extension in the Windows temporary directory. Mydoom.M uses this file in order to carry out its actions.

Mydoom.M creates the following entries in the Windows Registry:

• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  Traybar = %windir%\ lsass.exe
  where %windir% is the Windows directory.
  By creating this entry, Mydoom.M ensures that it is run whenever Windows is started.
  
  If it is unable to create this entry, it creates the following one:
  HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  Traybar = %windir%\ lsass.exe
• HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ POSIX
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ POSIX
  Mydoom.M creates these entries in order to check if it has already affected the computer.

Means of transmission 

Mydoom.M spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Mydoom.M follows the routine below:

• It reaches the computer in an e-mail message with variable characteristics:
  
  Sender:
  Mydoom.M spoofs the e-mail address from which it is sent. This may cause confusion. For further information, click here.
  It can also add any of the following texts to the spoofed address:
  "Automatic Email Delivery Software"
  "Bounced mail"
  "Mail Delivery Subsystem"
  "MAILER-DAEMON"
  "Post Office"
  "Returned mail"
  "The Post Office"
  "Mail Administrator"
  "Postmaster"
  MAILER-DAEMON
  noreplypostmaster
  
  Subject: it can be one of the following:
  click me baby, one more time
  delivery failed
  Delivery reports about your e-mail
  error
  hello
  report
  say helo to my litl friend
  status
  
  Message: it can be blank, an illegible set of characters or any of the following:
  Message 1:
  The original message was received at
  from []
  
  ----- The following addresses had permanent fatal errors -----
  
  
  Message 2:
  The original message was received at
  from []
  
  ----- The following addresses had permanent fatal errors -----
  
  
  ----- Transcript of session follows -----
  while talking to .:
  >>> MAIL From:
  <<< 501 ... Refused
  
  Message 3:
  This Message was undeliverable due to the following reason:
  
  Your message was not delivered because the destination computer was
  not reachable within the allowed queue period. The amount of time
  a message is queued before it is returned depends on local configura-
  tion parameters.
  
  Most likely there is a network problem that prevented delivery, but
  it is also possible that the computer is turned off, or does not
  have a mail system running right now.
  
  Your message was not delivered within 7 days:
  Host is not responding.
  
  The following recipients did not receive this message:
  
  
  Please reply to
  if you feel this message to be in error.
  
  Message 4:
  Message could not be delivered
  
  Message 5:
  The original message was included as attachment
  
  Attachments: the file name is variable, and has a random extension:
  Possible file names: it can be a random file name, or one of the following: ATTACHMENT, DOCUMENT, FILE, LETTER, MAIL, MESSAGE, README, TEXT, TRANSCRIPT.
  Possible extensions: BAT, CMD, COM, EXE, PIF, SCR, ZIP.
• The computer is affected when the attached file is run.
• Mydoom.M searches for e-mail addresses in files that have the following extensions: DOC, HTM, HTML and TXT.
• Mydoom.M sends itself out to all the addresses it has gathered and to all the contacts in the Windows Address Book, using its own SMTP engine.
  In order to do so, it attempts to open an SMTP session and connect to possible mail servers, which it compounds with the mail domain of the recipient.
• However, it does not send itself to the addresses that have the following characteristics:
  
  - The mail domain contains one of the following text strings: gov, mil, arin, avp, bar, domain, example, foo, gmail, gnu, google, gov, hotmail, labs, math, mcrosoft, msn., ophos, panda, rarsoft, ripe, sarc, seclist, secure, sf.net, sourceforge, spersk, syma, update, uslis and winzip.
  - The recipient's name is any of the following: root, info, samples, noone, nobody, nothing, anyone, someone, your, you, me, rating, site, contact, soft, no, service, help, not, feste, ca, gold-certs, the.bat, page.
  - The name of the address contain any of the following text strings: admi, crosoft, suppor, ntivi, submit, listserv, bug, secure, priacycertific, accoun, sample, contact, master, abus, spam.

2. Transmission through peer-to-peer file sharing programs (P2P).

Mydoom.M follows the routine below:

• It creates copies of itself in directories containing any of the following text strings: download, ftproot, incoming, shar. By doing so, it attempts to copy itself in those shared directories of file sharing programs.
• The copies that Mydoom.M creates have a variable name, which consists in a random file name and extension.
  Possible file names: Harry Potter, ICQ 4 Lite, index, Kazaa Lite, Winamp 5.0 (en), Winamp 5.0 (en) Crack, WinRAR.v.3.2.and.key.
  Possible extensions: SCR, COM, EXE, SHAREREACTOR.COM.

• Other users of these programs can access the shared directories and download these files to their computers, thinking that they are useful computer programs. However, these users will actually download a copy of the worm.
• When the downloaded file is run, these computers will be affected by Mydoom.M.

Further Details  

Mydoom.M is around 33 KBytes in size. The DLL installed is 8,776 bytes in size and it is compressed with UPX.

Mydoom.M creates the mutex jmydoat%smtx, in order to prevent two copies of the worm from being run at the same time.