W32/MyDoom.M@mm

• Detected by virus detection files published: 8/16/2004
• Virus characteristics first published: 8/16/2004
• Virus characteristics latest update: 12/3/2004
• Type: Worm
• Spreading mechanism: Email
• Overall risk: Medium
• Payload:
• Alias: Win32.Mydoom.S [Computer Associates], W32/Mydoom.R@mm [F-Secure], W32/Mydoom.s@MM [McAfee], W32/Mydoom.R.worm [Panda], W32/MyDoom-S [Sophos], W32.Mydoom.Q@mm [Symantec], WORM_RATOS.A [Trend Micro]
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista


The following is a portion of the instant analysis done by the Norman Sandbox Technology:

 [ General information ]
    * Creating several executable files on hard-drive.
    * File length:        27136 bytes.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\rasor38a.dll.
    * Creates file C:\WINDOWS\SYSTEM\winpsd.exe.
    * Deletes file C:\WINDOWS\SYSTEM\winpsd.exe.
    * Creates file C:\WINDOWS\winvpn32.exe.

 [ Changes to registry ]
    * Reads SMTP Email Address in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
    * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32\Version".
    * Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32\Version".
    * Creates value "winpsd"="C:\WINDOWS\SYSTEM\winpsd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "InstaledFlashhMX"="" in key "HKCU\Software\Microsoft\Internet Explorer".

 [ Network services ]
    * Looks for an Internet connection.
    * Connects to "CONFIGURED_DNS" on port 53 (UDP).
    * Downloads file from [webserver]/ispy.1.jpg as C:\WINDOWS\winvpn32.exe.
    * Connects to POP3 server on port 25 (TCP).
    * **Connects SMTP server.

 [ Network ]
    * **Uses IPHLPAPI services.

 [ Spreading through EMail ]
    * To     : [Harvested addresses]
    * From   : [SMTP address found in registry].
    * Subject: photos.
    * Mass-mailer; spreads through SMTP.

 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attempts to open C:\WINDOWS\winvpn32.exe.

Write-up by Trygve Brox  
