W32/Mydoom.gen@MM

This page shows details and results of our analysis of the malware W32/Mydoom.gen@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4327 (2004-02-23)
Updated DAT: 6193 (2010-12-10)
Minimum Engine: 5.2.00
File Length: varies
Description Added: 2004-04-26
Description Modified: 2008-08-01

Characteristics

This virus family contains multiple variants. This description covers the latest discovered variant:

Upon execution, the virus copies itself to %WinDir%\system32 under a random file name (where %WinDir% is the Windows directory, for example C:\WINNT or C:\WINDOWS).

It creates two additional processes.

The following Registry values are added (the data is the random file name chosen above):

  • HKEY_CURRENT_USER\Software\Microsoft\OLE
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    F-Secure Gatekeeper="[Random Name].exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    F-Secure Gatekeeper="[Random Name].exe"

It attempts to connect to the following IRC server:

  • sco.rs-forum.biz

Once connected, the virus can receive the following commands from a remote controller over IRC:

  • DDos
  • Download
  • Keylog
  • Update
  • and others

In addition, it has the following functionality:

  • Contains its own SMTP engine for constructing messages
  • Spoofs the From: address using the value postcards@hallmark.com
  • Sent messages contain the subject: You've received A Hallmark E-Card!
  • Attempts to propagate through popular P2P networks by copying itself to the shared directories of P2P software, using the following filenames:
    • absolute video converter 3.07.exe
    • acker dvd ripper 2008.exe
    • adobe acrobat reader keygen.exe
    • adobe soundbooth cs3.exe
    • anti-trojan elite v4.01.exe
    • aol password cracker.exe
    • ashampoo powerup v3.10.exe
    • bitdefender antivirus 2008 keygen.exe
    • boilsoft dvd ripper 2.82.exe
    • canvas security framework 2008 limited with 50 0day.exe
    • cleanmypc registry cleaner v4.02.exe
    • daemon tools pro 4.10.218.0.exe
    • divx 5.0 pro keygen.exe
    • download boost 2.0.exe
    • email spider.exe
    • error doctor 2008.exe
    • google adsense clicking bot.sfx.exe
    • hotmail account bruteforcer bot.exe
    • hotmail spammer bot.exe
    • hrwliy.exe
    • icepack idt gold edition 2008 leaked.exe
    • microsoft visual basic keygen.exe
    • microsoft visual c++ keygen.exe
    • microsoft visual studio keygen.exe
    • mirc keygen.exe
    • norton anti-virus 2008 enterprise crack.exe
    • password cracker.exe
    • pc secuity tweaker 7.6.exe
    • prorat 2.0 special edition.exe
    • shadow security scanner 10 gold.exe
    • sophos antivirus updater bypass.exe
    • super utilities pro 2008 8.0.1980.exe
    • superram 5.1.28.2008.exe
    • tarantula full version cracked by razor.exe
    • tcn iso cable modem hacking tools.exe
    • tcn iso sigmax2 firmware.bin.exe
    • vmware esx gsx server keygen.exe
    • vmware keygen.exe
    • vmware workstation 6 windows keygen.exe
    • windows 2003 advanced server keygen.exe
    • wow glider incl serial.sfx.exe
    • youtube music downloader 1.0.exe
    • yzdock machintos osx like toolbar for windows.exe
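The registry persistence values, the spoofed Hallmark e-mail and the P2P lure filenames above are all static indicators that an analyst can sweep for without touching a live host. The following Python script is an added example written for this page; it is not McAfee tooling and not code from the malware. It matches those indicators against three artefacts an analyst typically already has in hand: a text dump produced by `reg export`, a raw e-mail message, and a directory listing of a P2P shared folder. The registry dump, the e-mail (including the attachment name Postcard.exe) and the share listing are constructed samples, "qzkwpl.exe" stands in for the random file name the virus picks, and P2P_LURES holds only a subset of the filenames listed above.

```python
import re
from email import message_from_string

# Indicators copied from the description above. Registry key and value names
# are case-insensitive on Windows, so every comparison normalises to lower case.
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
)}
VALUE_NAME = "f-secure gatekeeper"
SPOOFED_FROM = "postcards@hallmark.com"
LURE_SUBJECT = "you've received a hallmark e-card!"
# Subset of the P2P lure filenames listed above; extend with the full list.
P2P_LURES = {
    "adobe acrobat reader keygen.exe",
    "aol password cracker.exe",
    "vmware keygen.exe",
    "youtube music downloader 1.0.exe",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Only "name"="string data" lines; hex:/dword: values never match and are skipped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def find_autorun_hits(reg_export):
    """Return (key, value name, data) for every 'F-Secure Gatekeeper' value
    found under one of the autostart keys listed on this page."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key and current_key.lower() in AUTORUN_KEYS:
            name = _unescape(m.group(1))
            if name.lower() == VALUE_NAME:
                hits.append((current_key, name, _unescape(m.group(2))))
    return hits


def is_hallmark_lure(raw_message):
    """True when the spoofed sender and the lure subject both appear."""
    msg = message_from_string(raw_message)
    sender = (msg.get("From") or "").lower()
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    return SPOOFED_FROM in sender and subject == LURE_SUBJECT


def attachment_names(raw_message):
    """Filenames of all attached parts, so the analyst sees what the lure carries."""
    msg = message_from_string(raw_message)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def find_p2p_lures(listing):
    """Entries of a shared-folder listing that match the known lure names."""
    return sorted(f for f in listing if f.lower() in P2P_LURES)


# Constructed samples (not captured data). "qzkwpl.exe" stands in for the
# random file name; the OneDrive entry is a benign decoy that must not match.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"F-Secure Gatekeeper"="qzkwpl.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):00,00
"F-Secure Gatekeeper"="qzkwpl.exe"
"""

SAMPLE_EMAIL = """From: "Hallmark" <postcards@hallmark.com>
To: bob@example.net
Subject: You've received A Hallmark E-Card!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received a Hallmark E-Card. Open the attachment to view it.
--b1
Content-Type: application/octet-stream; name="Postcard.exe"
Content-Disposition: attachment; filename="Postcard.exe"

MZ...
--b1--
"""

SAMPLE_SHARE = ["Adobe Acrobat Reader Keygen.exe", "holiday.jpg",
                "vmware keygen.exe", "youtube music downloader 1.0.exe"]

if __name__ == "__main__":
    for key, name, data in find_autorun_hits(SAMPLE_REG):
        print("autorun hit:", key, name, data)
    print("hallmark lure:", is_hallmark_lure(SAMPLE_EMAIL), attachment_names(SAMPLE_EMAIL))
    print("p2p lures:", find_p2p_lures(SAMPLE_SHARE))
```

To run this against a real system, export the keys with `reg export` (the "Windows Registry Editor Version 5.00" files it writes are UTF-16, so open them with encoding="utf-16") and pass the text to find_autorun_hits; feed a saved message file to is_hallmark_lure and a directory listing of the P2P share to find_p2p_lures. The match is on the value name, not the data, because the file name is random per infection.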

Symptoms

  • Existence of the files and Registry values detailed here.
  • Copies of the worm with the enticing filenames used for P2P propagation.
  • A garbage text file is opened and displayed in Notepad.

Method of Infection

This worm spreads via email, mass-mailing itself, and by copying itself to popular P2P software shared directories.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants