   INCIDENT NOTES

CERT-In Incident Note CIIN-2004-09

Win32.MyDoom.M@mm

Original Issue Date: July 27, 2004

Aliases:

I-Worm.MyDoom.M
I-Worm.MyDoom.R
MyDoom.M
MyDoom.M@mm
MyDoom.N
W32.MyDoom.M@mm
W32/Mydoom-O
W32/Mydoom.L
W32/Mydoom.M.worm
W32/Mydoom.o@MM
Win32.Mydoom.O
Win32/MyDoom.O.Worm
WORM_MYDOOM.M

Severity: High

Systems Affected:

. Windows 2000
. Windows NT
. Windows XP
. Windows 98
. Windows ME
. Windows 95

Systems Not Affected:

. MS DOS
. Linux
. Macintosh
. Novell Netware
. OS/2
. UNIX

Overview

Various antivirus vendors have reported that this member of the MyDoom family is spreading in the wild. The worm spreads via e-mail using its own SMTP engine. It gathers target recipients from the Windows Address Book, the Temporary Internet Files folder and certain fixed drives. It also queries search engines to gather email addresses, resulting in a slowdown of those search engines.

Description

The worm spreads via email. On execution, the worm does the following:

  1. Drops a copy of itself as JAVA.EXE in the \windows folder.
  2. Creates the following registry entries to enable automatic execution at start up:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM="%Windows%\java.exe"
    Services="%Windows%\services.exe"

    and creates an infection marker in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

  3. Tries to terminate programs with the names rctrl_renwnd32, ATH_Note and IEFrame.
  4. Propagates via email using its own SMTP engine and gathers email addresses from the Windows Address Book (WAB), the Temporary Internet Files folder and files with the extensions hlp, tx*, asp, ht*, adb, dbx and wab.
  5. When it finds an email address, it takes the domain name of that address and queries the following search engines for further email addresses in that domain:

    a. http://search.lycos.com
    b. http://www.altavista.com
    c. http://search.yahoo.com
    d. http://www.google.com

  6. The sender email address is spoofed in both the email header and the envelope. The mail has subjects such as "hello", "hi", "error", "status", "test", "report", "delivery failed", "Message could not be delivered", "Mail System Error - Returned Mail", "Delivery reports about your e-mail", "Returned mail: see transcript for details", "Returned mail: Data format error", etc. The attachment has a name such as "readme", "instruction", "transcript", "mail", "letter", "text", "file", "attachment", "document" or "message" with an extension such as "cmd", "bat", "com", "exe", "pif" or "scr". The attachment may also carry a second extension, which will be one of .doc, .txt, .htm or .html.
  7. Drops a backdoor component named SERVICES.EXE in the Windows folder which opens a backdoor and listens on port 1034 for connections from remote malicious users.

Solution

  1. Disable system restore (Windows XP/ME) and scan the system with updated antivirus.
  2. Free removal tools are available from following antivirus vendors:

    F-Secure

    ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip
    http://www.f-secure.com/tools/f-mydoom.zip

    Symantec

    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

    McAfee

    http://download.nai.com/products/mcafee-avert/stinger.exe

  3. To manually remove the infection, search and delete the registry entries mentioned below:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    JavaVM="%Windows%\java.exe"
    Services="%Windows%\services.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

  4. Also search and delete the file %Temp%\zincite.log

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M&Vsect=T

http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=288

http://secunia.com/virus_information/10755/mydoom.m/

http://vil.nai.com/vil/content/v_127033.htm

http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

http://www.sarc.com/avcenter/venc/data/w32.mydoom.m@mm.html

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003