
New worm - Win32.Mydoom.U@mm

Discussion in 'General Marketing' started by ovi, Sep 5, 2004.

  1. ovi

    ovi Guest

    Also known as: I-Worm.MyDoom.gen ; Win32.HLLM.MyDoom.based
    This is an executable backdoor worm and mass mailer with sizes of 37,888 bytes (UPX packed) and 8,192 bytes. It was discovered and detected on 03.09.2004 by BitDefender.

    - Presence of the following files in the %SYSTEM% folder:

    tasker.exe (37,888 bytes)
    Nemog.dll (8,192 bytes)

    - Presence of the following registry key pointing to the above file:


    and also

    "(Default)" = "%SYSTEM%\Nemog.dll"

    - Presence in memory of a process "tasker"

    %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
    %SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder
    on WinNT systems.

    Also, when the virus is run, it opens some junk in Notepad.
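    The host indicators above (the two files with their sizes, the CLSID key with a (Default) value pointing at Nemog.dll, the tasker process, and the port 5422 listener described further down) can be checked with a small script. The following is an added example, not code from the post or from BitDefender. The check works on a plain-data Snapshot so it runs anywhere; collect_live_snapshot() is one way to fill that snapshot on a Windows host and assumes the usual column layout of tasklist and netstat. The post does not say which subkey the CLSID registration writes, so only the CLSID key's own (Default) value is read. The tasklist and netstat samples at the end are constructed, not captured from an infected machine.

```python
"""Host check for the Win32.Mydoom.U@mm indicators listed in the post.

Added example, not from the original post or BitDefender.  Sizes, file names,
process name, CLSID and port are the ones stated in the post; the sample
tasklist/netstat text below is constructed.
"""
import os
import sys
from dataclasses import dataclass

FILE_IOCS = {"tasker.exe": 37_888, "nemog.dll": 8_192}  # file name -> size in bytes
PROCESS_IOC = "tasker"                                   # image name without extension
CLSID_IOC = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
BACKDOOR_PORT = 5422


@dataclass
class Snapshot:
    system_files: dict      # lowercase file name -> size, for the %SYSTEM% folder
    processes: list         # image names of running processes
    clsid_defaults: dict    # lowercase CLSID -> (Default) value of that key
    listening_ports: set    # TCP ports with a listener


def parse_tasklist(text: str) -> list[str]:
    """Image names from `tasklist` output: keep rows whose second column is a PID."""
    return [p[0] for p in (line.split() for line in text.splitlines())
            if len(p) >= 2 and p[1].isdigit()]


def parse_netstat(text: str) -> set[int]:
    """Listening TCP ports from `netstat -an` output (Windows column layout)."""
    ports = set()
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0] == "TCP" and p[3] == "LISTENING":
            ports.add(int(p[1].rsplit(":", 1)[1]))   # rsplit also handles [::]:port
    return ports


def check_snapshot(snap: Snapshot) -> list[str]:
    """Return one line per indicator that matched; an empty list means nothing found."""
    findings = []
    for name, size in FILE_IOCS.items():
        actual = snap.system_files.get(name)
        if actual is None:
            continue
        if actual == size:
            findings.append(f"{name} present in %SYSTEM% with the reported size {size}")
        else:   # same name, other size: still worth a look, may be a variant or repack
            findings.append(f"{name} present in %SYSTEM%, size {actual} differs from reported {size}")
    for proc in snap.processes:
        if os.path.splitext(os.path.basename(proc))[0].lower() == PROCESS_IOC:
            findings.append(f"process {proc} is running")
    default = snap.clsid_defaults.get(CLSID_IOC.lower(), "")
    if default.lower().endswith("nemog.dll"):
        findings.append(f"CLSID {CLSID_IOC} (Default) = {default}")
    if BACKDOOR_PORT in snap.listening_ports:
        findings.append(f"TCP {BACKDOOR_PORT} has a listener (backdoor indicator)")
    return findings


def collect_live_snapshot() -> Snapshot:
    """Windows only (assumption): gather the four inputs from the running host."""
    import subprocess
    import winreg
    system_dir = os.path.join(os.environ["SystemRoot"], "System32")
    files = {e.name.lower(): e.stat().st_size for e in os.scandir(system_dir) if e.is_file()}
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    defaults = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + CLSID_IOC) as key:
            defaults[CLSID_IOC.lower()] = str(winreg.QueryValue(key, None))
    except OSError:
        pass   # key absent: nothing to report
    return Snapshot(files, parse_tasklist(run(["tasklist"])), defaults,
                    parse_netstat(run(["netstat", "-an"])))


# Constructed samples (not real captures) so the check can be exercised anywhere.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  1532 Console                    1     21,440 K
tasker.exe                    1880 Console                    1      3,120 K
"""
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5422           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1045          10.0.0.9:80            ESTABLISHED
"""
SAMPLE_INFECTED = Snapshot(
    system_files={"kernel32.dll": 983_552, "tasker.exe": 37_888, "nemog.dll": 8_192},
    processes=parse_tasklist(SAMPLE_TASKLIST),
    clsid_defaults={CLSID_IOC.lower(): r"C:\WINDOWS\System32\Nemog.dll"},
    listening_ports=parse_netstat(SAMPLE_NETSTAT),
)
SAMPLE_CLEAN = Snapshot({"kernel32.dll": 983_552}, ["explorer.exe"], {}, {135})

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for f in check_snapshot(snap):
        print("FOUND:", f)
```

    A size mismatch is reported separately rather than ignored, because a file with the worm's name but another size is more likely a repacked variant than a coincidence, and the post's own sizes are for this one sample.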

    Technical description:

    It arrives by e-mail in the following format:

    From: spoofed; usually appears to be from @msn.com, @yahoo.com or @hotmail.com
    Subject: (one of the following lines)

    RE:my .....
    Server Report
    Mail Transaction Failed
    Mail Delivery System

    Body: (one of the following lines)

    This is a multi-part message in MIME format.
    Mail transaction failed. Partial message is available.
    sorry we can't send the mail try later , check the attachment for more information.
    error , sorry we can't send the email so check the attachment.
    hello check the attachment thx.
    !!!!!!!!!!!, check the attachment!!!.
    Try Later, Check the Attachment.
    failed to send the email!, check the attachment for more information.
    check the attachment to get the lastest news.
    come back my friend.
    loooooool ;)))
    hello :)
    failed,check the attachment for more information.
    error, check the attachment for more information.
    error to send the mail!!!!!.
    you can check the attachment for more information.
    (Norton ANti Virus,Panda,Mcafee No Virusses Found).
    the attachment for more information.
    here is what you need,thx.
    your attachment , thx.
    Check the attachment for more information!.
    (Norton Anti Virus : No Virusses Found , Check The Attachment For More Information.

    filename may be:


    extension may be:
    bat, cmd, exe, scr, pif or zip
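    The message format above (fixed subjects, fixed body lines, executable or zip attachment, spoofed free-mail sender) can be matched at a mail gateway. The following is an added example, not code from the post or from BitDefender. It uses the Python standard library email parser, carries the subject and body strings exactly as the post lists them, and treats the sender domain only as a supporting signal, since the From: line is spoofed and a hotmail.com sender on its own means nothing. The two sample messages are constructed; the attachment file name in them is a placeholder, because the post does not reproduce the worm's file-name list.

```python
"""Mail-gateway check for the Win32.Mydoom.U@mm message format described above.

Added example, not from the original post or BitDefender.  Subjects, body lines
and extensions are taken from the post; the sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {"server report", "mail transaction failed", "mail delivery system"}
SUBJECT_PREFIXES = ("re:my",)   # the post shows "RE:my ....." with variable text after it
BODY_LINES = {
    "this is a multi-part message in mime format.",
    "mail transaction failed. partial message is available.",
    "sorry we can't send the mail try later , check the attachment for more information.",
    "error , sorry we can't send the email so check the attachment.",
    "hello check the attachment thx.",
    "!!!!!!!!!!!, check the attachment!!!.",
    "try later, check the attachment.",
    "failed to send the email!, check the attachment for more information.",
    "check the attachment to get the lastest news.",
    "come back my friend.",
    "loooooool ;)))",
    "hello :)",
    "failed,check the attachment for more information.",
    "error, check the attachment for more information.",
    "error to send the mail!!!!!.",
    "you can check the attachment for more information.",
    "(norton anti virus,panda,mcafee no virusses found).",
    "the attachment for more information.",
    "here is what you need,thx.",
    "your attachment , thx.",
    "check the attachment for more information!.",
    "(norton anti virus : no virusses found , check the attachment for more information.",
}
ATTACHMENT_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
SPOOFED_DOMAINS = {"msn.com", "yahoo.com", "hotmail.com"}


def classify(raw: str) -> list[str]:
    """Return the indicators that fired for one RFC 2822 message; [] means no match."""
    msg: EmailMessage = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS or subject.startswith(SUBJECT_PREFIXES):
        findings.append(f"subject matches worm template: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        for line in body.get_content().splitlines():
            if line.strip().lower() in BODY_LINES:
                findings.append(f"body line matches worm template: {line.strip()!r}")
                break
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ATTACHMENT_EXTS:
            findings.append(f"attachment {name!r} has a worm-delivered extension .{ext}")
    sender = (msg["from"] or "").lower()
    domain = sender.rsplit("@", 1)[-1].rstrip(">").strip()
    # Only a supporting signal: the worm spoofs these domains, so From: is unreliable.
    if findings and domain in SPOOFED_DOMAINS:
        findings.append(f"sender domain {domain} is one the worm spoofs; From: is not trustworthy")
    return findings


# Constructed messages; "sample.scr" is a placeholder, not a file name from the post.
SAMPLE_WORM_MAIL = """\
From: someone@hotmail.com
To: victim@example.org
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--XYZ
Content-Type: application/octet-stream; name="sample.scr"
Content-Disposition: attachment; filename="sample.scr"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""
SAMPLE_CLEAN_MAIL = """\
From: colleague@hotmail.com
To: victim@example.org
Subject: Lunch on Friday?

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, "->", classify(raw) or "no indicators")
```

    Matching whole lines rather than substrings keeps ordinary bounce messages from colliding with the template; a real bounce from a mail server does contain "Mail Delivery System" in the From: line, but not these exact subject and body strings together with an executable attachment.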

    Once the virus is run, it does the following:

    1. Creates the mutex "EnD-Of-SkyNet" in order to have only one instance in memory.
    2. Creates a new thread that creates a file named Message (approx. 4 KB) containing binary junk in the TEMP folder and opens it in Notepad. When Notepad is closed, the thread exits and the Message file is deleted.
    3. Creates in %SYSTEM% the file Nemog.dll and registers it to [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
    4. Creates a copy of the virus in %SYSTEM% folder as tasker.exe
    5. Creates the registry key


    so that the virus will be run at startup
    6. Checks if the computer is connected to the internet by checking www.microsoft.com approximately every half minute
    7. Retrieves the Kazaa download folder and creates copies of the virus there, constructing the filename from:

    XXX Pictures, XXX Videos, xbox emulator, ps2 emulator, Hotmail hacker, yahoo hacker, klez, SoBig, mydoom, netsky, Vahos, Upload, crack, Winzip, kazz, Wenrar, mirc, cleaner, SeX, Vaho, Fixtool

    and extensions:

    bat, pif, scr, exe

    8. Starts harvesting e-mail addresses from files with the extensions:

    wab, pl, adb, tbb, dbx, asp, php, sht, htm

    and also in the default WAB file

    9. Uses its own SMTP engine to send itself, using the previously described format, but avoids sending to e-mail addresses containing:

    syma, icrosof, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo.
    unix, math, bsd, mit.e, gnu, fsf., ibm.com, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, acketst, pgp, tanford.e, utgers.ed, mozilla
    root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page
    icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun
    avp, abuse, secur, spam, www, spm

    10. Has backdoor capabilities: Nemog.dll opens port 5422 and listens for commands

    11. May open an HTTP proxy on port 80

    Removal instructions:

    Manual removal:

    open Task Manager by pressing CTRL+ALT+DEL or CTRL+SHIFT+ESC, select tasker.exe and click [End Process]
    delete tasker.exe and Nemog.dll from the %SYSTEM% folder
    open Registry Editor (Start, Run, then enter: Regedit)
    remove the keys:
