Aliases

Email-Worm.Win32.Mydoom.l (Kaspersky Lab) is also known as: I-Worm.Mydoom.l (Kaspersky Lab), W32/Mydoom.n@MM (McAfee),   W32.Mydoom.L@mm (Symantec),   Win32.HLLM.MyDoom.33808 (Doctor Web),   W32/MyDoom-N (Sophos),   Win32/Mydoom.L@mm (RAV),   WORM_MYDOOM.L (Trend Micro),   Worm/Mydoom.l (H+BEDV),   W32/Mydoom.M@mm (FRISK),   Win32:Mydoom-L (ALWIL),   I-Worm/Mydoom.N (Grisoft),   Win32.Mydoom.L@mm (SOFTWIN),   Worm.Mydoom.I (ClamAV),   W32/Mydoom.M.worm (Panda),   Win32/Mydoom.Q (Eset)

Description added	Nov 16 2004
Behavior	Email Worm

Technical details

This worm spreads via the Internet as an attachment to infected messages, via file sharing networks and open network resources. The worm sends itself to email addresses harvested from infected machines. The worm also contains a backdoor function.

The worm itself is a Windows PE EXE file approximately 21 KB in size.

Installation

During installation the worm copies itself as "lsass.exe" to the Windows root directory, for example:

C:\WINDOWS\lsass.exe

The worm then registers this file in the system registry as a key to enable autorun:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Traybar = %WinDir% \LSASS.EXE

This ensures that the worm will be launched each time the system is rebooted.

The worm searches the computer for folders where the name contains the following words:

download
ftproot
incoming
Share

and copies itself several times to each folder found, under the following names:

Harry Potter
ICQ 4 Lite
index
Kazaa Lite
Winamp 5.0 (en)
Winamp 5.0 (en) Crack
WinRAR.v.3.2.and.key

The files will have one of the following extensions:

com
exe
scr
ShareReactor.com

Propagation

In order to find email addresses to send infected messages to, Mydoom.l searches for files with the following extensions:

doc
htm
html
txt

and harvests email addresses found in these files. The worm uses the recipient's SMTP server to send email messages to all of the harvested addresses.

Infected messages

Sender's address

The sender's address is spoofed, using one of the email addresses harvested from the system.

Subject (chosen at random from the following list):

click me baby, one more time
delivery failed
Delivery reports about your e-mail
error
hello
hi
Mail System Error - Returned Mail
Message could not be delivered
report
Returned mail: Data format error
Returned mail: see transcript for details
say helo to my litl friend
status
test

Message body (chosen at random from the following list):

• The original message was included as attachment

• This Message was undeliverable due to the following reason:
  Your message was not delivered because the destination computer was
  not reachable within the allowed queue period. The amount of time
  a message is queued before it is returned depends on local configuration parameters.
  Most likely there is a network problem that prevented delivery, but
  it is also possible that the computer is turned off, or does not
  have a mail system running right now.

• Your message was not delivered within [ ] days:
  Host $i is not responding.

• The following recipients did not receive this message:
  <[ ]>
  Please reply to postmaster@[ ]
  if you feel this message to be in error.

• The original message was received at [ ]
  from [ ]
  ----- The following addresses had permanent fatal errors -----
  <[ ]>
  ----- Transcript of session follows -----
  while talking to [ ].:
  >>> MAIL From:[ ]
  <<< 501 [ ]... Refused

• The original message was received at $w
  from [ ]
  ----- The following addresses had permanent fatal errors -----
  <[ ]>

Attachment name (chosen at random from the list below):

<blank>
attachment
document
file
letter
mail
message
readme
text
transcript

with one of the following extensions:

bat
cmd
com
exe
pif
scr
zip

Remote Administration

The backdoor in Mydoom.l opens and then monitors TCP port 1042 in order to receive remote commands.