Aliases

Email-Worm.Win32.Mydoom.b (Kaspersky Lab) is also known as: I-Worm.Mydoom.b (Kaspersky Lab), W32/Mydoom.b.dll (McAfee),   W32.Mydoom.B@mm (Symantec),   Win32.HLLM.MyDoom.48128 (Doctor Web),   W32/MyDoom-B (Sophos),   Win32/Mydoom.B@mm (RAV),   WORM_MYDOOM.B (Trend Micro),   Worm/MyDoom.B4 (H+BEDV),   Win32:Mydoom-B (ALWIL),   I-Worm/Mydoom.B (Grisoft),   Win32.Mydoom.B@mm (SOFTWIN),   Worm.Mydoom.B-dll (ClamAV),   W32/Mydoom.B.worm (Panda),   Win32/Mydoom.B (Eset)

Description added	Jan 28 2004
Behavior	Email Worm

Technical details

Mydoom.b is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size.

The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.

The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.

Part of the body of the worm is encrypted.

The unpacked file contains the following text:

(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

Installation

During installation, the worm copies itself under the name explorer.exe to the Windows system directory, and registers this file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "TaskMon" = "%System%\explorer.exe"

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
 "Apartment" = "%SysDir%\ctfmon.dll"

The worm also creates a file called Body in the temporary directory (usually in %windir%\temp). This file contains a random selection of symbols.

So that the worm can identify itself in the system, it creates several additional keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]

Mydoom.b replaces the standard file 'hosts' in the Windows directory into with its own version (under the same name). This file will now prevent user access to the following domains:

ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net banner.fastclick.net banners.fastclick.net ca.com click.atdmt.com clicks.atdmt.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net fastclick.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com media.fastclick.net msdn.microsoft.com my-etrust.com nai.com networkassociates.com

office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.fastclick.net www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.ru www3.ca.com

Mailing letters

The body text is chosen at random from the following:

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received

The message contains Unicode characters and
has been sent asa binary attachment.

The message contains MIME-encoded graphics and
has been sent as a binary attachment

Mail transaction failed. Partial message is available.

Propagation via P2P

NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final

bat
exe
scr
pif