Win32.Mydoom.A Worm
Alias: W32.Novarg.A@mm (Symantec),
W32/Mydoom@MM (McAfee),
Win32/Shimg
Category: Win32
Type: Worm
Published Date: 1/26/2004
Last Modified: 1/26/2004
CHARACTERISTICS
Win32.Mydoom.A is a worm spreading via e-mail and the Kazaa P2P file sharing network. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may also be included in a ZIP archive.
Method of Distribution
Via E-mail
The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension.
The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:
Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test
Mail Transaction Failed
Server Request
Error
The Message Body may be selected from a list carried by the worm, may be empty, or may consist of randomly-generated, illegible garbage. Examples of Message Bodies used by the worm:
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:
Data
Readme
Message
Body
Text
file
doc
document
Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.
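The Subject, body, attachment-name and extension lists above describe a recognisable template. The following added example (written for this page, not code from the original analysis or from CA) scores a message against those lists so a mail gateway or analyst can rank suspicious items; the sample messages are constructed, and the threshold of two matched indicators is an assumption chosen to tolerate a lone executable attachment. Randomly-generated Subjects and bodies, which the text also mentions, are not matched by a list and still need the attachment checks.

```python
import os

# Indicators quoted from the analysis above (matched case-insensitively)
WORM_SUBJECTS = {"server report", "mail delivery system", "hi", "status", "hello",
                 "test", "mail transaction failed", "server request", "error"}
WORM_BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
WORM_ATTACH_NAMES = {"data", "readme", "message", "body", "text", "file", "doc", "document"}
WORM_EXTENSIONS = {".bat", ".cmd", ".pif", ".exe", ".scr", ".zip"}


def score_message(subject, body, attachment):
    """Count how many page-listed indicators a message matches.

    Returns (score, reasons). An executable attachment on its own is only
    a weak signal; two or more matches line up with the worm's template.
    """
    reasons = []
    if subject.strip().lower() in WORM_SUBJECTS:
        reasons.append("subject in worm list")
    if " ".join(body.split()).lower() in WORM_BODIES:
        reasons.append("body text in worm list")
    if attachment:
        stem, ext = os.path.splitext(attachment)
        if ext.lower() in WORM_EXTENSIONS:
            reasons.append("executable/archive extension %s" % ext.lower())
            if stem.lower() in WORM_ATTACH_NAMES:
                reasons.append("attachment stem in worm list")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return (id, score, reasons) for messages whose score reaches threshold."""
    flagged = []
    for m in messages:
        score, reasons = score_message(m["subject"], m["body"], m.get("attachment", ""))
        if score >= threshold:
            flagged.append((m["id"], score, reasons))
    return flagged


# Constructed sample messages (not real captures)
SAMPLE_MESSAGES = [
    {"id": "msg1", "subject": "Mail Transaction Failed",
     "body": "The message cannot be represented in 7-bit ASCII encoding "
             "and has been sent as a binary attachment.",
     "attachment": "document.pif"},
    {"id": "msg2", "subject": "Q1 budget", "body": "see attached",
     "attachment": "budget.xls"},
    {"id": "msg3", "subject": "hi", "body": "zgfqo hvtr pqwe",  # garbage body
     "attachment": "body.zip"},
    {"id": "msg4", "subject": "Re: meeting", "body": "ok",
     "attachment": "notes.exe"},
]

if __name__ == "__main__":
    for mid, score, reasons in triage(SAMPLE_MESSAGES):
        print(mid, score, reasons)
```

Running the block flags msg1 (all four indicators) and msg3 (subject, extension and stem), while msg4's lone .exe attachment scores one and stays below the threshold.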
Via P2P File Sharing
The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5
Possible extensions are:
bat
exe
pif
scr
Method of Installation
When executed, the worm copies itself to the %System% directory as taskmon.exe and modifies the registry in order to run at the next system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory for Windows 2000 and NT is C:\Winnt\System32; for Windows 95, 98 and ME it is C:\Windows\System; and for Windows XP it is C:\Windows\System32.
The worm also creates a file called SHIMGAPI.DLL in the %System% directory. The dropped DLL registers itself in the registry:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\shimgapi.dll"
Payload
Backdoor Functionality
Win32.Mydoom.A opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free port in the range 3128-3199).
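The installation artifacts (the TaskMon Run value, the shimgapi.dll InProcServer32 entry), the KaZaA lure file names and the backdoor port range above are the host-side indicators an incident responder would sweep for. The following added example (written for this page, not code from the original analysis or from CA) checks all three over constructed input: registry entries in the 'KEY\Value = "data"' notation this page uses, netstat-style listener lines, and a list of shared-folder file names. The input formats and sample values are assumptions; a real sweep would feed it output from the host's own tooling.

```python
import os
import re

# Artifacts as listed in the analysis above (compared case-insensitively)
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
CLSID_KEY = r"hkcr\clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32"
BACKDOOR_PORTS = range(3127, 3200)   # 3127 first, then the next free port in 3128-3199
P2P_STEMS = {"nuke2004", "office_crack", "rootkitxp", "strip-girl-2.0bdcom_patches",
             "activation_crack", "icq2004-final", "winamp5"}
P2P_EXTS = {".bat", ".exe", ".pif", ".scr"}

# Matches lines shaped like 'TCP  0.0.0.0:3127  0.0.0.0:0  LISTENING' (assumed format)
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_registry(lines):
    """Flag the two registry values the worm writes.

    Input lines use the 'KEY\\Value = "data"' notation of this page.
    Returns (label, line) pairs.
    """
    hits = []
    for line in lines:
        if "=" not in line:
            continue
        left, _, data = line.partition("=")
        key, _, _value = left.strip().lower().rpartition("\\")
        data = data.strip().strip('"').lower()
        if key == RUN_KEY and data.endswith("\\taskmon.exe"):
            hits.append(("run-key persistence", line.strip()))
        elif key == CLSID_KEY and data.endswith("\\shimgapi.dll"):
            hits.append(("CLSID InProcServer32 hijack", line.strip()))
    return hits


def check_listeners(netstat_lines):
    """Return listening TCP ports inside the worm's 3127-3199 range.

    Checking only 3127 misses hosts where that port was busy and the
    worm fell through to a higher port in the range.
    """
    ports = []
    for line in netstat_lines:
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            ports.append(int(m.group(1)))
    return ports


def check_shared_folder(filenames):
    """Return file names matching the lure name + extension pairs used on KaZaA."""
    hits = []
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if stem.lower() in P2P_STEMS and ext.lower() in P2P_EXTS:
            hits.append(name)
    return hits


def triage_host(registry_lines, netstat_lines, shared_files):
    """Combine the three checks into one report; an empty dict means no match."""
    report = {
        "registry": check_registry(registry_lines),
        "backdoor_ports": check_listeners(netstat_lines),
        "p2p_lures": check_shared_folder(shared_files),
    }
    return {k: v for k, v in report.items() if v}


# Constructed sample input (not captured from a real host)
SAMPLE_REGISTRY = [
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"',
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\WINDOWS\System32\ctfmon.exe"',
    r'HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\shimgapi.dll"',
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:3127       10.0.0.9:80            ESTABLISHED",
]
SAMPLE_SHARED = ["winamp5.exe", "winamp5.mp3", "holiday.jpg", "icq2004-final.scr"]

if __name__ == "__main__":
    for section, hits in triage_host(SAMPLE_REGISTRY, SAMPLE_NETSTAT, SAMPLE_SHARED).items():
        print(section, hits)
```

On the sample data the report shows both registry values, the listener on 3128 (the 3127 line is an outbound connection, not a listener, and is correctly ignored) and the two lure files; the ctfmon.exe Run value, winamp5.mp3 and holiday.jpg produce nothing.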
Analysis by Jakub Kaminski