This application requires Javascript for optimal performance.

W32/MyDoom.M@mm - Released Jul 24, 2006 - Last Updated Jan 25, 2007

Alias/es

Email-Worm.Win32.Mydoom.l, W32/MyDoom-N, WORM_MYDOOM.GEN, W32/Mydoom.n@MM virus

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The file lsass.exe  exists in the %WINDOWS% folder.
  • Possible firewall alert that an executable is attempting to connect to the internet.
  • Compromised systems may be slow to respond due to heavy outbound traffic on TCP port 25 (SMTP email).

    • Detailed Analysis

  • Creates a copy of itself to the %WINDOWS% folder as lsass.exe.

  • Adds the following registry:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Traybar
    • data: %WINDOWS%\lsass.exe
  • Searches for windows with the following names:
    • rctrl_renwnd32
    • ATH_Note
    • IEFrame
    and sends an exit message to close them.

  • Opens a back door on TCP port 1042.


    Network Propagation

  • Enumerates the hard disk and searches for directories that contain any of the following strings:
    • incoming
    • ftproot
    • download
    • shar
    It then copies itself to these directories as [Filename].[Extension].

    [Filename] is one of the following:
    • index
    • Kazaa Lite
    • Harry Potter
    • ICQ 4 Lite
    • WinRAR.v.3.2.and.key
    • Winamp 5.0 (en) Crack
    • Winamp 5.0 (en)
    • ShareReactor
    [Extension] can be one of the following:
    • exe
    • com
    • scr

    Email Propagation

  • The worm harvests email addresses from the Windows Address Book and uses its own SMTP engine to send itself to those addresses.

  • The email has the following characteristics:

    Subject: One of the following:
    • report
    • Server Report
    • hello
    • picture
    • Status
    • test
    • Error
    • Mail Delivery System
    • Mail Transaction Failed
    • Mail server report
    Message Body: One of the following:
    • The message contains Unicode characters and has been sentas a binary attachment.
    • Mail transaction failed. Partial message is available.
    • The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment.
    Attachment: [Filename].[Extension]

    [Filename] can be any one of the following:
    • message
    • document
    • attachment
    • text
    • file
    • letter
    • mail
    • transcript
    • readme
    [Extension] can be any one of the following:
    • cmd
    • bat
    • pif
    • scr
    • exe

    • Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    Reference: ID - 12110