W32/MyDoom.M@mm

Analysis

  • Creates a copy of itself in the [WINDOWS] folder as lsass.exe.
  • Adds the following registry value so the copy runs at logon:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Traybar
    • data: [WINDOWS]\lsass.exe
  • Searches for windows with the following names:
    • rctrl_renwnd32
    • ATH_Note
    • IEFrame
    and sends an exit message to close them.
  • Opens a back door on TCP port 1042.

    Network Propagation
  • Enumerates the hard disk and searches for directories that contain any of the following strings:
    • incoming
    • ftproot
    • download
    • shar
    It then copies itself to these directories as [Filename].[Extension].
    [Filename] is one of the following:
    • index
    • Kazaa Lite
    • Harry Potter
    • ICQ 4 Lite
    • WinRAR.v.3.2.and.key
    • Winamp 5.0 (en) Crack
    • Winamp 5.0 (en)
    • ShareReactor
    [Extension] can be one of the following:
    • exe
    • com
    • scr
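The host-side artifacts listed above (the Traybar Run value pointing at an lsass.exe in the Windows folder rather than System32, the TCP 1042 listener, and the lure-named copies dropped into share-like directories) can be checked mechanically. The following script is an added example, not Fortinet's code or the worm's: it runs the three checks over constructed inputs (a Run-key snapshot as a dict, netstat-style text, and a temporary directory tree standing in for a file share), so it runs offline and the input values are assumptions.

```python
"""Host indicator checks for the W32/MyDoom.M@mm artifacts described in the analysis.
Added example, not Fortinet code. All inputs below are constructed for the demo."""
import os
import tempfile

# Indicators taken from the analysis text.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Traybar"
DROPPED_FILE = "lsass.exe"
BACKDOOR_PORT = 1042
SHARE_DIR_MARKERS = ("incoming", "ftproot", "download", "shar")
LURE_NAMES = {"index", "kazaa lite", "harry potter", "icq 4 lite",
              "winrar.v.3.2.and.key", "winamp 5.0 (en) crack",
              "winamp 5.0 (en)", "sharereactor"}
LURE_EXTENSIONS = {"exe", "com", "scr"}


def check_run_key(run_values, windows_dir):
    """Flag a Run value named Traybar that launches lsass.exe from the Windows
    folder. The legitimate lsass.exe lives in System32, so the parent folder
    is the distinguishing detail, not the file name."""
    findings = []
    for name, data in run_values.items():
        path = data.strip('"').lower()
        if name.lower() == RUN_VALUE.lower() and path.endswith("\\" + DROPPED_FILE):
            parent = path.rsplit("\\", 1)[0]
            if parent == windows_dir.lower():
                findings.append(f"{RUN_KEY}\\{name} -> {data}")
    return findings


def check_listeners(netstat_text):
    """Return local endpoints listening on TCP 1042 from 'netstat -an' style output."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(local)
    return hits


def check_share_drops(root):
    """Walk a directory tree and report files whose name and extension match the
    lure list, but only inside directories whose name contains a share marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        dirname = os.path.basename(dirpath).lower()
        if not any(m in dirname for m in SHARE_DIR_MARKERS):
            continue
        for fn in files:
            stem, _, ext = fn.lower().rpartition(".")
            if stem in LURE_NAMES and ext in LURE_EXTENSIONS:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def demo():
    """Build constructed inputs and run all three checks."""
    run_values = {                       # constructed Run-key snapshot
        "Traybar": r"C:\WINDOWS\lsass.exe",
        "SecurityHealth": r"C:\WINDOWS\system32\SecurityHealthSystray.exe",
    }
    netstat = (                          # constructed netstat -an excerpt
        "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING\n"
        "  TCP    0.0.0.0:1042     0.0.0.0:0    LISTENING\n"
        "  TCP    10.0.0.5:49152   10.0.0.9:445 ESTABLISHED\n"
    )
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, "Shared", "Downloads")
        os.makedirs(drop)
        for fn in ("Harry Potter.scr", "Winamp 5.0 (en) Crack.exe", "notes.txt"):
            open(os.path.join(drop, fn), "wb").close()   # empty placeholder files
        # A lure-named file outside a share-like directory must not be reported.
        os.makedirs(os.path.join(root, "docs"))
        open(os.path.join(root, "docs", "index.exe"), "wb").close()
        drops = [os.path.relpath(p, root).replace(os.sep, "/")
                 for p in check_share_drops(root)]
    return {
        "run_key": check_run_key(run_values, r"C:\WINDOWS"),
        "listeners": check_listeners(netstat),
        "share_drops": drops,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The Run-key check deliberately keys on the parent folder rather than the value name alone, since the value name is trivial for a variant to change while the file-location mismatch (lsass.exe outside System32) is what an analyst would act on.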

    Email Propagation
  • The worm harvests email addresses from the Windows Address Book and uses its own SMTP engine to send itself to those addresses.

  • The email has the following characteristics:
    Subject: One of the following:
    • report
    • Server Report
    • hello
    • picture
    • Status
    • test
    • Error
    • Mail Delivery System
    • Mail Transaction Failed
    • Mail server report
    Message Body: One of the following:
    • The message contains Unicode characters and has been sent as a binary attachment.
    • Mail transaction failed. Partial message is available.
    • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    Attachment: [Filename].[Extension]
    [Filename] can be any one of the following:
    • message
    • document
    • attachment
    • text
    • file
    • letter
    • mail
    • transcript
    • readme
    [Extension] can be any one of the following:
    • cmd
    • bat
    • pif
    • scr
    • exe
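The email characteristics above translate directly into a gateway-side filter. The script below is an added example, not Fortinet's code: it parses real MIME structure with Python's standard email library and returns a verdict plus the matched indicators. Because subjects such as "hello" and "test" are far too common to block on, the verdict requires both a lure subject and a lure attachment name/extension; the body sentence is reported as a confirming indicator. The sample messages are constructed in-line, with inert text in place of an executable attachment.

```python
"""Mail-flow check for the W32/MyDoom.M@mm email characteristics in the analysis.
Added example, not Fortinet code. Sample messages are constructed below."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure strings from the analysis text, compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "report", "Server Report", "hello", "picture", "Status", "test", "Error",
    "Mail Delivery System", "Mail Transaction Failed", "Mail server report")}
BODIES = (
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
)
ATTACH_NAMES = {"message", "document", "attachment", "text", "file",
                "letter", "mail", "transcript", "readme"}
ATTACH_EXTS = {"cmd", "bat", "pif", "scr", "exe"}


def classify(raw_bytes):
    """Parse one RFC 5322 message and return (verdict, matched indicators).

    'mydoom.m' requires a lure subject AND a lure attachment; a subject match
    alone or an attachment match alone yields 'clean' with the hit still listed,
    so an operator can see why a message was or was not flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if any(b in body for b in BODIES):
        hits.append("body")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        stem, _, ext = fn.rpartition(".")
        if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            hits.append(f"attachment:{fn}")
    has_attach = any(h.startswith("attachment:") for h in hits)
    verdict = "mydoom.m" if "subject" in hits and has_attach else "clean"
    return verdict, hits


def build_sample(subject, body, attach_name=None):
    """Constructed sample message; the attachment payload is plain text, not malware."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"not a real executable", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def demo():
    """Three constructed messages: one matching the worm pattern, two benign."""
    samples = {
        "worm": build_sample("Mail Delivery System",
                             "Mail transaction failed. Partial message is available.",
                             "document.pif"),
        "benign_subject": build_sample("hello", "Lunch at noon?"),
        "benign_attach": build_sample("Q3 figures", "See attached.", "readme.exe"),
    }
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(f"{name}: {verdict} {hits}")
```

Working from parsed MIME rather than regexes over the raw bytes means the filename check also sees attachments whose name is RFC 2231-encoded, which a plain substring search over the raw message would miss.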

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date        Version   Detail
    2022-05-11  90.02205
    2022-05-11  90.02204
    2021-08-17  88.00428
    2021-06-01  86.00601
    2021-01-05  83.07500  Sig Updated
    2020-11-24  82.07300  Sig Updated
    2020-10-16  81.12600  Sig Updated
    2020-09-10  80.26600  Sig Updated
    2019-08-20  71.01900  Sig Updated
    2019-07-04  69.74600  Sig Updated