W32/Mydoom.L@mm

Analysis


Specifics
The virus is a 32-bit executable with a packed file size of 50,176 bytes and is a minor variant of W32/Mydoom.K-mm. This variant does not perform a DoS against websites, nor does it attempt to delete files. The virus contains its own SMTP engine code to send itself to others; it will also make itself available in the shared folder of Kazaa, a popular peer-to-peer file sharing application. It also writes a short keylogger component to the infected system under a random .DLL file name such as "vefpmwf.dll".


Loading into memory
When the virus is run, it copies itself to the System32 folder as "RUNDLL6.exe" and then registers itself to run at each Windows startup through the following value -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"rundll" = C:\WINNT\System32\rundll6.exe

The virus writes an additional file "shimgapi.dll" into the System32 folder and then changes the default value of an existing COM class registration so that this .DLL is loaded in place of the original webcheck.dll by whatever process instantiates that class -

HKEY_CLASSES_ROOT\CLSID\
{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = C:\WINNT\System32\shimgapi.dll

Original value: %SystemRoot%\System32\webcheck.dll

The file "shimgapi.dll" contains code that acts as a server bound to TCP port 3127. This backdoor allows the virus to receive file updates, or to receive and execute arbitrary programs, from a remote party.
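The persistence and backdoor indicators above can be checked on a host without any vendor tooling. The following script is an added example, not code from the Fortinet page: the registry key paths, value names, file names and port number are taken from the analysis, while the sample registry snapshot and the `netstat -ano` lines are constructed for the demonstration. The live-registry reader (`live_snapshot`) is an assumption about how one would collect the same data on Windows via the standard `winreg` module; everything else runs on any platform.

```python
"""Host check for the W32/Mydoom.L@mm persistence and backdoor indicators.

Added example; indicator strings are quoted from the analysis above, the
sample data is constructed here.
"""
import ntpath
import re
import sys
from typing import Dict, List

# Indicators from the analysis.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "rundll"
DROPPED_EXE = "rundll6.exe"
WEBCHECK_CLSID_KEY = (
    r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
)
EXPECTED_INPROC_DLL = "webcheck.dll"   # original InProcServer32 target
DROPPED_DLL = "shimgapi.dll"
BACKDOOR_PORT = 3127

# (full key path as used in the snapshot, winreg hive name, subkey) for live collection.
KEYS = (
    (RUN_KEY, "HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    (WEBCHECK_CLSID_KEY, "HKEY_CLASSES_ROOT",
     r"CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"),
)


def check_registry(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for a registry snapshot of {key_path: {value_name: data}}.

    The default value of a key is stored under the name "(Default)".
    """
    findings: List[str] = []

    # Indicator 1: the Run value named "rundll" that launches the dropped copy.
    run_data = snapshot.get(RUN_KEY, {}).get(RUN_VALUE_NAME, "")
    if run_data.lower().endswith(DROPPED_EXE):
        findings.append(f"Run value '{RUN_VALUE_NAME}' launches {run_data}")

    # Indicator 2: the WebCheck class no longer loads webcheck.dll.
    inproc = snapshot.get(WEBCHECK_CLSID_KEY, {}).get("(Default)", "")
    if inproc and ntpath.basename(inproc).lower() != EXPECTED_INPROC_DLL:
        kind = "dropped shimgapi.dll" if inproc.lower().endswith(DROPPED_DLL) else "unexpected DLL"
        findings.append(f"WebCheck InProcServer32 points to {kind}: {inproc}")
    return findings


# Matches "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING    1644" style lines.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def check_listeners(netstat_lines: List[str], port: int = BACKDOOR_PORT) -> List[str]:
    """Return the PIDs of processes listening on `port`, parsed from `netstat -ano` output."""
    return [m.group(2) for m in map(_LISTEN_RE.match, netstat_lines)
            if m and int(m.group(1)) == port]


def live_snapshot() -> Dict[str, Dict[str, str]]:
    """Read the two keys from the live registry (assumed collection method; Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry access needs Windows (winreg)")
    import winreg
    snap: Dict[str, Dict[str, str]] = {}
    for full, hive_name, sub in KEYS:
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:       # no more values
                        break
                    values[name or "(Default)"] = str(data)
                    index += 1
        except OSError:                   # key absent
            pass
        snap[full] = values
    return snap


# Constructed sample data: an infected snapshot, a clean one, and netstat output.
SAMPLE_INFECTED = {
    RUN_KEY: {"rundll": r"C:\WINNT\System32\rundll6.exe"},
    WEBCHECK_CLSID_KEY: {"(Default)": r"C:\WINNT\System32\shimgapi.dll"},
}
SAMPLE_CLEAN = {
    RUN_KEY: {},
    WEBCHECK_CLSID_KEY: {"(Default)": r"%SystemRoot%\System32\webcheck.dll"},
}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1644",
    "  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4",
]

if __name__ == "__main__":
    snap = live_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for finding in check_registry(snap):
        print("REGISTRY:", finding)
    for pid in check_listeners(SAMPLE_NETSTAT):
        print(f"LISTENER: PID {pid} bound to TCP {BACKDOOR_PORT}")
```

On a real host, `check_registry` compares only the file name of the InProcServer32 target, so the legitimate value survives whether it is stored expanded (`C:\WINNT\System32\webcheck.dll`) or unexpanded (`%SystemRoot%\System32\webcheck.dll`); any other DLL in that slot is reported, since a foreign target there is a finding regardless of the file name.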


Email Spreading Capability
The virus sends itself to the numerous email addresses that its address-harvesting routine discovers on the infected machine. It collects addresses from files with the following extensions -

wab
pl
adb
tbb
dbx
asp
php
sht
htm

The virus avoids email addresses whose domain or local part contains any of these strings -

root
be_loyal:
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
microsoft
ruslis
nodomai
mydomai
abuse
www
fcnz
spm


Email Creation Routine
For each address found, the virus crafts an email with a varied subject line and body text and a spoofed "From" address. The "From" address may use a name from this list -

sandra
linda
julie
jimmy
jerry
helen
debby
Claudia

The body text is one of these -

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Test

The attachment will have one of these extensions -
.bat, .cmd, .exe, .pif or .scr

and may use a double extension, such as

.doc.exe
.htm.pif
.txxt.scr
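A mail gateway can use the indicators in this section to quarantine the worm's messages before they reach users. The script below is an added example and not code from the Fortinet page: the attachment extensions, body texts and spoofed sender names are taken from the analysis, the double-extension pattern generalises the three samples listed, and the two sample messages are constructed. The `Message` structure and the policy (block on a listed extension, flag as suspicious on two or more indicators) are assumptions for the demonstration.

```python
"""Mail-gateway check for W32/Mydoom.L@mm message indicators.

Added example; indicator strings are quoted from the analysis above, the
sample messages are constructed here.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Attachment extensions the worm uses (and the Recommended Action says to block).
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
# Generalisation of the listed samples (.doc.exe, .htm.pif, .txxt.scr):
# a short "document" extension followed by one of the executable ones.
DOUBLE_EXTENSION = re.compile(r"\.[a-z0-9]{2,4}\.(bat|cmd|exe|pif|scr)$", re.I)
# Body texts used by the worm.
BODY_TEXTS = {
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "Test",
}
# Names used in the spoofed "From" address.
SPOOFED_NAMES = {"sandra", "linda", "julie", "jimmy", "jerry", "helen", "debby", "claudia"}


@dataclass
class Message:
    """Minimal view of an inbound message (assumed structure)."""
    sender: str                      # envelope sender, e.g. "julie@example.invalid"
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)   # attachment file names


def attachment_reasons(filename: str) -> List[str]:
    """Reasons an attachment name matches the worm's naming."""
    reasons = []
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext} on {filename}")
    if DOUBLE_EXTENSION.search(lower):
        reasons.append(f"double extension on {filename}")
    return reasons


def assess(msg: Message) -> Dict[str, object]:
    """Score a message. Any blocked attachment extension is a hard block;
    two or more indicators of any kind mark the message suspicious."""
    reasons: List[str] = []
    for name in msg.attachments:
        reasons.extend(attachment_reasons(name))

    # Collapse whitespace so line-wrapped bodies still match the templates.
    body = " ".join(msg.body.split())
    if body in BODY_TEXTS:
        reasons.append("body text matches a Mydoom.L template")

    local_part = msg.sender.split("@", 1)[0].lower()
    if local_part in SPOOFED_NAMES:
        reasons.append(f"sender name '{local_part}' is on the spoofed-From list")

    block = any(r.startswith(("blocked extension", "double extension")) for r in reasons)
    return {"block": block, "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages.
SAMPLE_WORM = Message(
    sender="julie@example.invalid",
    subject="Error",
    body="Mail transaction failed.\r\nPartial message is available.",
    attachments=["document.doc.exe"],
)
SAMPLE_LEGIT = Message(
    sender="alice@example.invalid",
    subject="Q3 report",
    body="Attached is the report we discussed.",
    attachments=["report.pdf"],
)

if __name__ == "__main__":
    for label, msg in (("worm", SAMPLE_WORM), ("legit", SAMPLE_LEGIT)):
        verdict = assess(msg)
        print(f"{label}: block={verdict['block']} suspicious={verdict['suspicious']}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

The extension check alone implements the Recommended Action below (block .bat, .cmd, .exe, .pif and .scr on mail services); the body-text and sender-name indicators are weaker on their own, since "Test" is a common body and the first names are ordinary, so they only raise the score and are never a block condition by themselves.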


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of these file extensions using SMTP, POP3 and IMAP services -

    .bat, .cmd, .exe, .pif and .scr

  • Using the FortiGate manager, create a service named "Mydoom" and assign it to TCP port 3127, then enable blocking of this service for External to Internal communication

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-01-11 89.08603
2021-11-30 89.07343
2021-11-23 89.07133
2021-11-15 89.06896
2021-08-24 88.00605
2021-08-03 88.00101
2021-07-27 87.00933
2021-07-20 87.00765
2021-06-12 86.00857
2021-05-26 86.00456