
W32/MyDoom.AH@mm

Threat risk: low

Detection files published: 15 Jan. 2005
Description created: 2005-01-16
Description updated: 2005-01-16

Malware type: Worm
Alias: Win32.Mydoom.ae, W32/MyDoom-AA, W32.Mydoom.AI@mm, W32/Mydoom.ap@MM, I-Worm.Mydoom.AE
Spreading mechanism: Email, Other

Payload:

Summary

W32/MyDoom.AH is a mass-mailing peer-to-peer worm, compressed using UPX to a file size of 31,744 bytes.

Spreading description

When MyDoom.AH is run, it copies itself to the %SYSTEM% directory as "lsasrv.exe". It also creates the following files in the %SYSTEM% directory:

  • version.ini (5-byte text file)
  • hserv.sys (100-byte binary file)

The worm also creates a file in the %TEMP% directory called "Mes#wtelw", which it opens using Notepad.

Next, the worm ensures it is started each time Windows loads by creating the following registry entries:
 
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass = %SYSTEM%\lsasrv.exe
 
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe %SYSTEM%\lsasrv.exe
 
The worm then attempts to create a mutex named "-=RTSW.Smash=-", and takes no further action if the mutex already exists.

MyDoom.AH then modifies the hosts file to block access to anti-virus-related websites. The following entries are appended to the file:
 
  • 127.0.0.1 symantec.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 www.viruslist.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 kaspersky-labs.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 avp.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 www.grisoft.com
  • 127.0.0.1 grisoft.com
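
As an added defender-side example (not code from Norman's description), the following Python checks a hosts file and the two autostart registry values against the indicators listed above. It runs on constructed sample input; on a live host you would feed it the real hosts file text and the values read from the Run and Winlogon keys.

```python
# Added example, not Norman's code: offline checks for the persistence and
# hosts-file indicators above. Inputs are constructed samples, not live data.

# Vendor domains the description says the worm points at 127.0.0.1.
AV_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com")

def _is_vendor_host(name):
    """True if name is a listed vendor domain or a host under one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in AV_VENDOR_DOMAINS)

def find_hosts_hijacks(hosts_text):
    """Return (hostname, ip) pairs mapping a vendor host to a loopback address."""
    hijacks = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comment, tokenize
        if len(fields) < 2 or not fields[0].startswith("127."):
            continue
        hijacks += [(n, fields[0]) for n in fields[1:] if _is_vendor_host(n)]
    return hijacks

def clean_hosts(hosts_text):
    """Return the hosts text with hijack lines removed, everything else kept."""
    bad = {n.lower() for n, _ in find_hosts_hijacks(hosts_text)}
    kept = [l for l in hosts_text.splitlines()
            if not any(n.lower() in bad for n in l.split("#", 1)[0].split()[1:])]
    return "\n".join(kept) + "\n"

def check_persistence(run_values, winlogon_shell):
    """Flag the two autostart entries the worm creates: run_values is
    {name: command} under HKLM\\...\\CurrentVersion\\Run; winlogon_shell is the
    Winlogon\\Shell string, which on a clean system is just 'explorer.exe'."""
    findings = [f"Run\\{name} = {cmd}" for name, cmd in run_values.items()
                if "lsasrv.exe" in cmd.lower()]
    if winlogon_shell.strip().lower() != "explorer.exe":  # extra token: hijacked
        findings.append(f"Winlogon\\Shell = {winlogon_shell}")
    return findings

# Constructed sample data mirroring the indicators in the description.
SAMPLE_HOSTS = """127.0.0.1 localhost
192.168.1.10 intranet.example
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com   # appended by the worm
"""
SAMPLE_RUN = {"lsass": r"C:\WINDOWS\system32\lsasrv.exe", "ctfmon.exe": "ctfmon.exe"}
SAMPLE_SHELL = r"explorer.exe C:\WINDOWS\system32\lsasrv.exe"
```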
 
Next, the worm attempts to locate any of the following P2P/file-sharing programs:
 
  • Kazaa
  • Morpheus
  • iMesh
  • eDonkey
  • LimeWire
 
If the worm succeeds in locating any of these programs, it copies itself to the P2P share directory using one of these filenames:
 
  • icq2004-final
  • activation_crack
  • K-LiteCodecPack2.34a
  • dcom_patches
  • adultpasswds
  • winxp_patch
  • Ad-awareref01R349
  • avpprokey
  • NeroBROM6.3.1.27
  • Porno
 
with one of these extensions:
 
  • .exe
  • .scr
  • .pif
  • .cmd
 
The worm then harvests email addresses from the Windows Address Book, and from files with the following extensions:
 
  • .adb
  • .tbb
  • .dbx
  • .asp
  • .edm
  • .vbs
  • .wml
  • .jst
  • .tpl
  • .con
  • .vbp
  • .csp
  • .asm
  • .asc
  • .dwt
  • .lbi
  • .rdf
  • .rss
  • .xst
  • .xsd
  • .dlt
  • .xml
  • .jsp
  • .inc
  • .ssi
  • .stm
  • .xht
  • .htc
  • .hta
  • .cgi
  • .php
  • .sht
  • .htm
 
The worm skips mail addresses whose domain name contains any of these strings:
 
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
 
Then, the worm uses its own SMTP engine to send mails to the harvested addresses. The mails have the following characteristics:
 
 
Subject
 
  • Error
  • Status
  • Server
  • Mail Transaction Failed
  • Attention!!!
  • Mail Delivery System
  • Hello
  • Do not reply to this email
 
Body
 
  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Attention! New self-spreading virus!
    Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
    ® 2004 Networks Associates Technology, Inc. All Rights Reserved
  • New terms and conditions for credit card holders
    Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web. Thank you,The World Bank Group
    ® 2004 The World Bank Group, All Rights Reserved
  • Thank you for registering at WORLDXXXPASS.COM
    All your payment info, login and password you can find in the attachment file.It's a real good choise to go to WORLDXXXPASS.COM
  • Attention! Your IP was logged by The Internet Fraud Complaint Center
    Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
  • Here is your documents you are requested.
 
Attachment

The filename of the attachment is either:
 
  • body
  • message
  • docs
  • data
  • file
  • rules
  • doc
  • readme
  • document
 
With one of the following extensions:
 
  • .exe
  • .scr
  • .pif
  • .cmd
  • .zip
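
As an added example (not part of the original description), a mail-gateway style check in Python that flags a message whose subject and attachment name match the patterns listed above; the message it parses is a constructed sample, not captured worm mail.

```python
# Added example, not part of Norman's description: a mail-gateway style check
# that flags messages showing the subject / attachment pattern listed above.
# The message below is a constructed sample, not captured worm mail.
import email
from email import policy

SUBJECTS = {"error", "status", "server", "mail transaction failed",
            "attention!!!", "mail delivery system", "hello",
            "do not reply to this email"}
ATTACH_NAMES = {"body", "message", "docs", "data", "file", "rules", "doc",
                "readme", "document"}
ATTACH_EXTS = {"exe", "scr", "pif", "cmd", "zip"}

def matches_mydoom_ah(raw):
    """Return the reasons a raw RFC 822 message looks like a MyDoom.AH mail:
    a subject from the list and/or an attachment named <name>.<ext> from
    the two lists. An empty list means no match."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        reasons.append("subject")
    for part in msg.iter_attachments():          # non-body MIME parts
        fn = part.get_filename() or ""
        base, dot, ext = fn.lower().rpartition(".")
        if dot and base in ATTACH_NAMES and ext in ATTACH_EXTS:
            reasons.append(f"attachment {fn}")
    return reasons

# Constructed sample shaped like the mails described above (harmless payload).
SAMPLE_MAIL = """From: postmaster@example.test
To: user@example.test
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

A subject hit on its own ("Hello") is weak evidence; in practice the attachment match is the part worth acting on.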

Threat description

MyDoom.AH attempts to stop certain malware and security software by terminating processes with any of these names:
 
  • msblast.exe
  • zapro.exe
  • navw32.exe
  • navapw32.exe
  • zonealarm.exe
  • outpost.exe
  • wincfg32.exe
  • taskmon.exe
  • PandaAVEngine.exe
  • sysinfo.exe
  • mscvb32.exe
  • MSBLAST.exe
  • teekids.exe
  • Penis32.exe
  • bbeagle.exe
  • SysMonXP.exe
  • winupd.exe
  • winsys.exe
  • ssate.exe
  • rate.exe
  • d3dupdate.exe
  • irun4.exe
  • i11r54n4.exe

Removal

The worm was detected proactively as W32/P2PWorm by Norman SandBox.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage guides:

  • Stopping network share infectors
  • Cleaning of back-up folders on Windows Me and XP