Win32.Mydoom.U@mm (aliases: I-Worm.MyDoom.gen | Win32.HLLM.MyDoom.based)

SYMPTOMS:

- Presence of the following files in the %SYSTEM% folder:
  tasker.exe (37,888 bytes)
  Nemog.dll (8,192 bytes)

- Presence of the following registry value pointing to the above file:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  "Task"="%SYSTEM%\tasker.exe"
  and also
  [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
  "(Default)"="%SYSTEM%\Nemog.dll"

- Presence in memory of a process named "tasker"

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and to the "System32" folder on Windows NT based systems.

Also, when the virus is run, it opens some junk in Notepad.

TECHNICAL DESCRIPTION:

It arrives by e-mail in the following format (subject, body and attachment strings are reproduced exactly as the worm sends them, misspellings included, since they are useful for mail filtering):

From: spoofed; usually appears to come from an @msn.com, @yahoo.com or @hotmail.com address

Subject: (one of the following lines)
RE:my .....
RE:test
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Msg
Information

Body: (one of the following lines)
This is a multi-part message in MIME format.
Mail transaction failed. Partial message is available.
sorry we can't send the mail try later , check the attachment for more information.
error , sorry we can't send the email so check the attachment.
hello check the attachment thx.
hello. !!!!!!!!!!!, check the attachment!!!.
Try Later, Check the Attachment.
failed to send the email!, check the attachment for more information.
check.
check the attachment to get the lastest news.
come back my friend.
loooooool ;))) hello :)
failed,check the attachment for more information.
error, check the attachment for more information.
error to send the mail!!!!!.
you can check the attachment for more information. (Norton ANti Virus,Panda,Mcafee No Virusses Found).
the attachment for more information.
here is what you need,thx.
your attachment , thx.
Check the attachment for more information!.
(Norton Anti Virus : No Virusses Found , Check The Attachment For More Information.
test

Attachment: the filename is one of:
body, message, test, data, file, text, doc, readme, document
with one of the extensions:
bat, cmd, exe, scr, pif or zip

Once the virus is run, it does the following:

1. Creates the mutex "EnD-Of-SkyNet" so that only one copy of it runs in memory.
2. Creates a new thread that writes a file named Message (approx. 4 KB) containing binary junk to the TEMP folder and opens it in Notepad. When Notepad is closed, the thread ends and the file Message is deleted.
3. Creates the file Nemog.dll in %SYSTEM% and registers it under [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}] (InprocServer32 default value).
4. Creates a copy of itself in the %SYSTEM% folder as tasker.exe.
5. Creates the registry value [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Task"="%SYSTEM%\tasker.exe" so that the virus is run at every startup.
6. Checks whether the computer is connected to the Internet by contacting www.microsoft.com approximately every half minute.
7. Retrieves the Kazaa download folder and creates copies of itself there, constructing the filename from one of:
   XXX Pictures, XXX Videos, xbox emulator, ps2 emulator, Hotmail hacker, yahoo hacker, klez, SoBig, mydoom, netsky, Vahos, Upload, crack, Winzip, kazz, Wenrar, mirc, cleaner, SeX, Vaho, Fixtool
   and one of the extensions: bat, pif, scr, exe
8. Harvests e-mail addresses from files with the extensions wab, pl, adb, tbb, dbx, asp, php, sht, htm, and from the default Windows Address Book (WAB) file.
9. Uses its own SMTP engine to send itself in the format described above, but avoids e-mail addresses containing any of the following strings (mostly vendor, security and administrative addresses):
   syma, icrosof, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., unix, math, bsd, mit.e, gnu, fsf., ibm.com, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, acketst, pgp, tanford.e, utgers.ed, mozilla,
   root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun, avp, abuse, secur, spam, www, spm
10. Has backdoor capabilities: Nemog.dll opens port 5422 and listens for commands.
11. May open an HTTP proxy on port 80.

Removal instructions:

Manual removal:
1. Open Task Manager (press CTRL+ALT+DEL or CTRL+SHIFT+ESC), select tasker.exe and click [End Process].
2. Delete tasker.exe and Nemog.dll from the %SYSTEM% folder. Nemog.dll is an in-process COM server and may still be loaded by the process that instantiated the CLSID; if it cannot be deleted, finish step 3 first, reboot, and delete it then.
3. Open Registry Editor (Start, Run, enter: regedit) and remove the value "Task" under
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
   and the key
   [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
4. Since the worm also listens on port 5422 and may proxy on port 80, check that no process is still listening on those ports after cleanup, and change any credentials used on the machine while it was infected.

Automatic removal:
- use the free removal tool from BitDefender
- let BitDefender delete/disinfect the files found infected

ANALYZED BY: Patrick Vicol, BitDefender Virus Researcher
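The following PowerShell script is an added example and is not BitDefender's removal tool or any code from the original write-up. It checks a host for the indicators listed above (dropped files with their stated sizes, the Run value, the hijacked CLSID InprocServer32 default, the tasker process, a listener on port 5422 and, optionally, the copies dropped into a file-sharing folder) and, with -Remove, performs the removable part of the manual procedure in the same order. It assumes, since the write-up does not say so, that the listener on 5422 is TCP, that the Kazaa download folder is passed in by hand via -ShareDir, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not BitDefender's tool, not from the original write-up).
# Reports Win32.Mydoom.U@mm indicators; with -Remove, stops the process,
# deletes the Run value and the dropped files. Assumptions not stated on the
# page: the 5422 listener is TCP; the share folder is supplied via -ShareDir.
[CmdletBinding()]
param(
    [switch]$Remove,      # report only unless set
    [string]$ShareDir     # optional: Kazaa download folder to scan for dropped copies
)

$sys    = [Environment]::GetFolderPath('System')   # %SYSTEM%, e.g. C:\Windows\System32
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$clsid  = '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}'
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"

# Dropped files with the sizes given in the write-up.
$files = @{
    (Join-Path $sys 'tasker.exe') = 37888
    (Join-Path $sys 'Nemog.dll')  = 8192
}

$hits = @()

foreach ($path in $files.Keys) {
    if (Test-Path -LiteralPath $path) {
        $len  = (Get-Item -LiteralPath $path).Length
        $note = 'size matches the write-up'
        if ($len -ne $files[$path]) { $note = "size $len differs from the write-up; possibly another variant" }
        $hits += "FILE     $path ($note)"
    }
}

# Run value "Task" pointing at tasker.exe
$task = (Get-ItemProperty -Path $runKey -Name 'Task' -ErrorAction SilentlyContinue).Task
if ($task -match 'tasker\.exe') { $hits += "RUNKEY   $runKey\Task = $task" }

# CLSID InprocServer32 default value redirected to Nemog.dll
$key = Get-Item -LiteralPath $inproc -ErrorAction SilentlyContinue
if ($key -and $key.GetValue('') -match 'Nemog\.dll') {
    $hits += "CLSID    $inproc (Default) = $($key.GetValue(''))"
}

# Running process named tasker
$procs = @(Get-Process -Name tasker -ErrorAction SilentlyContinue)
if ($procs.Count) { $hits += "PROCESS  tasker.exe PID(s): $($procs.Id -join ', ')" }

# Backdoor listener on 5422 (assumed TCP; Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
$listen = Get-NetTCPConnection -LocalPort 5422 -State Listen -ErrorAction SilentlyContinue
if ($listen) { $hits += "LISTEN   TCP 5422 owned by PID $($listen.OwningProcess -join ', ')" }

# Copies dropped into the share folder: <name from the write-up>.<bat|pif|scr|exe>
if ($ShareDir -and (Test-Path -LiteralPath $ShareDir)) {
    $names = 'XXX Pictures','XXX Videos','xbox emulator','ps2 emulator','Hotmail hacker',
             'yahoo hacker','klez','SoBig','mydoom','netsky','Vahos','Upload','crack',
             'Winzip','kazz','Wenrar','mirc','cleaner','SeX','Vaho','Fixtool'
    foreach ($f in Get-ChildItem -LiteralPath $ShareDir -File) {
        if ($f.BaseName -in $names -and $f.Extension -in '.bat','.pif','.scr','.exe') {
            $hits += "SHARE    $($f.FullName)"
        }
    }
}

if (-not $hits) { Write-Output 'No Win32.Mydoom.U@mm indicators found.'; return }
$hits | ForEach-Object { Write-Output $_ }

if ($Remove) {
    # Same order as the manual instructions: stop the process first, otherwise
    # tasker.exe stays locked and can re-create the Run value.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $runKey -Name 'Task' -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath @($files.Keys) -Force -ErrorAction SilentlyContinue
    # Nemog.dll may still be loaded by whichever process instantiated the CLSID.
    # The CLSID key itself is left to the operator: the write-up says to remove
    # it, but does not say whether another component registered it first.
    foreach ($path in $files.Keys) {
        if (Test-Path -LiteralPath $path) {
            Write-Warning "$path is still present (probably locked); remove it after a reboot."
        }
    }
    Write-Warning "Remove or restore HKCR\CLSID\$clsid manually, then verify nothing listens on 5422 or 80."
}
```

Run it once without -Remove to see what it finds; a tasker.exe whose size differs from 37,888 bytes, or a Nemog.dll that is not 8,192 bytes, is reported but flagged so that a different variant is not mistaken for this one.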