This worm spreads via the Internet as an attachment to infected messages,
and also via the Kazaa file-sharing network.
The worm itself is a Windows PE EXE file which is approximately 24KB in
size and packed using UPX. The unpacked file is approximately 45KB in size.
The worm includes a backdoor function.
Installation
Once launched, Mydoom.d opens Windows Notepad, displaying a random
selection of characters.
When installing itself, the worm copies itself to the Windows system
directory as "taskmon.exe" and registers that file in the system registry so that it
is started automatically:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%System%\taskmon.exe"
This ensures that the worm will be launched each time the system is
rebooted.
The worm creates a file named "shimgapi.dll" in the Windows system
directory. This file is the backdoor, which acts as a proxy server.
Propagation via email
The worm harvests addresses from the machine's address book, and also
from files with the extensions listed below:
adb
asp
dbx
htm
php
pl
sht
tbb
txt
wab
Addresses containing the text strings listed below will be ignored:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
The worm contains its own SMTP engine: it sends messages by connecting directly
to the recipient's mail server rather than through any mail server configured on the infected machine.
Infected messages
Sender's address:
The sender's address is created by combining the elements listed below:
Name
adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
Sender's domain
aol.com
hotmail.com
msn.com
yahoo.com
Message subject (chosen at random from the list below):
Error
hello
hi
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Test
Message body
The message body will be one of a number of versions coded into the worm
e.g.:
test
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment name (chosen at random from the list below):
body
data
doc
document
file
message
readme
test
text
The attached file will have one of the extensions listed below:
bat
cmd
doc
exe
htm
pif
scr
tmp
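The sender, subject, body and attachment tables above are all the worm needs to build a message, and a mail gateway can use the same tables in reverse. The check below is an added example, not code from the original description: it parses a raw message with Python's standard email module, compares each field against the lists transcribed from this page (case-insensitively), and only raises an alert when a worm-style attachment name is backed by at least one other trait, because a subject of "hi" or a file called "test.doc" is far too common to act on alone. The sample messages are constructed inline and the attachment bytes are inert filler.

```python
"""Gateway check for Mydoom.d-style messages (added example, not from the original)."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator strings transcribed from the description above (compared case-insensitively).
SENDER_NAMES = {
    "adam", "alex", "alice", "andrew", "anna", "bill", "bob", "brenda", "brent",
    "brian", "claudia", "dan", "dave", "david", "debby", "fred", "george", "helen",
    "jack", "james", "jane", "jerry", "jim", "jimmy", "joe", "john", "jose", "julie",
    "kevin", "leo", "linda", "maria", "mary", "matt", "michael", "mike", "peter",
    "ray", "robert", "sam", "sandra", "serg", "smith", "stan", "steve", "ted", "tom",
}
SENDER_DOMAINS = {"aol.com", "hotmail.com", "msn.com", "yahoo.com"}
SUBJECTS = {"error", "hello", "hi", "mail delivery system", "mail transaction failed",
            "server report", "status", "test"}
BODIES = {
    "test",
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
ATTACHMENT_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
ATTACHMENT_EXTS = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "tmp"}


def mydoom_indicators(raw: str) -> list[str]:
    """Return the Mydoom.d traits found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits: list[str] = []

    # Sender: one of the hard-coded first names at one of the four free-mail domains.
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    if local in SENDER_NAMES and domain in SENDER_DOMAINS:
        hits.append(f"sender {addr}")

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body text")

    # Attachment: <name>.<ext> with both halves drawn from the worm's tables.
    for part in msg.iter_attachments():
        base, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if base in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS:
            hits.append(f"attachment {part.get_filename()}")
    return hits


def is_suspected_mydoom(raw: str) -> bool:
    """Alert only when a matching attachment is backed by at least one other trait."""
    hits = mydoom_indicators(raw)
    return any(h.startswith("attachment") for h in hits) and len(hits) >= 2


def build_sample(sender: str, subject: str, body: str, filename: str) -> str:
    """Construct a synthetic test message; the attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"inert placeholder, not a real payload",
                       maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    worm_like = build_sample("jim@hotmail.com", "Mail Delivery System",
                             "Mail transaction failed. Partial message is available.",
                             "message.scr")
    print(mydoom_indicators(worm_like))
    print(is_suspected_mydoom(worm_like))
```

The sender check deliberately requires both halves (name and domain) to match; a message from "jim@example.org" or "reports@hotmail.com" scores nothing for the sender, which keeps the rule specific to the worm's own generator rather than to everyone with a free-mail account.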
Propagation via P2P networks
The worm checks to see if a Kazaa client is installed on the
victim machine, and then copies itself to the file-sharing directory under the following
names:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5
with one of the following extensions:
bat
exe
pif
scr
Remote administration
"Shimgapi.dll" functions as a proxy-server. The worm opens TCP port 3127
to listen for commands. The backdoor function provides a malicious remote user with complete
access to the victim machine. In addition to this, the backdoor and download files from the
Internet and launch them on the infected machine.
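Taken together, the Installation and Remote administration sections give three host-level artefacts: the "TaskMon" Run value pointing at taskmon.exe, the dropped files taskmon.exe and shimgapi.dll in the Windows system directory, and a listener on TCP port 3127. The script below is an added example, not code from the original description, that checks all three. The registry read uses the standard winreg module and only runs on Windows; the file and port checks take their inputs as parameters so they can be exercised anywhere. It assumes %SystemRoot%\System32 as the system directory when run unattended, and it treats an open port 3127 as a lead rather than proof, since any service may bind that port.

```python
"""Host indicator check for the Mydoom.d artefacts described above (added example)."""
from __future__ import annotations

import os
import re
import socket
import sys
from pathlib import Path

DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")   # worm body and backdoor DLL
RUN_VALUE_NAME = "taskmon"                          # HKLM\...\Run\TaskMon
BACKDOOR_PORT = 3127                                # listener opened by shimgapi.dll


def read_run_key() -> dict[str, str]:
    """Read HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows.
    Returns an empty dict elsewhere, where winreg is unavailable."""
    if sys.platform != "win32":
        return {}
    import winreg
    values: dict[str, str] = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def check_run_key(values: dict[str, str]) -> list[str]:
    """Match the Run value by its name or by the file it launches (data may be quoted)."""
    hits: list[str] = []
    for name, data in values.items():
        target = data.strip().strip('"').lower()
        launched = re.split(r"[\\/]", target)[-1]    # last path component, either separator
        if name.lower() == RUN_VALUE_NAME or launched == "taskmon.exe":
            hits.append(f"Run value {name!r} = {data!r}")
    return hits


def check_dropped_files(system_dir: Path) -> list[str]:
    """Look for the two files the worm drops into the Windows system directory."""
    return [str(p) for p in (system_dir / name for name in DROPPED_FILES) if p.is_file()]


def port_is_open(host: str = "127.0.0.1", port: int = BACKDOOR_PORT, timeout: float = 1.0) -> bool:
    """TCP connect test. An open 3127 is a lead, not proof: any service may use the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def collect_findings(run_values: dict[str, str], system_dir: Path, backdoor_open: bool) -> list[str]:
    """Combine the three checks into one list of human-readable findings."""
    findings = check_run_key(run_values) + check_dropped_files(system_dir)
    if backdoor_open:
        findings.append(f"TCP port {BACKDOOR_PORT} is accepting connections")
    return findings


if __name__ == "__main__":
    # Assumption: %SystemRoot%\System32 is the system directory the worm wrote to.
    system_dir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    findings = collect_findings(read_run_key(), system_dir, port_is_open())
    for line in findings or ["no Mydoom.d indicators found"]:
        print(line)
```

Matching the Run value on either the value name or the launched file name matters in practice: renaming the value while keeping the path, or vice versa, is the cheapest way for a variant to dodge a check that keys on one field only.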
Other
At 02:28:58 on 14.02.2006, Mydoom.d will cease to function and will no longer propagate.