AlphaOne Technology Support Forums
Virus Alerts  |  Topic: W32.Mydoom.CI@mm  (Read 993 times)
Author: TJ (Tech Team)
W32.Mydoom.CI@mm
« on: October 06, 2005, 01:37:48 AM »

W32.Mydoom.CI@mm is a mass-mailing worm that opens a back door and uses its own SMTP engine to spread through email.

When W32.Mydoom.CI@mm is executed, it performs the following actions:

   1. Creates a copy of itself as %Windir%\java.exe

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

   2. Drops and executes %Windir%\services.exe, which is detected as Backdoor.Zincite.A.

   3. Adds the values:

      "Services" = "%Windir%\services.exe"
      "JavaVM" = "%Windir%\java.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   4. May create %Temp%\zincite.log or %Temp%\[randomly named file].log to log the paths of the files it creates.

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

   5. Gathers email addresses from the compromised computer from files with the following extensions:

          * .doc
          * .txt
          * .htm
          * .html
          * .wab
          * .dbx
          * .adb
          * .asp
          * .plh

   6. Gathers additional email addresses by querying the following search engines:

          * www.altavista.com
          * www.google.com
          * search.lycos.com
          * search.yahoo.com

   7. If the worm detects an open Outlook window, it attempts to close the window and send itself to email addresses it gathers. The email will have the following characteristics:

      From: Spoofed

      Subject:
      One of the following:

          * hello
          * error
          * status
          * test
          * report
          * delivery failed
          * Message could not be delivered
          * Mail System Error - Returned Mail
          * Delivery reports about your e-mail
          * Returned mail: see transcript for details
          * Returned mail: Data format error

      Message:
      One of the following:

          * Dear user {[To address of mail]|of [doma [REMOVED] [domain of To address] {support |}team.}
          * {The|This|Your} message was{ undeliverab [REMOVED] ot have a mail system running right now.
          * Your message {was not|could not be} deli [REMOVED] nal message was included as attachment
          * {{The|Your} m|M}essage could not be delivered

      Attachment:
      One of the following:

          * readme
          * instruction
          * transcript
          * mail
          * letter
          * file
          * text
          * attachment
          * document
          * message
          * [The Recipient's domain name]

      with one of the following extensions:

          * cmd
          * bat
          * com
          * exe
          * pif
          * scr

      The worm does not send itself to addresses containing the following strings:

          * mailer-d
          * spam
          * abuse
          * master
          * sample
          * accoun
          * privacycertific
          * bugs
          * listserv
          * submit
          * ntivi
          * support
          * admin
          * page
          * the.bat
          * gold-certs
          * feste
          * not
          * help
          * foo
          * soft
          * site
          * rating
          * you
          * your
          * someone
          * anyone
          * nothing
          * nobody
          * noone
          * info
          * winrar
          * winzip
          * rarsoft
          * sf.net
          * sourceforge
          * ripe.
          * arin.
          * google
          * gnu.
          * gmail
          * seclist
          * secur
          * bar.
          * foo.com
          * trend
          * update
          * uslis
          * domain
          * example
          * sophos
          * yahoo
          * spersk
          * panda
          * hotmail
          * msn.
          * msdn.
          * microsoft
          * sarc.
          * syma
          * avp

REMOVAL INSTRUCTIONS

See: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ci@mm.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the values:

      "Services" = "%Windir%\services.exe"
      "JavaVM" = "%Windir%\java.exe"

   6. Exit the Registry Editor.
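The e-mail characteristics listed in the post (template subjects, template attachment names with an executable extension, and the address substrings the worm refuses to mail) are enough to build a mail-gateway heuristic. The script below is an added example, not code from the forum post or from Symantec's writeup: the four lists are copied from the post, while the function names (`would_be_targeted`, `attachment_matches`, `classify`), the domain `acme.test` and the sample messages are this example's own constructed assumptions. It parses an RFC 5322 message with the standard library, checks the subject against the template set, checks every attachment name against the base-name set (or the recipient's domain, which the worm also uses) plus the extension set, and reports a verdict only when both the subject and the attachment match, since either alone is common in legitimate bounce traffic.

```python
"""Mail-gateway heuristic for the W32.Mydoom.CI@mm lure described above.

Added example, not part of the forum post or Symantec's writeup. The subject,
attachment-name, extension and skip-string lists are copied from the post; the
function names, the domain acme.test and the sample messages are constructed
for this example only.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Subject lines the worm chooses from (from the post), lower-cased for matching.
SUBJECTS = {
    "hello", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
# Attachment base names and extensions (from the post). The post also says
# the recipient's domain name is used as a base name; handled in the function.
ATTACHMENT_NAMES = {
    "readme", "instruction", "transcript", "mail", "letter", "file", "text",
    "attachment", "document", "message",
}
ATTACHMENT_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr"}
# Substrings that make the worm skip an address (from the post).
SKIP_SUBSTRINGS = [
    "mailer-d", "spam", "abuse", "master", "sample", "accoun", "privacycertific",
    "bugs", "listserv", "submit", "ntivi", "support", "admin", "page", "the.bat",
    "gold-certs", "feste", "not", "help", "foo", "soft", "site", "rating", "you",
    "your", "someone", "anyone", "nothing", "nobody", "noone", "info", "winrar",
    "winzip", "rarsoft", "sf.net", "sourceforge", "ripe.", "arin.", "google",
    "gnu.", "gmail", "seclist", "secur", "bar.", "foo.com", "trend", "update",
    "uslis", "domain", "example", "sophos", "yahoo", "spersk", "panda", "hotmail",
    "msn.", "msdn.", "microsoft", "sarc.", "syma", "avp",
]


def would_be_targeted(address: str) -> bool:
    """True if the worm would mail this address (no skip substring present)."""
    addr = address.lower()
    return not any(s in addr for s in SKIP_SUBSTRINGS)


def attachment_matches(filename: str, recipient_domain: str) -> bool:
    """True if the name follows the worm's <base>.<ext> pattern."""
    base, sep, ext = filename.lower().rpartition(".")
    if not sep or ext not in ATTACHMENT_EXTS:
        return False
    return base in ATTACHMENT_NAMES or base == recipient_domain.lower()


def classify(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which lure indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    _, to_addr = email.utils.parseaddr(str(msg["to"] or ""))
    domain = to_addr.rpartition("@")[2]
    hits = {
        "subject": subject in SUBJECTS,
        "attachment": any(
            attachment_matches(part.get_filename() or "", domain)
            for part in msg.iter_attachments()
        ),
        # Whether the worm would have sent to this recipient at all.
        "recipient_plausible": bool(to_addr) and would_be_targeted(to_addr),
    }
    # Template subject AND template executable attachment is the strong
    # signal; either one alone is common in legitimate bounce mail.
    hits["verdict"] = hits["subject"] and hits["attachment"]
    return hits


def build_sample(subject: str, to_addr: str, filename: str) -> bytes:
    """Constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "postmaster@acme.test"  # the worm spoofs From; arbitrary here
    m["To"] = to_addr
    m["Subject"] = subject
    m.set_content("Your message could not be delivered.")
    m.add_attachment(b"MZ placeholder, constructed, not executable",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed inputs: one lure, one benign report, one lure named after the domain.
LURE = build_sample("Returned mail: see transcript for details",
                    "jdoe@acme.test", "transcript.scr")
BENIGN = build_sample("Q3 report", "jdoe@acme.test", "report.pdf")
DOMAIN_NAMED = build_sample("status", "jdoe@acme.test", "acme.test.pif")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN), ("domain", DOMAIN_NAMED)):
        print(name, classify(raw))
```

Note how broad the skip list is: substrings such as "not", "you" and "info" exclude many ordinary mailboxes, so a recipient that the worm would have skipped is itself a hint that a matching message was crafted by something other than this worm.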
Powered by SMF 1.0.7.
© 2001-2005, Lewis Media. All Rights Reserved.