Description
Win32.HLLM.MyDoom.44544 is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. Its executable module is packed with UPX; the packed size of the worm is 44,544 bytes.
Launching
To secure its automatic execution at every Windows startup, the worm adds the following value to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"SVHOST" = "%SysDir%\SVHOST.EXE"
Spreading
The worm spreads via e-mail using its own SMTP engine. It harvests addresses from files with the following extensions:
adb
asp
dbx
htm
php
sht
tbb
wab
The mail message carrying the worm may look as follows:
From:
The sender's name is a proper name written in lower case, for example alex, john or sam
Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message body:
test
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The attachment name carries two extensions: the first is .doc, .htm or .txt, and the second is .cmd, .exe, .pif, .scr or .zip.
The base name is chosen from the following list:
body
data
doc
document
file
message
readme
test
text
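As an added detection example (not part of the original description), a small Python filter that flags a message when its attachment name, subject and body match the patterns listed above. The attachment check is mandatory because subjects such as "test" or "hello" are far too common on their own; the sample messages are constructed.

```python
import re

# Indicators taken from the description above (compared case-insensitively).
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODIES = {
    "test",
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
BASE_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
FIRST_EXT = {"doc", "htm", "txt"}
SECOND_EXT = {"cmd", "exe", "pif", "scr", "zip"}

# <base>.<first ext>.<second ext>, e.g. document.txt.scr
ATTACH_RE = re.compile(r"^(?P<base>[a-z]+)\.(?P<first>[a-z]+)\.(?P<second>[a-z]+)$", re.I)


def attachment_suspicious(filename: str) -> bool:
    """True if the filename has the double-extension shape the worm uses."""
    m = ATTACH_RE.match(filename.strip())
    if not m:
        return False
    return (m["base"].lower() in BASE_NAMES
            and m["first"].lower() in FIRST_EXT
            and m["second"].lower() in SECOND_EXT)


def classify(subject: str, body: str, attachments: list[str]) -> dict:
    """Return which indicators matched and an overall verdict."""
    hits = {
        "subject": subject.strip().lower() in SUBJECTS,
        # collapse line breaks so the two-line body text still matches
        "body": " ".join(body.split()).lower() in BODIES,
        "attachment": any(attachment_suspicious(a) for a in attachments),
    }
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


# Constructed sample messages (not real captures): (subject, body, attachments)
SAMPLES = [
    ("Mail Transaction Failed",
     "Mail transaction failed. Partial message is available.", ["message.doc.pif"]),
    ("hello", "see the attached notes", ["notes.txt"]),
]


def scan_samples() -> list[bool]:
    return [classify(s, b, a)["verdict"] for s, b, a in SAMPLES]
```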
Action
When executed, the worm launches Notepad and opens a file called Message, which it creates in the Temp folder. The file contains random garbage.
The worm copies itself to the Windows system folder (in Windows 9x/Me this is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32) as SVHOST.EXE.
The worm deletes the value TaskMon from the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\