Threat Encyclopedia

Win32/Mydoom.Q

MyDoom.Q is an internet worm spreading via e-mail and file-sharing networks. It is 21008 bytes in size. The worm is written in MS C++ and is packed by UPX.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

Upon execution the worm copies itself into the Windows folder as "lsass.exe". It also creates a randomly named file with the extension .txt in the temp folder.

The worm adds the following registry entry so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Traybar" = "%WINDOWS%\lsass.exe"

The worm creates the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\POSIX
HKLM\Software\Microsoft\Windows\CurrentVersion\POSIX

The worm searches the hard disk for folders whose names match:

download
incoming
share
ftproot

and places several copies of the worm there with the following filenames:

index
Kazaa Lite
Harry Potter
ICQ 4 Lite
WinRAR.v.3.2.and.key
Winamp 5.0 (en) Crack
Winamp 5.0 (en)

The created files have one of the following file extensions:

exe
com
scr
ShareReactor.com

The worm searches files with the extensions *.doc, *.htm, *.txt to collect e-mail addresses, then sends a copy of itself to these addresses using its own SMTP engine.

The worm will not send emails to email addresses that contain one of the following strings:

.gov .mil abus accoun admi anyone arin. avp bar. bug contact crosoft domain example feste foo.
gmail gnu. gold-certs google gov. help hotmail info james john labs listserv master math microsoft
msn. nobody noone not nothing ntivi ophos page panda privacycertific rarsoft rating ripe. root
sales sample sarc. seclist secur service sf.net site soft someone sourceforge spam spersk submit
suppor syma the.bat update uslis winzip you your  

Infected emails look like this:

The sender address is spoofed, using one of the e-mail addresses harvested from the files above. The worm may also construct a sender address using one of the following strings:

Postmaster
Mail Administrator
Automatic Email Delivery Software
Post Office
The Post Office
Bounced mail
Returned mail
MAILER-DAEMON
Mail Delivery Subsystem

The subject is chosen from one of the following strings:

say helo to my litl friend
click me baby, one more time
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message body is randomly picked from:

The original message was included as attachment

Message could not be delivered

This Message was undeliverable due to the following reason:

Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

Your message was not delivered within {random value} days:
Host {hostname of spoofed from address} is not responding.

Please reply to postmaster {hostname of spoofed from address}
if you feel this message to be in error.

The original message was received at {time}
from {To address of message}

The following recipients did not receive this message:
{spoofed from address} 

----- The following addresses had permanent fatal errors -----

{to address of message}

----- Transcript of session follows -----

while talking to {hostname of To address}.:
>>> MAIL From:{From address of message}
<<< 501 {hostname of From address}... Refused 

The original message was received at {time}
from {From address of message} 

----- The following addresses had permanent fatal errors -----

The worm generates the attachment filename from domain names it found in the files scanned on the local system. The attachment may also use one of the following names:

attachment, document, file, letter, mail, message, readme, text, transcript

with one of the following extensions:

*.bat, *.cmd, *.com, *.exe, *.pif, *.scr, *.zip

This worm contains a backdoor component that listens on port 1042.
MyDoom.Q also records keystrokes.
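As an added triage example (not the encyclopedia's or any vendor's own tooling), the checks below encode the indicators listed on this page so they can be run over registry, file-path and mail records exported from a host or gateway; the indicator lists are taken from the text above and lower-cased for matching, while the substring match on share-folder names and the sample records in the usage are assumptions.

```python
import ntpath
import re

RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
POSIX_KEYS = {r"hkcu\software\microsoft\windows\currentversion\posix",
              r"hklm\software\microsoft\windows\currentversion\posix"}
SHARE_DIRS = ("download", "incoming", "share", "ftproot")
DROP_NAMES = {"index", "kazaa lite", "harry potter", "icq 4 lite",
              "winrar.v.3.2.and.key", "winamp 5.0 (en) crack", "winamp 5.0 (en)"}
DROP_EXTS = ("sharereactor.com", "exe", "com", "scr")  # longest first
SUBJECTS = {"say helo to my litl friend", "click me baby, one more time", "hello",
            "hi", "error", "status", "test", "report", "delivery failed",
            "message could not be delivered", "mail system error - returned mail",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details",
            "returned mail: data format error"}
ATTACH_RE = re.compile(r"^(attachment|document|file|letter|mail|message|readme|text"
                       r"|transcript)\.(bat|cmd|com|exe|pif|scr|zip)$", re.I)

def check_registry(values, keys, system_dir=r"C:\WINDOWS\SYSTEM32"):
    """values: (key, name, data) triples; keys: key paths present on the host.
    The genuine lsass.exe lives in %system%; the worm's copy sits in %windir%."""
    hits = []
    for key, name, data in values:
        path = data.strip('"')
        if (key.lower() == RUN_KEY and name.lower() == "traybar"
                and ntpath.basename(path).lower() == "lsass.exe"
                and ntpath.dirname(path).lower() != system_dir.lower()):
            hits.append("autorun: " + path)
    hits += ["marker key: " + k for k in keys if k.lower() in POSIX_KEYS]
    return hits

def check_dropped_files(paths):
    """Flags a dropped copy: a path component containing a share-folder name
    (substring match is an assumption) plus a listed filename and extension."""
    hits = []
    for p in paths:
        directory, fname = ntpath.split(p)
        comps = ntpath.normpath(directory).lower().split("\\")
        low = fname.lower()
        ext = next((e for e in DROP_EXTS if low.endswith("." + e)), None)
        if (ext and any(s in c for c in comps for s in SHARE_DIRS)
                and low[:-len(ext) - 1] in DROP_NAMES):
            hits.append(p)
    return hits

def check_email(subject, attachment):
    """Flags a message whose subject / attachment name matches the worm's lures."""
    hit_subject = subject.strip().lower() in SUBJECTS
    hit_attach = bool(attachment and ATTACH_RE.match(attachment))
    return [r for r, h in (("lure subject", hit_subject),
                           ("lure attachment", hit_attach)) if h]
```

The registry check deliberately treats an lsass.exe outside %system% as suspicious even if the value name were changed, so it also catches the case where only the path is preserved.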