Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mydoom.R

Win32/Mydoom.R is an e-mail worm for Microsoft Windows systems. Its executable is approximately 28 kilobytes long and is compressed with UPX; after decompression its size is about 40 kB.

Upon execution the worm copies itself into %windir% under the name java.exe. It also saves a file called services.exe there; this file is a backdoor component that operates on TCP port 1034.

The following Registry entries are set to point to worm executables:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services

The first entry contains the path to java.exe, and the other points to services.exe.
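As an added illustration (not part of the original encyclopedia entry and not an ESET tool), the following Python script shows how a responder could check an exported copy of the Run key for the two persistence entries described above. It assumes the key was dumped as text with "reg export" and that %windir% is C:\WINDOWS; the export shown is constructed for the example. The legitimate services.exe lives in %windir%\System32, so a services.exe sitting directly in %windir% is itself the detail that separates the worm's copy from the real one.

```python
"""Added example: spot the Win32/Mydoom.R Run-key persistence in a .reg export.
The export below is constructed for this example, not taken from a real host."""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Value names and file names given in the encyclopedia entry.
WORM_VALUE_NAMES = {"JavaVM", "Services"}
WORM_FILE_NAMES = {"java.exe", "services.exe"}

# Constructed `reg export` text (assumes %windir% is C:\WINDOWS). Two benign
# entries are mixed in so the check has something to leave alone.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\System32\\soundman.exe"
"JavaVM"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\services.exe"
"JavaUpdate"="C:\\Program Files\\Java\\jusched.exe"
'''

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str, key: str = RUN_KEY) -> dict[str, str]:
    """Return {value name: data} for the string values under `key` in a .reg dump."""
    values: dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _REG_VALUE.match(line) if in_key else None
        if m:
            # .reg files escape backslashes and double quotes; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values


def find_mydoom_r_persistence(reg_text: str, windir: str = r"C:\WINDOWS") -> dict[str, str]:
    """Return {value name: target path} for Run entries matching the worm's drop pattern.

    A Run value is reported when it uses one of the two value names the worm
    registers, or when it launches java.exe or services.exe from %windir%
    itself rather than a subdirectory (the legitimate services.exe lives in
    %windir%\\System32, so its location is the distinguishing detail).
    """
    windir_path = PureWindowsPath(windir)
    hits: dict[str, str] = {}
    for name, data in parse_run_values(reg_text).items():
        target = PureWindowsPath(data.strip('"'))
        dropped_in_windir = (target.name.lower() in WORM_FILE_NAMES
                             and target.parent == windir_path)
        if name in WORM_VALUE_NAMES or dropped_in_windir:
            hits[name] = str(target)
    return hits


if __name__ == "__main__":
    for name, path in find_mydoom_r_persistence(SAMPLE_REG_EXPORT).items():
        print(f"suspicious Run entry {name!r} -> {path}")
```

On a live host the same comparison can be run against the output of "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg"; the parser ignores every key other than the Run key, so a larger export is fine.
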

The worm looks for e-mail addresses in local files having one of the following extensions:

adb
asp
dbx
ht*
ph*
pl*
sht
tbb
tx*
wab

It also tries to search for addresses using Google, Yahoo, Lycos and Altavista. Win32/Mydoom.R filters the addresses it finds using a long list of strings. If one of the strings is contained in an address, the address is ignored.

The sender address of the messages sent by Win32/Mydoom.R is spoofed. Their subject is one of the following:

Delivery reports about your e-mail
Mail System Error - Returned Mail
Message could not be delivered
Returned mail: Data format error
Returned mail: see transcript for details
delivery failed
error
hello
report
status
test

There are three main types of messages sent by Win32/Mydoom.R:

Message 1:

Dear user of <server>,
Mail server admistration of <server> would like to inform you that:
We have reveived reports that your e-mail account was used to send a huge
amount of junk e-mail during the recent week.
Most likely, your computer was infected by a recent virus and now runs a
hidden proxy server.

We recommend you to follow the instructions in the attached file in order
to keep your computer safe.

Best wishes
<server> technical support team.

Message 2:

This message was not delivered due to the following reason:

Your message was not delivered because the destination server was
unreachable within the allowed queue period. The amount of time a
message is queued before it is returned depends on local configura-
tion parameters.

Most likely there is a network problem that prevented delivery, but it
is also possible that the computer is turned off, or does not have a mail
system running right now.

Your message could not be delivered within <number> days:
Mail server <mailserver> is not responding.

The followind recipients did not receive this message:
<recipients>

Please reply to postmaster@<server>
if you feel this message to be in error.

Message 3:

The original message was received at <time> from <host>
----- The following addresses had permanent fatal errors ---
--
----- Transcript of session follows -----
... while talking to server <host>
>>> MAIL FROM:<address>
<<< 50<digit> Refused

Appropriate strings are substituted for <server>, <address>, <digit> and <recipients>. There are many more messages Win32/Mydoom.R can send; these are only examples, and actual e-mails may vary slightly.

E-mails sent by Win32/Mydoom.R carry the worm either as an executable or inside a ZIP archive. The name of the attachment is either generated from the recipient's e-mail address or taken from one of the following words:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

The filename extension is one of the following:

bat
cmd
com
exe
pif
scr
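The subject list, attachment base names and extensions above are enough to write a simple mail-gateway check. The following Python code is an added example, not part of the encyclopedia entry and not ESET code: it parses an RFC 5322 message, looks inside ZIP attachments, and reports the message only when the subject is on the worm's list and an attachment (or archive member) carries one of the executable extensions together with either a generic base name or the recipient's local part. Both sample messages are constructed here; the example.com addresses and the file contents are placeholders.

```python
"""Added example: gateway-style check for the Win32/Mydoom.R mail pattern.
Constructed sample messages only; no worm content and no ESET code."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lists as given in the encyclopedia entry (compared case-insensitively).
SUBJECTS = {
    "delivery reports about your e-mail", "mail system error - returned mail",
    "message could not be delivered", "returned mail: data format error",
    "returned mail: see transcript for details", "delivery failed",
    "error", "hello", "report", "status", "test",
}
ATTACHMENT_WORDS = {"attachment", "document", "file", "instruction", "letter",
                    "mail", "message", "readme", "text", "transcript"}
EXEC_EXTENSIONS = {"bat", "cmd", "com", "exe", "pif", "scr"}


def _split_ext(filename: str) -> tuple[str, str]:
    """Lower-cased (base, extension); extension is '' when there is none."""
    base, dot, ext = filename.rpartition(".")
    return (base.lower(), ext.lower()) if dot else (filename.lower(), "")


def _recipient_localparts(msg: EmailMessage) -> set[str]:
    """Local parts of all To/Cc addresses; the worm derives attachment names from them."""
    parts: set[str] = set()
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            parts.update(addr.username.lower() for addr in value.addresses)
    return parts


def _name_reasons(filename: str, localparts: set[str], where: str) -> list[str]:
    """Indicators for one file name; empty unless the extension is executable."""
    base, ext = _split_ext(filename)
    if ext not in EXEC_EXTENSIONS:
        return []
    reasons = [f"{where} '{filename}' has executable extension .{ext}"]
    if base in ATTACHMENT_WORDS:
        reasons.append(f"{where} base name '{base}' is one of the worm's generic names")
    if base in localparts:
        reasons.append(f"{where} base name '{base}' matches a recipient's local part")
    return reasons


def assess_message(raw: bytes) -> list[str]:
    """Return the indicators found in one message; [] means no match.

    Subjects such as 'hello' or 'test' are common in legitimate mail, so a
    message is reported only when the subject AND an attachment both match.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg.get("Subject") or "").strip()
    localparts = _recipient_localparts(msg)
    reasons: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons += _name_reasons(name, localparts, "attachment")
        if _split_ext(name)[1] == "zip":  # the worm also ships inside a ZIP
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        reasons += _name_reasons(member, localparts, "zip member")
            except zipfile.BadZipFile:
                pass  # not a real archive; nothing more to inspect here
    if subject.lower() in SUBJECTS and reasons:
        return [f"subject '{subject}' is on the worm's subject list"] + reasons
    return []


def _constructed_zip() -> bytes:
    """In-memory ZIP holding a placeholder file named after the recipient."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("alice.exe", b"placeholder bytes, not an executable")
    return buf.getvalue()


def build_sample_bounce() -> bytes:
    """Constructed message in the style of 'Message 2' above (placeholder text)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.org"  # the real worm spoofs this header
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("Your message could not be delivered within 3 days:\n"
                    "Mail server mx.example.org is not responding.\n")
    msg.add_attachment(_constructed_zip(), maintype="application",
                       subtype="zip", filename="alice.zip")
    return msg.as_bytes()


def build_sample_clean() -> bytes:
    """Constructed benign message sharing a listed subject but no executable."""
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "hello"
    msg.set_content("Minutes from today's meeting are attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("bounce", build_sample_bounce()), ("clean", build_sample_clean())):
        print(label, "->", assess_message(raw) or "no indicators")
```

Requiring both the subject and the attachment to match keeps the rule from firing on ordinary mail with a subject of "hello" or "test"; the ZIP branch matters because the entry says the worm is delivered either as a bare executable or inside an archive, and a check on the outer file name alone would miss the second case.
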

NOD32 detected the Win32/Mydoom.R worm using advanced heuristics, without requiring an update.
Detection based on a sample has been included since version 1.822.