Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Mydoom.R is an e-mail worm for Microsoft Windows systems. Its file is approximately 28 kB long and is compressed with UPX; after decompression it is about 40 kB.
Upon execution the worm copies itself into %windir% under the name java.exe. It also drops a file called services.exe there; this file is a backdoor component that listens on TCP port 1034. Note that the worm's services.exe sits directly in %windir%, whereas the legitimate Windows services.exe lives in %windir%\system32, so a services.exe one directory up is suspicious on its own.
The following Registry entries are set to point to worm executables:
The first entry contains the path to java.exe, and the other points to services.exe.
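The three host-side indicators above (the two dropped files, the Registry entries pointing at them, and the listener on TCP port 1034) can be checked together. The following is an added example and not part of the original description; it runs over data passed in, so it can be exercised offline against the constructed sample below or fed the real output of `dir`, `reg query` and `netstat -ano`. The Registry key (HKLM\...\Run) and the value names in the sample are assumptions, because the page does not reproduce the entries themselves.

```python
import ntpath
import re

WINDIR = r"C:\WINDOWS"                      # assumed %windir% for the sample data
WORM_FILES = ("java.exe", "services.exe")   # file names from the description
BACKDOOR_PORT = 1034                        # backdoor listener from the description

# One line of `netstat -ano`: proto, local addr:port, foreign addr, state, pid
_NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE
)


def _is_worm_path(path, windir=WINDIR):
    """True if `path` names one of the worm files directly in %windir%."""
    head, name = ntpath.split(path.strip().strip('"'))
    return head.lower() == windir.lower() and name.lower() in WORM_FILES


def find_dropped_files(existing_paths, windir=WINDIR):
    """Worm file names found directly in %windir%.

    The legitimate services.exe is in %windir%\\system32, so a copy one level
    up is suspect by itself; java.exe does not belong in %windir% at all.
    """
    return sorted({ntpath.basename(p).lower()
                   for p in existing_paths if _is_worm_path(p, windir)})


def find_run_entries(run_values, windir=WINDIR):
    """Run-key values whose data points at a worm executable in %windir%.

    `run_values` maps value name -> value data, e.g. parsed from
    `reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`
    (the key is an assumption; the page does not name the entries).
    """
    return sorted(name for name, data in run_values.items()
                  if _is_worm_path(data, windir))


def find_backdoor_listeners(netstat_lines, port=BACKDOOR_PORT):
    """PIDs with a TCP listener on `port`, taken from `netstat -ano` output."""
    pids = []
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids


def assess(existing_paths, run_values, netstat_lines, windir=WINDIR):
    """Combine the three checks into one indicator report."""
    return {
        "dropped_files": find_dropped_files(existing_paths, windir),
        "run_entries": find_run_entries(run_values, windir),
        "backdoor_pids": find_backdoor_listeners(netstat_lines),
    }


# Constructed sample data resembling an infected host (not a real capture).
SAMPLE_PATHS = [
    r"C:\WINDOWS\java.exe",
    r"C:\WINDOWS\services.exe",
    r"C:\WINDOWS\system32\services.exe",   # the legitimate one, must not match
    r"C:\WINDOWS\explorer.exe",
]
SAMPLE_RUN = {                              # value names are made up for the sample
    "JavaVM": r"C:\WINDOWS\java.exe",
    "Services": r"C:\WINDOWS\services.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135       0.0.0.0:0      LISTENING       884",
    "  TCP    0.0.0.0:1034      0.0.0.0:0      LISTENING       1720",
    "  TCP    192.168.1.5:1034  10.0.0.9:445   ESTABLISHED     1720",
    "  UDP    0.0.0.0:1034      *:*                            1720",
]

if __name__ == "__main__":
    print(assess(SAMPLE_PATHS, SAMPLE_RUN, SAMPLE_NETSTAT))
```

Only a listener in LISTENING state on port 1034 counts; an established connection on the same port, or a UDP socket, is not the backdoor and is ignored so that the check does not fire on unrelated traffic.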
The worm looks for e-mail addresses in local files with one of the following extensions:
It also tries to find addresses by querying Google, Yahoo, Lycos and AltaVista. Win32/Mydoom.R filters the addresses it finds against a long list of strings; if any of the strings is contained in an address, that address is ignored.
The sender address of the messages sent by Win32/Mydoom.R is spoofed. Their subject is one of the following:
Delivery reports about your e-mail
Mail System Error - Returned Mail
Message could not be delivered
Returned mail: Data format error
Returned mail: see transcript for details
There are three main types of messages sent by Win32/Mydoom.R. The bodies below are quoted as they appear in the worm's messages, including their misspellings, so that they can be matched verbatim:
Dear user of <server>,
Mail server admistration of <server> would like to inform you that:
We have reveived reports that your e-mail account was used to send a huge
amount of junk e-mail during the recent week.
Most likely, your computer was infected by a recent virus and now runs a
hidden proxy server.
We recommend you to follow the instructions in the attached file in order
to keep your computer safe.
<server> technical support team.
This message was not delivered due to the following reason:
Your message was not delivered because the destination server was
unreachable within the allowed queue period. The amount of time a
message is queued before it is returned depends on local configura-
Most likely there is a network problem that prevented delivery, but it
is also possible that the computer is turned off, or does not have a mail
system running right now.
Your message could not be delivered within <number> days:
Mail server <mailserver> is not responding.
The followind recipients did not receive this message:
Please reply to postmaster@<server>
if you feel this message to be in error.
The original message was received at <time> from <host>
----- The following addresses had permanent fatal errors ---
----- Transcript of session follows -----
... while talking to server <host>
>>> MAIL FROM:<address>
<<< 50<digit> Refused
Appropriate strings are substituted for the placeholders <server>, <mailserver>, <number>, <time>, <host>, <address>, <digit> and <recipients>. Win32/Mydoom.R can send many more messages than these; they are only examples, and actual e-mails may vary slightly.
E-mails sent by Win32/Mydoom.R carry the worm as an executable or as a ZIP archive. The attachment name is either generated from the recipient's e-mail address or taken from one of the following words:
The filename extension is one of the following:
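The mail-side description (fixed subject lines, a spoofed sender, and an executable or ZIP attachment named after the recipient or from a word list) is enough for a gateway rule. The following is an added example, not code from the original description or from NOD32: it flags a message only when one of the five listed subjects is combined with an executable or ZIP attachment, since a genuine bounce from a mail server carries a delivery-status report, not an executable. The executable extension list is an assumption (the page's extension list did not survive), the sample messages are constructed, and the ZIP members are dummy bytes rather than a real sample.

```python
import io
import os
import zipfile

# Subject lines from the description, compared after whitespace/case normalisation.
MYDOOM_R_SUBJECTS = {
    "Delivery reports about your e-mail",
    "Mail System Error - Returned Mail",
    "Message could not be delivered",
    "Returned mail: Data format error",
    "Returned mail: see transcript for details",
}
# The page says the attachment is an executable or a ZIP archive but its
# extension list is missing there; this executable list is an assumption.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat"}


def _norm(text):
    return " ".join((text or "").split()).lower()


_NORMALISED_SUBJECTS = {_norm(s) for s in MYDOOM_R_SUBJECTS}


def executables_in_zip(data):
    """Member names with an executable extension inside ZIP bytes ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data or b"")) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n.lower())[1] in EXEC_EXTS]
    except zipfile.BadZipFile:
        return []


def triage(msg):
    """Break a message down into the Mydoom.R indicators it shows.

    msg keys: subject, to (recipient address), attachment (file name) and,
    optionally, data (the raw attachment bytes, used to look inside a ZIP).
    """
    stem, ext = os.path.splitext((msg.get("attachment") or "").lower())
    if ext in EXEC_EXTS:
        kind = "executable"
    elif ext == ".zip":
        kind = "zip-with-executable" if executables_in_zip(msg.get("data")) else "zip"
    else:
        kind = None
    local_part = (msg.get("to") or "").split("@")[0].lower()
    return {
        "subject_hit": _norm(msg.get("subject")) in _NORMALISED_SUBJECTS,
        "attachment_kind": kind,
        # The worm may name the attachment after the recipient's address.
        "name_from_recipient": bool(stem) and stem == local_part,
    }


def is_mydoom_r_bounce(msg):
    """True when a listed subject is combined with an executable or ZIP attachment."""
    t = triage(msg)
    return t["subject_hit"] and t["attachment_kind"] is not None


def _make_zip(member, payload=b"MZ-dummy-not-a-real-binary"):
    """Build an in-memory ZIP holding one dummy member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed sample messages, not captured mail.
SAMPLE_MESSAGES = [
    {"subject": "Returned mail: see transcript for details", "to": "alice@example.com",
     "attachment": "alice.zip", "data": _make_zip("alice.exe")},
    {"subject": "Mail System Error - Returned Mail", "to": "bob@example.com",
     "attachment": "message.scr"},
    {"subject": "Message could not be delivered", "to": "carol@example.com",
     "attachment": "report.txt"},                       # subject only: not flagged
    {"subject": "Lunch on Friday?", "to": "dave@example.com",
     "attachment": "menu.zip", "data": _make_zip("menu.pdf")},   # harmless ZIP
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", is_mydoom_r_bounce(m), triage(m))
```

Requiring both the subject and the attachment type keeps legitimate bounces with matching subjects (the third sample) from being dropped, while the ZIP inspection catches the archive form of the worm that a plain extension check would miss.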
NOD32 detected the Win32/Mydoom.R worm with its advanced heuristics, without needing an update.
Signature-based detection of the sample has been included since version 1.822.