W32/MyDoom-BC

Taken From http://www.sophos.com/virusinfo/analyses/w32mydoombc.html

Description:
W32/MyDoom-BC is an email worm for the Windows platform.

Email sent by the worm has characteristics similar to the following examples:

Subject line:

hi
error
test
Message could not be delivered

Message body:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

Attached file:

attachment.com
letter.zip
<username>.exe

Side effects:

    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases:

    * Email-Worm.Win32.Mydoom.am
    * W32/Mydoom.bc@MM
    * W32/Mydoom.db@MM
    * Worm.Mydoom.M-2

Technical Details:
W32/MyDoom-BC is an email worm. When first run, the worm copies itself to either the Windows folder or the Temp folder as java.exe, and adds one of the following registry entries to ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BC also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-BC searches the hard disk for email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX, and the Windows address book. In addition, the worm may use an internet search engine to find more email addresses: it sends a query to the search engine using domain names from email addresses found on the hard disk and then examines the query results, looking for more addresses. The internet search engines used by W32/MyDoom-BC, and the percentage chance that each is used, are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to, W32/MyDoom-BC will avoid addresses which contain any of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or domain
or using one of the following names:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

with an optional extension of DOC, TXT, HTM or HTML, followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described.
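The attachment naming scheme above (fixed base name or recipient username/domain, optional decoy document extension, space padding, then an executable extension, possibly wrapped in a zip) can be turned into a mail-gateway check. The following is an added example written for this page, not Sophos code; the recipient_user and recipient_domain parameters and the sample zip are assumptions constructed here for illustration.

```python
import io
import re
import zipfile

# Attachment naming scheme from the analysis: a base name (one of the fixed words,
# or the recipient's username/domain), an optional decoy document extension,
# a run of spaces, and a final executable extension. Zips may wrap such a file.
BASE_NAMES = {"attachment", "document", "file", "instruction", "letter",
              "mail", "message", "readme", "text", "transcript"}
NAME_RE = re.compile(
    r"^(?P<base>.+?)"                  # base name (non-greedy)
    r"(?:\.(?P<doc>doc|txt|html?))?"   # optional decoy extension
    r"(?P<pad> *)"                     # space padding that hides the real one
    r"\.(?P<exe>exe|com|bat|cmd|scr|pif)$",
    re.IGNORECASE,
)

def classify_name(name, recipient_user=None, recipient_domain=None):
    """Return a short reason if `name` fits the worm's scheme, else None.

    recipient_user / recipient_domain are hypothetical inputs taken from the
    message envelope so that "<username>.exe"-style names are caught too.
    """
    m = NAME_RE.match(name)
    if not m:
        return None
    base = m.group("base").lower()
    personal = {s.lower() for s in (recipient_user, recipient_domain) if s}
    if base not in BASE_NAMES and base not in personal:
        return None
    reasons = ["executable extension ." + m.group("exe").lower()]
    if m.group("doc"):
        reasons.append("decoy ." + m.group("doc").lower())
    if m.group("pad"):
        reasons.append("%d padding spaces" % len(m.group("pad")))
    return "; ".join(reasons)

def classify_zip(data, **kw):
    """Look inside a zip attachment (bytes) and classify each member name."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reason = classify_name(member, **kw)
            if reason:
                hits[member] = reason
    return hits

def build_sample_zip():
    """Constructed sample, not a real worm file: a zip shaped like letter.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.txt" + " " * 40 + ".scr", b"harmless placeholder")
    return buf.getvalue()
```

A name like `invoice.exe` is deliberately not flagged: the base name is outside the list and not the recipient's own, so the check stays tied to this worm's scheme rather than blocking every executable.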

W32/MyDoom-BC drops a file named services.exe in the Windows or Temp folder and runs the file.

Services.exe adds the following registry entry (key, value name, value data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
<Windows or Temp folder>\services.exe

W32/MyDoom-BC also attempts to download and run files from several websites.
At the time of writing the downloaded files are detected by Sophos's anti-virus products as Troj/Surila-P.
