MyDoom.F is a mass-mailing email worm that also spreads via mapped network drives. MyDoom.F contains a malicious payload, seeking out and deleting certain file types found on local and mapped drives. The worm also launches a DoS against both www.microsoft.com and www.riaa.com. As with previous MyDoom variants, MyDoom.F installs a backdoor on infected systems which can then be used to download and execute arbitrary files.
Following the MyDoom.A and MyDoom.B worms, several 'toolkits' and worms were discovered exploiting the backdoors. It is safe to assume the situation will repeat itself with MyDoom.F.
MyDoom.F uses its own SMTP engine to send its infected email, thus copies will not appear in the user's Sent Items folder. The email composed by the worm varies. The From address may be spoofed, filled with random characters, or appear blank. The spoofed address may be formed by prepending a domain name found on the infected system with any one of the following: alex, billsmith, james, jerry, jim, john, or sam.
The subject line might appear blank or it may contain random selections from strings in the worm's code. Likewise, the message body is randomly composed from a long list of possibilities.
The MyDoom.F email attachment is also randomly named based on an internal list. Some of the attachments may be sent as ZIP archives while others will have either a .BAT, .CMD, .COM, .EXE, .SCR, or .PIF extension. When sent as a ZIP archive, the enclosed executable will have the same random name as does the ZIP file.
The icon of the attachment will appear to be that of a text file.
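As an added example (not part of the original article), a small Python mail-gateway check that flags the message characteristics just described: a From local-part drawn from the worm's spoof list, a blank subject, and an executable attachment or a ZIP that wraps an executable carrying the archive's own name. The sample message it scans is constructed here and is not a real capture.

```python
import io, os, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the MyDoom.F description above.
SPOOFED_LOCAL_PARTS = {"alex", "billsmith", "james", "jerry", "jim", "john", "sam"}
EXEC_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".scr", ".pif"}

def attachment_indicators(part) -> list:
    """Indicators for one MIME attachment: bare executable, or a ZIP wrapping a same-named one."""
    hits = []
    name = part.get_filename() or ""
    stem, ext = os.path.splitext(name.lower())
    if ext in EXEC_EXTENSIONS:
        hits.append(f"executable attachment: {name}")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                for member in zf.namelist():
                    m_stem, m_ext = os.path.splitext(member.lower())
                    if m_ext in EXEC_EXTENSIONS and m_stem == stem:
                        hits.append(f"zip {name} wraps same-named executable {member}")
        except zipfile.BadZipFile:
            hits.append(f"zip attachment {name} is not a valid archive")
    return hits

def scan_message(raw: bytes) -> list:
    """Return MyDoom.F-style indicators found in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if local in SPOOFED_LOCAL_PARTS:
        hits.append(f"From local-part '{local}' is on the worm's spoof list")
    if not str(msg.get("Subject", "")).strip():
        hits.append("blank subject")
    for part in msg.iter_attachments():
        hits.extend(attachment_indicators(part))
    return hits

def build_sample() -> bytes:
    """Constructed sample (not a real capture): spoofed From, no Subject, ZIP of readme.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.exe", b"MZ placeholder bytes, constructed for the example")
    msg = EmailMessage()
    msg["From"] = "jim@example.com"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="readme.zip")
    return msg.as_bytes()
```

Calling scan_message(build_sample()) returns three indicators for the constructed message; a ZIP whose inner executable does not reuse the archive name is deliberately not flagged, matching the behaviour described above.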
Page two of this feature includes a complete list of possible subject, message body, and attachment names.
When the MyDoom.F attachment is opened, the worm may display a fake error message, titled "Error". The dialog text may be any one of the following:
- File is corrupted
- File cannot be opened
- Unable to open specified file
MyDoom.F also may launch Notepad.exe, displaying nonsense characters in the Notepad window.
MyDoom.F copies itself to the Windows System directory using a random filename with a .EXE extension and then modifies either the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key or the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key to add a value for the dropped copy, allowing it to run when Windows is restarted. MyDoom.F also adds the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell
MyDoom.F drops a randomly named .dll in the Windows System directory, which is the backdoor component of the worm. The .dll listens on port 1080 and, as with previous MyDoom variants, has the ability to download and execute arbitrary files. MyDoom.F also opens a range of ports between 3000 and 5000.
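As an added example (not from the original article), Python triage logic that checks collected host state for the indicators described above: Run values that start an .exe from the System directory, the two Shell keys, and TCP listeners on 1080 or in the 3000-5000 range. The Run values, present keys and netstat lines are assumed to have been gathered separately; the sample data below is constructed.

```python
import re

# Network indicators from the description: backdoor listener on TCP 1080, extra ports 3000-5000.
BACKDOOR_PORT = 1080
EXTRA_PORTS = range(3000, 5001)
# Keys the description says the worm adds; neither exists on a clean installation.
SHELL_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell",
}
# A Run value starting an .exe from the Windows System directory; legitimate entries can match
# too, so treat hits as review items to compare against a known-good list.
SYSTEM_DIR_EXE = re.compile(r'\\(?:windows|winnt)\\system32\\[^\\\s"]+\.exe\b', re.I)
# One `netstat -ano` line: proto, local addr:port, foreign addr, state, pid.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.I)

def triage(run_values: dict, present_keys: set, netstat_lines: list) -> list:
    """Return review items that match the MyDoom.F host indicators described above."""
    findings = []
    for name, cmd in run_values.items():
        if SYSTEM_DIR_EXE.search(cmd):
            findings.append(f"Run value '{name}' starts an .exe from the System directory: {cmd}")
    for key in sorted(SHELL_KEYS & present_keys):
        findings.append(f"unexpected key present: {key}")
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), m.group(2)
        if port == BACKDOOR_PORT:
            findings.append(f"TCP {port} listening (pid {pid}) matches the backdoor port")
        elif port in EXTRA_PORTS:
            findings.append(f"TCP {port} listening (pid {pid}) falls in the 3000-5000 range")
    return findings

# Constructed sample data standing in for collected host state; not from a real infection.
SAMPLE_RUN = {"SystemTray": "SysTray.Exe", "qwfzhb": r"C:\WINDOWS\System32\qwfzhb.exe"}
SAMPLE_KEYS = {r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING       768",
    "  TCP    0.0.0.0:1080     0.0.0.0:0        LISTENING       1204",
    "  TCP    0.0.0.0:3217     0.0.0.0:0        LISTENING       1204",
    "  TCP    192.0.2.10:1045  192.0.2.20:80    ESTABLISHED     1204",
]

if __name__ == "__main__":
    for item in triage(SAMPLE_RUN, SAMPLE_KEYS, SAMPLE_NETSTAT):
        print(item)
```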
The .dll is also responsible for terminating certain antivirus and security processes running on the infected system. To do so, the MyDoom.F .dll searches for any processes that contain the following strings:
- reged
- taskmo
- taskmg
- avp.
- avp32
- norton
- navapw
- navw3
- intrena
- mcafe
MyDoom.F also copies itself as either a ZIP archive or .EXE in various directories on local and mapped drives. Filenames are random, but each is 34 KB in size.
MyDoom.F has a malicious payload, searching for mapped drives C: to Z: and deleting any files found with the following extensions: AVI, BMP, DOC, JPG, MDB, SAV, or XLS.
If the local system date is between the 17th and 22nd of any month, MyDoom.F will attempt to launch a DoS against www.microsoft.com and www.riaa.com. There is a 68% chance of an attack on the former and a 32% chance on the latter. MyDoom.F launches the DoS by creating a random number of new threads, all sending GET requests via port 80 to the targeted website.