1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. MyDoom.S

MyDoom.S

NAME:W32/Mydoom.S@MM, I-Worm.Mydoom.q, W32.Mydoom.Q@mm, WORM_RATOS.A
SIZE:27136






Summary


A new variant of MyDoom worm - Mydoom.S, was found on August 16th, 2004. The worm spreads like its previous variants.

Additional Details

The worm's file is a PE executable 27136 bytes long packed with UPX file compressor. The unpacked worm's size is about 53 KiB.

System Infection

The worm will attempt to download an executable from four different URLs stored within its body, such URLs point to two different sites (www.richcolour.com and zenandjuice.com). These sites were shut down by 18th of August, 2004.

Mydoom copies itself as "winpsd.exe" file to Windows System directory and creates a startup key for the copied file in Windows Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "winpsd.exe" = "%WinSysDir%\winlibs.exe"
where %WinSysDir% represents Windows System folder. As a result, the worm's file is started every time Windows starts.

The worm creates a mutex named '43jfds93872'.



Spreading in E-mails

The email-spreading function will expire on August 20th, 2004. After this the worm should not send emails any more.

The worm spreads in e-mails. Before spreading it collects e-mail addresses from an infected computer. The worm reads Windows Address Book file, reads files in Temporary Internet Files folders and Windows System folder. Files with the following extensions are checked:

txt htm sht php asp dbx tbb adb pl wab
The worm doesn't send itself to e-mail addresses that contain any of the following substrings:

avp syma icrosof msn. hotmail panda sopho borlan inpris example mydomai nodomai ruslis .gov gov. .mil foo. berkeley unix math bsd mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla root info samples postmaster webmaster noone nobody nothing anyone someone your you bugs rating site contact soft somebody privacy service help not submit feste gold-certs the.bat page admin icrosoft support ntivi unix bsd linux listserv certific google accoun abuse upport www spm spam www secur


The worm spreads in emails as follows:

Subject: photos
Body: LOL!;))))
Attachment: photos_arc.exe
The worm fakes the sender's e-mail address. It uses the following user names for the fake e-mail address:

john alex michael james mike kevin david george sam andrew jose leo maria jim brian serg mary ray tom peter robert bob jane joe dan dave matt steve smith stan bill bob jack fred ted adam brent alice anna brenda claudia debby helen jerry jimmy julie linda sandra
Payload

The worm alters the infected computer's hosts file in order to prevent the local user and applications from reaching the Anti-Virus vendors' websites, including f-secure.com and www.f-secure.com.



Detection

Detection for MyDoom.S worm is available in the following FSAV update:

[FSAV_Database_Version]
Version=2004-08-16_02

Description: Ero Carrera, August 16th, 2004;