A new variant of the Mydoom worm, Mydoom.AB, was found on September 16th, 2004. It is similar to previous variants: it spreads in emails with varying subject and body texts, and it downloads and activates a backdoor.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm is a PE executable file 69632 bytes long, packed with the UPX file compressor. The unpacked file's size is over 180 KiB.
When run, the worm creates a mutex 'ertglddfgd' and copies itself to the Windows System Directory with a filename picked from:
smss.exe csrss.exe winlogon.exe services.exe
and sets a startup key for that file in System Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32System]
The worm spreads by sending its infected attachment to all email addresses found on an infected computer. It looks for email addresses in the Windows Address Book and in files with the following extensions:
wab xls uin txt tbb stm sht php msg mht mbx jsp htm eml dht dbx cgi cfg asp
The worm avoids sending emails to email addresses that contain any of the following substrings:
avp. syman icrosof panda sopho borlan inpris example mydomai nodomai ruslis icrosoft .gov gov. .mil @foo. @iana spam unix linux kasp antivi messagelabs support berkeley unix math mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla icq.com admin icrosoft support ntivi unix bsd linux listserv certific google accoun abuse upport www root info samples postmaster rating root news webmaster noone noreply nobody nothing anyone someone rating site contact support somebody privacy service help submit feste gold-certs
The subject of infected emails is selected from the following variants:
Re[2]:fun pictures Re:fun pictures FW:fun pictures Re[2]:COOL! Re:COOL! FW:COOL! Re[2]:cool Re:cool FW:cool Re[2]: Re: FW: :)) FW: Cool LOOK! new photos 2 new photos hi, it's me it's me (no subject) that's me :-D my photos hello sweety :> remember me?.. FW: jenna's photos :) FW: new photos FW: 2 new photos FW: hi, it's me FW: it's me FW: (no subject) FW: that's me :-D FW: my photos FW: hello sweety :> FW: hi FW: remember me?..
The body text of infected emails is selected from the following variants:
-----Original Message----- From: Jeny K. Sent: Monday, September 13, 2004 8:57 PM To: Morpheus check my new photos :)) miss you, jeny k
-----Original Message----- From: Jena K. Sent: Monday, September 13, 2004 5:23 AM To: friends Check Out Archive.. So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key
-----Original Message----- From: jenny k. Sent: Monday, September 13, 2004 10:23 AM To: My Tiger (email) new fotos(archived) you asked jenny k
-----Original Message----- From: jenna k. (email) Sent: Monday, September 13, 2004 11:38 AM To: Cat my new fotos archived )) kiss, jenna k
-----Original Message----- From: Jeny Sent: Monday, September 13, 2004 8:57 PM To: Neo see the photos in attached archive :)) kiss you, jeny
-----Original Message----- From: Jena Sent: Monday, September 13, 2004 5:23 AM To: friend Photos in archive.. So.. Am I Hot? :) Waining For Your Answer Jena
-----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM To: Friends Group in self-extracting archive my photos Jenna :)
-----Original Message----- From: jenna (email) Sent: Monday, September 13, 2004 11:38 AM To: ma kittie my photos archived )) kiss, jenna
fun flash game!
fun flash! game!
fun game!
Print money at home!
look at atach
-----Original Message----- From: Jeny K. Sent: Monday, September 13, 2004 8:57 PM To: Morpheus check out the new photos :)) miss you, jeny k
-----Original Message----- From: Jena K. Sent: Monday, September 13, 2004 5:23 AM To: friends So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key
-----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM in archive my new fotos Jenna K :)
-----Original Message----- From: jenny k. Sent: Monday, September 13, 2004 10:23 AM To: My Tiger (email) new fotos you asked jenny k
-----Original Message----- From: jenna k. (email) Sent: Monday, September 13, 2004 11:38 AM To: Cat my new fotos zipped )) kiss, jenna k
-----Original Message----- From: Jeny Sent: Monday, September 13, 2004 8:57 PM To: Neo see the photos :)) kiss you, jeny
-----Original Message----- From: Jena Sent: Monday, September 13, 2004 5:23 AM To: friend So.. Am I Hot? :) Waining For Your Answer Jena
-----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM To: Friends Group in archive my photos Jenna :)
-----Original Message----- From: jenny Sent: Monday, September 13, 2004 10:23 AM To: Mr.X (email) photos you asked jenny
-----Original Message----- From: jenna (email) Sent: Monday, September 13, 2004 11:38 AM To: ma kittie my photos zipped )) kiss, jenna
The worm can send itself as an executable attachment or in a ZIP archive with one of the following names:
myfoto.exe photos.selfextracting.exe photoarchive.exe photofile.exe arc.exe my_foto.exe fotos.exe foto.exe photos.exe.safe photo_se.exe new_photos.exe newphotos.exe myphotos_arc.exe my_photos.exe photos_arc.exe myfoto.cpl photoarchive.cpl photofile.cpl arc.cpl my_foto.cpl fotos.cpl foto.cpl photo_se.cpl new_photos.cpl newphotos.cpl my_photos.cpl photos_arc.cpl arhive.zip new_pic.zip pic.zip new_photos.zip images.zip fotos.zip my_photos.zip myphotos.zip photos.zip my_photo.jpg .pif flowers.jpg .pif document.jpg .pif pic.jpg.pif photo.jpg .pif black.gif .pif DCP_0002.JPG .pif me_01.jpg .pif 2004042301.jpg .pif with_flowers.jpg .pif sunny.jpg .pif photo08.jpg .pif nude_.jpg .pif marie_dancing.jpg .pif julia038.jpg .pif 1.exe mymusic.pif rulezzz.scr matrix.scr newvirus.exe mylove.pif antibush.scr icqcrack.exe myfack.pif hello.pif pinguin5.exe you the best.scr fantasy.scr coolgame.zip [multiple spaces] .exe mynewphoto.zip [multiple spaces] .exe mult.exe
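A mail-gateway check built from the indicators listed above (the subject templates, the space-padded double extensions such as "photo.jpg      .pif", and the forged "Original Message" quotes from Jena/Jeny/Jenna), as an added example in Python that is not part of this description or of any F-Secure product; the sample message and the hit-count threshold are constructed assumptions.

```python
import email
import re

SUBJECT_CORES = {  # subject variants from the description, reply prefixes stripped
    "fun pictures", "cool!", "cool", "look!", "new photos", "2 new photos", "hi, it's me",
    "it's me", "that's me :-d", "my photos", "hello sweety :>", "remember me?..", ":))"}
REPLY_PREFIX = re.compile(r"^(?:(?:re(?:\[\d+\])?|fw):\s*)+", re.I)  # Re: / Re[2]: / FW:
EXEC_EXT = re.compile(r"\.(?:exe|cpl|pif|scr|zip)$", re.I)
DISGUISED_EXT = re.compile(r"\.(?:jpe?g|gif|zip)\s+\.(?:pif|exe)$", re.I)  # "photo.jpg    .pif"
FORGED_REPLY = re.compile(r"-----Original Message-----\s*From:\s*jen(?:a|y|na|ny)\b", re.I)

def score_message(raw: bytes) -> tuple[int, list[str]]:
    # Return (hit count, reasons) for one RFC 822 message; two or more hits is a strong signal.
    msg = email.message_from_bytes(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    core = REPLY_PREFIX.sub("", subject).strip().lower()
    if core in SUBJECT_CORES or (subject and not core):  # bare "FW:" / "Re:" counts too
        hits.append(f"subject matches worm template: {subject!r}")
    text = ""
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_disposition() == "attachment":
            if DISGUISED_EXT.search(name):
                hits.append(f"space-padded double extension: {name!r}")
            elif EXEC_EXT.search(name):
                hits.append(f"executable or archive attachment: {name!r}")
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("latin-1")
    if FORGED_REPLY.search(text):
        hits.append("body is a forged 'Original Message' quote from Jena/Jeny/Jenna")
    return len(hits), hits

# Constructed sample in the worm's style (not a real capture); note the spaces in the filename.
SAMPLE = b"""Subject: FW: 2 new photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

-----Original Message-----
From: Jena K.
So.. What Do You Think... Am I Hot? :) Waining For Your Answer
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="my_photo.jpg      .pif"

(binary omitted)
--b1--
"""
```

Running score_message(SAMPLE) yields three hits (subject, attachment name, forged quote); the attachment-name check alone already flags the ".jpg      .pif" trick that hides the executable extension off-screen in mail clients.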
The worm can also append a fake virus scan report to its message:
+++ Attachment: No Virus found +++
where "<av_string>" can be any of the following:
It uses the following list of domain names to compose the fake address:
The worm will attempt to terminate any process found in the list below:
It also sends ICQ messages with text chosen from the following list:
If the worm can locate the Kazaa shared folder, it will copy itself with names picked from:
This variant of the Mydoom worm uses the LSASS vulnerability to infect other hosts.
The worm downloads a backdoor from one of several websites and activates it.