Email-Worm:W32/MyDoom.AN

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

MyDoom.AN, W32/Mydoom.AN@mm, I-Worm.Mydoom.gen, Email-Worm.Win32.Mydoom.ai

Summary

MyDoom.AN appeared on January 27th, 2005. At the time this description was written we had no reports of this variant from the field. This worm variant is considerably more advanced than the previous ones.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's body is a Windows PE executable file compressed with the MEW executable compressor and patched with the PE_Patch utility. Part of the worm's data area is encrypted.

Installation to system

When the worm's file is run, it copies itself to the Windows folder as SERVICES.EXE and registers that file as a service named 'NetBios Ext32'. The service is started automatically every time Windows starts, so the worm is always active in memory.

On Windows 9x and ME the worm instead adds a startup value for its file to the Windows Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "RPCserv32"

Spreading in emails

The worm spreads by sending its infected attachment to all email addresses found on the infected computer. It looks for email addresses in the Windows Address Book and in files with the following extensions:

  • wab
  • uin
  • txt
  • tbb
  • stm
  • sht
  • php
  • msg
  • mht
  • mbx
  • jsp
  • htm
  • eml
  • dht
  • dbx
  • cgi
  • asp

The worm avoids sending emails to email addresses that contain any of the following substrings:

  • avp.
  • syman
  • icrosof
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • icrosoft
  • .gov
  • gov.
  • .mil
  • @foo.
  • @iana
  • spam
  • unix
  • linux
  • kasp
  • antivi
  • messagelabs
  • support
  • berkeley
  • unix
  • math
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • icq.com
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • google
  • accoun
  • abuse
  • upport
  • www
  • root
  • info
  • samples
  • postmaster
  • rating
  • root
  • news
  • webmaster
  • noone
  • noreply
  • nobody
  • nothing
  • anyone
  • someone
  • rating
  • site
  • contact
  • support
  • somebody
  • privacy
  • service
  • help
  • submit
  • feste
  • gold-certs
  • avp

It should be noted that the worm uses a much improved email address recognition algorithm. It can now also recover addresses written in obfuscated forms such as:

  • peter@nospam.domain.com
  • peter-at-domain-dot-com
  • peter at domain dot com
  • peter[at]domain[dot]com

The worm translates these addresses into the usable user@domain form.

The worm also searches for email addresses with the Google search engine, using the domain list shown below (under the fake sender's address domains) together with this additional short list of domains:

  • hotmail
  • aol
  • yahoo
  • msn

The worm spreads itself in email messages. Each message is composed from a randomly chosen subject line, body text and additional parts, and the attachment name is picked from a fixed selection. The subject of infected emails is selected from the following variants:

  • Remember me?
  • Hi again
  • Me again
  • Me and you :)
  • Important, see attchmnt
  • My secret
  • Secret message
  • For your eyes only!
  • Look who's naked =)
  • Is it your girl?
  • My girl, for your eyes only
  • Office jokes -))
  • Whoah! Very-very big thing! Take a look!
  • Your friend lying to you..
  • Find yourself on picture :-D
  • Party photos
  • You're next :) take a look
  • Sex in office, funny :]
  • Birthday Party Invitation!
  • [first_name] !!!
  • [first_name] and You!!!
  • Christmas ePostCard
  • Christmas ePostCard from [sender_name]
  • Merry-Christmas!
  • Merry-Christmas from [sender_name]
  • Christmas card
  • Christmas Greeting Card Waiting For You
  • An e-postcard is waiting for you

The body of the email is one of the following:

  • Remember me?
  • Hi, [sender_name] has sent you an christmas postcard.
  • Merry X-Mas!
  • Happy New Year!
  • Postcard for you
  • New Year Postcard from your friend
  • New Year Postcard from [sender_name]
  • Happy holidays! ;)

The worm sends itself as an attachment, using one of the following names:

  • mult.exe
  • mynewphoto.zip [lots of spaces] .exe
  • coolgame.zip [lots of spaces] .exe
  • fantasy.scr
  • you the best.scr
  • pinguin5.exe
  • hello.pif
  • myfack.pif
  • icqcrack.exe
  • antibush.scr
  • mylove.pif
  • newvirus.exe
  • matrix.scr
  • rulezzz.scr
  • mymusic.pif
  • 1.exe
  • photos.zip
  • sh*tpix.zip
  • sh*t.zip
  • fotos.zip
  • images.zip
  • [sender_name] flashepostcard.exe
  • christmasscreenfrom[sender_name] .scr
  • merry-christmas.scr
  • [first_name] _nude.pif
  • [first_name] _joke.jpg [lots of spaces] .pif
  • [first_name] 's x-mas joke.jpg [lots of spaces] .scr
  • flash x-mas game.exe
  • [first_name] .jpg [lots of spaces] .cpl
  • ePostCard[random_number] .jpg [lots of spaces] .cpl

The worm fakes the sender's email address. The following domains are used to generate the fake address:

  • dailymail.co.uk
  • mail.com
  • hotmail.com
  • gmx.net
  • yahoo.co.uk
  • 1access.net
  • a1isp.net
  • accessus.net
  • address.com
  • ameralinx.net
  • aol.com
  • apci.net
  • arczip.com
  • aristotle.net
  • att.net
  • cableone.net
  • cais.com
  • canada.com
  • cayuse.net
  • ccp.com
  • ccpc.net
  • chello.com
  • compuserve.com
  • core.com
  • cox.net
  • cybernex.net
  • dialupnet.com
  • earthlink.net
  • eclipse.net
  • eisa.com
  • ev1.net
  • excite.com
  • fast.net
  • fcc.net
  • flex.com
  • gbronline.com
  • globalbiz.net
  • globetrotter.net
  • highstream.net
  • hiwaay.net
  • ieway.com
  • inext.fr
  • infoave.net
  • iquest.net
  • isp.com
  • ispwest.com
  • istep.com
  • juno.com
  • loa.com
  • macconnect.com
  • madriver.com
  • msn.com
  • nccw.net
  • netcenter.com
  • netrox.net
  • netzero.net
  • pacific.net.sg
  • palm.net
  • pathlink.com
  • peoplepc.com
  • pics.com
  • rcn.com
  • ricochet.com
  • surfree.com
  • t-online.com
  • t-online.de
  • tiscali.com
  • toad.net
  • ultimanet.com
  • verizon.net
  • wanadoo.com
  • worldcom.com
  • worldshare.net
  • wwc.com
  • yahoo.com
  • ziplink.net

The following first names are used to generate the fake sender's email address (partial list only, the original list contains 500 names):

  • James
  • John
  • Robert
  • Michael
  • William
  • David
  • Richard
  • Charles
  • Joseph
  • Thomas
  • Christopher
  • Daniel
  • Paul
  • Mark
  • Donald
  • George
  • Kenneth
  • Steven
  • Edward
  • Brian
  • Ronald
  • Anthony
  • Kevin
  • Jason
  • Matthew
  • Gary
  • Timothy
  • Jose
  • Larry
  • Jeffrey
  • Frank
  • Scott
  • Eric
  • Stephen
  • Andrew
  • Raymond
  • Gregory
  • Joshua
  • Jerry
  • Dennis

The following last names are used to generate the fake sender's email address (partial list only, the original list contains 500 names):

  • Smith
  • Johnson
  • Williams
  • Jones
  • Brown
  • Davis
  • Miller
  • Wilson
  • Moore
  • Taylor
  • Anderson
  • Thomas
  • Jackson
  • White
  • Harris
  • Martin
  • Thompson
  • Garcia
  • Martinez
  • Robinson
  • Clark
  • Rodriguez
  • Lewis
  • Lee
  • Walker
  • Hall
  • Allen
  • Young
  • Hernandez
  • King
  • Wright
  • Lopez
  • Hill

The worm can add a fake anti-virus scanner report to an infected message, to persuade the recipient that the email was scanned by an anti-virus product and found clean. The worm uses the following strings:

  • MessageLabs AntiVirus - www.messagelabs.com
  • Bitdefender AntiVirus - www.bitdefender.com
  • MC-Afee AntiVirus - www.mcafee.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • Panda AntiVirus - www.pandasoftware.com
  • Norman AntiVirus - www.norman.com
  • F-Secure AntiVirus - www.f-secure.com
  • Norton AntiVirus - www.symantec.de
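The message traits described above (the fixed subject lines, the fake scanner banner appended to the body, and attachment names that hide an executable extension behind a decoy extension and a run of spaces) can be checked on the mail gateway or in a mailbox export. The following is an added example written for this description, not F-Secure's code or any part of the worm; the sample message is constructed, and the subject list is only a subset of the list above.

```python
import email
import re

# Subset of the subject lines quoted in the description above.
KNOWN_SUBJECTS = {
    "Remember me?", "Hi again", "Me again", "My secret", "Secret message",
    "For your eyes only!", "Party photos", "Christmas ePostCard",
    "Merry-Christmas!", "Christmas card", "An e-postcard is waiting for you",
}
# Fake scanner report strings quoted in the description above.
FAKE_SCANNER_BANNERS = (
    "MessageLabs AntiVirus - www.messagelabs.com",
    "Bitdefender AntiVirus - www.bitdefender.com",
    "MC-Afee AntiVirus - www.mcafee.com",
    "Kaspersky AntiVirus - www.kaspersky.com",
    "Panda AntiVirus - www.pandasoftware.com",
    "Norman AntiVirus - www.norman.com",
    "F-Secure AntiVirus - www.f-secure.com",
    "Norton AntiVirus - www.symantec.de",
)
# Every extension in the attachment-name list is executable on Windows.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".cpl"}


def attachment_findings(filename: str) -> list:
    """Flag the two attachment-name tricks listed above: an executable
    extension, and a harmless-looking extension followed by a run of spaces
    so that the real extension is pushed out of view in the mail client."""
    findings = []
    name = filename.rstrip()
    real_ext = re.search(r"\.[A-Za-z0-9]+$", name)
    if real_ext and real_ext.group(0).lower() in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension " + real_ext.group(0).lower())
    if re.search(r"\.[A-Za-z0-9]+ +\.[A-Za-z0-9]+$", name):
        findings.append("space-padded double extension")
    return findings


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which MyDoom.AN traits it shows."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip()
    body_text, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            attachments.append((name, attachment_findings(name)))
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text.append(payload.decode("utf-8", errors="replace"))
    body = "\n".join(body_text)
    banner = next((b for b in FAKE_SCANNER_BANNERS if b in body), None)
    # The subject alone is weak evidence ("Hi again" is ordinary mail), so it is
    # reported separately and does not by itself mark the message suspicious.
    return {
        "subject_known": subject in KNOWN_SUBJECTS,
        "fake_scanner_banner": banner,
        "attachments": attachments,
        "suspicious": banner is not None or any(f for _, f in attachments),
    }


# Constructed sample message following the patterns above (not a captured sample).
SAMPLE_RAW = b"""\
From: James Smith <james.smith@hotmail.com>
To: someone@example.net
Subject: Christmas ePostCard
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, James Smith has sent you an christmas postcard.

F-Secure AntiVirus - www.f-secure.com
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="ePostCard12.jpg                    .cpl"

(placeholder attachment body, constructed for this example)
--b1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_RAW))
```

Plain .zip attachments from the list (photos.zip, fotos.zip, images.zip) produce no finding here; an archive has to be opened and its contents checked, which is the job of the gateway scanner rather than of a name check.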

Sending ICQ messages

The worm sends ICQ messages with specially constructed URLs that point to specific webpages. The text of such messages can be any of the following:

  • fun game http://[link_to_website] ?[file_name] =[file_name] :-)))
  • funy game http://[link_to_website] ?[file_name] =[file_name] =)
  • game http://[link_to_website] ?[file_name] =[file_name] :-)
  • view my postcard http://[link_to_website] ?[file_name] =[file_name]
  • merry-christmas http://[link_to_website] ?[file_name] =[file_name] !!!
  • happy x-mas http://[link_to_website] ?[file_name] =[file_name] !
  • lol http://[link_to_website] ?[file_name] =[file_name]
  • http://[link_to_website] ?[file_name] =[file_name]
  • sh*t!!! http://[link_to_website] ?[file_name] =[file_name]
  • http://[link_to_website] ?[file_name] =[file_name]
  • about Saddam Hussein http://[link_to_website] ?[file_name] =[file_name]
  • sex on mars http://[link_to_website] ?[file_name] =[file_name] LOL

where [link_to_website] is a link to a website (hardcoded list) and [file_name] can be one of the following:

  • sh*t.zip
  • fotos.zip
  • images.zip
  • [first_name] .zip
  • Christmas ePostCard.zip
  • Christmas ePostCard from [sender_name] .zip
  • Merry/-Christmas!.zip
  • Merry/-Christmas from [sender_name] .zip
  • Christmas card.zip
  • Christmas Greeting Card Waiting For You.zip
  • An e-postcard is waiting for you.zip

Payload

The worm contains a list of URLs from which it tries to download an additional file. The following sites are checked by the worm for the presence of that file:

  • http://benjafieldsracingclub.co.uk/
  • http://bored.kary.ca/
  • http://bossco.co.uk/
  • http://dreamon.cyberdogcastle.com/
  • http://forums.maehara.co.uk/
  • http://www.aartanridge.org.uk/
  • http://www.alfa-pages.co.uk/
  • http://www.aoprojecteden.org/
  • http://www.creativemods.com/
  • http://www.dilvie.com/
  • http://www.eastcoastchoons.co.uk/
  • http://www.euhg.org/
  • http://www.fartdevilstudio.org/
  • http://www.foxalpha.com/
  • http://www.frenchconnexion.org/
  • http://www.petrucciforum.com/
  • http://www.ribaforada.net/
  • http://www.stahlhammer.org/
  • http://www.sundayriders.co.uk/
  • http://www.supermantv.net/
  • http://www.yamamizuryu.org/
  • http://www.foxalpha.com/
  • http://www.hidden-agenda.co.uk/
  • http://www.hooping.org/
  • http://www.hypnobirthing.co.uk/
  • http://www.idiotica.co.uk/
  • http://www.imogenheap.co.uk/
  • http://www.knutsfordcricket.co.uk/
  • http://www.lancer.com.ru/
  • http://www.newgenerationcomics.net/
  • http://www.overcoming/

We are watching these locations in order to get the file that Mydoom is supposed to download and activate on an infected computer. So far we have only been able to download a few files, which are a variant of the Surila backdoor (Backdoor.Win32.Surila.o).

The worm terminates processes and deletes files with the following names:

  • OUTPOST.EXE
  • IAOIN.EXE
  • RB.EXE
  • b055262c.dll
  • backdoor.rbot.gen.exe
  • backdoor.rbot.gen_(17).exe
  • msssss.exe
  • rasmngr.exe
  • dailin.exe
  • wowpos32.exe
  • wuamgrd.exe
  • taskmanagr.exe
  • wuamga.exe
  • ATUPDATER.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • Systra.exe
  • RAVMOND.exe
  • GfxAcc.exe
  • VisualGuard.exe
  • hxdef.exe
  • fvprotect.exe
  • jammer2nd.exe
  • ssgrate.exe
  • winxp.exe
  • sysxp.exe
  • d3dupdate.exe
  • BEAGLE.EXE
  • ACKWIN32.EXE
  • ADAWARE.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • AGENTW.EXE
  • ALERTSVC.EXE
  • ALEVIR.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ARR.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AU.EXE
  • AUPDATE.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGNT.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGUARD.EXE
  • AVGW.EXE
  • AVKPOP.EXE
  • AVKSERV.EXE
  • AVKSERVICE.EXE
  • AVKWCTl9.EXE
  • AVLTMAIN.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD.EXE
  • AVWUPD32.EXE
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • AVXQUAR.EXE
  • BACKWEB.EXE
  • BARGAINS.EXE
  • BD_PROFESSIONAL.EXE
  • BEAGLE.EXE
  • BELT.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BLSS.EXE
  • BOOTCONF.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BPC.EXE
  • BRASIL.EXE
  • BS120.EXE
  • BUNDLE.EXE
  • BVT.EXE
  • CCAPP.EXE
  • CCEVTMGR.EXE
  • CCPXYSVC.EXE
  • CDP.EXE
  • CFD.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95CF.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CLICK.EXE
  • CMD32.EXE
  • CMESYS.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CTRL.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • Claw95.EXE
  • CLAW95CF.EXE
  • DATEMANAGER.EXE
  • DCOMX.EXE
  • DEFALERT.EXE
  • DEFSCANGUI.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DLLCACHE.EXE
  • DLLREG.EXE
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DPPS2.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DRWEBUPW.EXE
  • DSSAGENT.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • EMSW.EXE
  • ENT.EXE
  • ESAFE.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ESPWATCH.EXE
  • ETHEREAL.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXE.AVXW.EXE
  • EXPERT.EXE
  • EXPLORE.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FIH32.EXE
  • FINDVIRU.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • FNRB32.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FPROT.EXE
  • FRW.EXE
  • FSAA.EXE
  • FSAV.EXE
  • FSAV32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • FSGK32.EXE
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • GATOR.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GMT.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HBINST.EXE
  • HBSRV.EXE
  • HOTACTIO.EXE
  • HOTPATCH.EXE
  • HTLOG.EXE
  • HTPATCH.EXE
  • HWPE.EXE
  • HXDL.EXE
  • HXIUL.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IAMSTATS.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IDLE.EXE
  • IEDLL.EXE
  • IEDRIVER.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • INETLNFO.EXE
  • INFUS.EXE
  • INFWIN.EXE
  • INIT.EXE
  • INTDEL.EXE
  • INTREN.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISASS.EXE
  • ISRV95.EXE
  • ISTSVC.EXE
  • JAMMER.EXE
  • JDBGMRG.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KEENVALUE.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KERNEL32.EXE
  • KILLPROCESSSETUP161.EXE
  • LAUNCHER.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LNETINFO.EXE
  • LOADER.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LORDPE.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MAPISVC32.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MD.EXE
  • MFIN32.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MMOD.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MOSTAT.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSAPP.EXE
  • MSBB.EXE
  • MSBLAST.EXE
  • MSCACHE.EXE
  • MSCCN32.EXE
  • MSCMAN.EXE
  • MSCONFIG.EXE
  • MSDM.EXE
  • MSDOS.EXE
  • MSIEXEC16.EXE
  • MSINFO32.EXE
  • MSLAUGH.EXE
  • MSMGT.EXE
  • MSMSGRI32.EXE
  • MSSMMC32.EXE
  • MSSYS.EXE
  • MSVXD.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAV.EXE
  • AUTO-PROTECT.NAV80TRY.EXE
  • NAVAP.NAVAPSVC.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVENGNAVEX15.NAVLU32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NEOWATCHLOG.EXE
  • NETARMOR.EXE
  • NETD32.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NOD32.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NOTSTART.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NPSCHECK.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NSSYS32.EXE
  • NSTASK32.EXE
  • NSUPDATE.EXE
  • NT.EXE
  • NTRTSCAN.EXE
  • NTXconfig.EXE
  • NUI.EXE
  • NUPGRADE.EXE
  • NUPGRADE.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • NWINST4.EXE
  • NWSERVICE.EXE
  • NWTOOL16.EXE
  • OLLYDBG.EXE
  • ONSRVR.EXE
  • OPTIMIZE.EXE
  • OSTRONET.EXE
  • OTFIX.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PATCH.EXE
  • PAVCL.EXE
  • PAVPROXY.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • PCCNTMON.EXE
  • PCCWIN97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PCSCAN.EXE
  • PDSETUP.EXE
  • PENIS.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PGMONITR.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • POWERSCAN.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PRIZESURFER.EXE
  • PRMT.EXE
  • PRMVR.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PUSSY.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAPAPP.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • RAY.EXE
  • RB32.EXE
  • RCSYNC.EXE
  • REALMON.EXE
  • REGED.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCAN.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • RUNDLL.EXE
  • RUNDLL16.EXE
  • RUXDLL32.EXE
  • SAFEWEB.EXE
  • SAHAGENT.EXE
  • SAVE.EXE
  • SAVENOW.EXE
  • SBSERV.EXE
  • SC.EXE
  • SCAM32.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SCRSVR.EXE
  • SD.EXE
  • SERV95.EXE
  • SERVLCE.EXE
  • SERVLCES.EXE
  • SETUPVAMEEVAL.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SHOWBEHIND.EXE
  • SMC.EXE
  • SMS.EXE
  • SMSS32.EXE
  • SOAP.EXE
  • SOFI.EXE
  • SPERM.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPOOLCV.EXE
  • SPOOLSV32.EXE
  • SPYXX.EXE
  • SREXE.EXE
  • SRNG.EXE
  • SS3EDIT.EXE
  • SSGRATE.EXE
  • SSG_4104.EXE
  • ST2.EXE
  • START.EXE
  • STCLOADER.EXE
  • SUPFTRL.EXE
  • SUPPORT.EXE
  • SUPPORTER5.EXE
  • SVC.EXE
  • SVCHOSTC.EXE
  • SWEEP95.EXE
  • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • SYSTEM.EXE
  • SYSTEM32.EXE
  • SYSUPD.EXE
  • TASKMO.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TEEKIDS.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRICKLER.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • TSADBOT.EXE
  • TVMD.EXE
  • TVTMD.EXE
  • UNDOBOOT.EXE
  • UPDAT.EXE
  • UPDATE.EXE
  • UPDATE.EXE
  • UPGRAD.EXE
  • UTPOST.EXE
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBDAV.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WIN-BUGSFIX.EXE
  • WIN32.EXE
  • WIN32US.EXE
  • WINACTIVE.EXE
  • WINDOW.EXE
  • WINDOWS.EXE
  • WININETD.EXE
  • WININIT.EXE
  • WININITX.EXE
  • WINLOGIN.EXE
  • WINMAIN.EXE
  • WINPPR32.EXE
  • WINRECON.EXE
  • WINSSK32.EXE
  • WINSTART.EXE
  • WINSTART001.EXE
  • WINTSK32.EXE
  • WINUPDATE.EXE
  • WKUFIND.EXE
  • WNAD.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WUPDATER.EXE
  • WUPDT.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • HIJACKTHIS.EXE
  • F-AGOBOT.EXE

Additionally, the worm deletes services with the following names:

  • NETSKY
  • navapsvc
  • NProtectService
  • Norton Antivirus Server
  • VexiraAntivirus
  • dvpinit
  • dvpapi
  • schscnt
  • BackWeb Client - 7681197
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • AVPCC
  • KAVMonitorService
  • Norman NJeeves
  • NVCScheduler
  • nvcoas
  • Norman ZANDA
  • PASSRV
  • SweepNet
  • SWEEPSRV.SYS
  • NOD32ControlCenter
  • NOD32Service
  • PCCPFW
  • Tmntsrv
  • AvxIni
  • XCOMM
  • ravmon8
  • SmcService
  • BlackICE
  • PersFW
  • McAfee Firewall
  • OutpostFirewall
  • NWService
  • NISUM
  • NISSERV
  • vsmon

The worm modifies the HOSTS file on the infected computer so that domains belonging to anti-virus companies and other commercial sites resolve to the IP address 127.0.0.1, which makes them unreachable. The following domains are affected:

  • downloads-us1.kaspersky-labs.com
  • www.avp.com
  • www.viruslist.com
  • viruslist.com
  • www.symantec.com
  • networkassociates.com
  • secure.nai.com
  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • downloads-us1.kaspersky-labs.com
  • downloads-eu1.kaspersky-labs.com
  • kaspersky-labs.com
  • www.networkassociates.com
  • us.mcafee.com
  • f-secure.com
  • avp.com
  • www.sophos.com
  • sophos.com
  • www.ca.com
  • ca.com
  • securityresponse.symantec.com
  • symantec.com
  • mast.mcafee.com
  • my-etrust.com
  • www.kaspersky.com
  • www.f-secure.com
  • dispatch.mcafee.com
  • update.symantec.com
  • nai.com
  • www.nai.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • trendmicro.com
  • liveupdate.symantecliveupdate.com
  • www.mcafee.com
  • mcafee.com
  • viruslist.com
  • www.my-etrust.com
  • download.mcafee.com
  • updates.symantec.com
  • kaspersky.com
  • www.trendmicro.com
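A HOSTS file that maps vendor update domains to a loopback address is easy to check for, and the check is worth keeping because many worm families reuse this trick. The following is an added example written for this description, not F-Secure's code; the domain set is the list above written as bare hostnames, and the sample HOSTS contents are constructed.

```python
import ipaddress
import os

# Domains from the list above (deduplicated), written as bare hostnames.
MYDOOM_HOSTS_TARGETS = frozenset({
    "downloads-us1.kaspersky-labs.com", "www.avp.com", "www.viruslist.com",
    "viruslist.com", "www.symantec.com", "networkassociates.com",
    "secure.nai.com", "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com", "downloads3.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com", "downloads-eu1.kaspersky-labs.com",
    "kaspersky-labs.com", "www.networkassociates.com", "us.mcafee.com",
    "f-secure.com", "avp.com", "www.sophos.com", "sophos.com", "www.ca.com",
    "ca.com", "securityresponse.symantec.com", "symantec.com",
    "mast.mcafee.com", "my-etrust.com", "www.kaspersky.com",
    "www.f-secure.com", "dispatch.mcafee.com", "update.symantec.com",
    "nai.com", "www.nai.com", "liveupdate.symantec.com",
    "customer.symantec.com", "rads.mcafee.com", "trendmicro.com",
    "liveupdate.symantecliveupdate.com", "www.mcafee.com", "mcafee.com",
    "www.my-etrust.com", "download.mcafee.com", "updates.symantec.com",
    "kaspersky.com", "www.trendmicro.com",
})

# Names that legitimately point at loopback in a stock HOSTS file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> list:
    """Return (line_number, ip, hostname) triples, one per hostname, skipping
    comments and lines that do not start with a valid IP address."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def find_sinkholed_hosts(text: str) -> list:
    """Report hostnames mapped to a loopback address (127.0.0.0/8 or ::1)
    other than the usual localhost names. Each finding is
    (line_number, hostname, is_known_mydoom_target)."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if ip.is_loopback and host not in BENIGN_LOOPBACK_NAMES:
            findings.append((lineno, host, host in MYDOOM_HOSTS_TARGETS))
    return findings


def default_hosts_path() -> str:
    """Location of the system HOSTS file on Windows and on Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample HOSTS contents (not taken from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1\twww.f-secure.com
127.0.0.1\tkaspersky-labs.com
127.0.0.1\tliveupdate.symantec.com
127.0.0.1\tupdates.example.local
192.168.1.10    printer.example.local
"""

if __name__ == "__main__":
    path = default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, host, known in find_sinkholed_hosts(fh.read()):
            tag = "MyDoom.AN target" if known else "unexpected loopback entry"
            print(f"{path}:{lineno}: {host} ({tag})")
```

Entries that are not on the worm's list are still reported, because a later variant may use a different list; an ad-blocking HOSTS file that a user installed on purpose will show up the same way, so findings with the flag unset need a look before they are treated as evidence of infection.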

Interestingly, the worm enables Registry tools and firewalls on the computer where it is present, but to hide its activity it adds its own file name to the firewall's authorised applications list. As a result the worm's actions do not trigger firewall alerts.

Limited Lifecycle

The worm has a limited lifecycle. After 00:05 on 3 February 2005 the worm creates the following Registry key value:

  • [HKLM\SOFTWARE\Microsoft\Internet Explorer] "Mshdfgq"

and then deletes its service and installed file and terminates its own process.
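The installation artifacts described under "Installation to system" (the 'NetBios Ext32' service, the "RPCserv32" Run value and the SERVICES.EXE copy in the Windows folder) and the "Mshdfgq" value written before self-removal can be checked together on a suspect host. The following is an added example written for this description, not F-Secure's code; the evaluation logic takes plain collections so it can be tested anywhere, the collection helpers only work on Windows, and the sample host states are constructed.

```python
import os
import subprocess

# Indicators quoted from the description above.
SERVICE_NAME = "NetBios Ext32"   # service registered by the worm
RUN_VALUE = "RPCserv32"          # Run value added on Windows 9x/ME
DROPPED_FILE = "services.exe"    # copy in the Windows folder itself, not System32
LIFECYCLE_VALUE = "Mshdfgq"      # written under HKLM\SOFTWARE\Microsoft\Internet Explorer


def evaluate(services, run_values, windows_dir_files, ie_values) -> list:
    """Compare collected host state with the indicators; returns the tags of
    the indicators that matched. Comparisons are case-insensitive because
    Windows service names, value names and file names are."""
    hits = []
    if SERVICE_NAME.lower() in {s.lower() for s in services}:
        hits.append("service")
    if RUN_VALUE.lower() in {k.lower() for k in run_values}:
        hits.append("run_key")
    if DROPPED_FILE in {f.lower() for f in windows_dir_files}:
        hits.append("dropped_file")
    if LIFECYCLE_VALUE.lower() in {k.lower() for k in ie_values}:
        # Present only after the February 2005 cut-off, when the worm has
        # already removed its service and file; it may be the only trace left.
        hits.append("lifecycle_marker")
    return hits


def read_values(subkey: str) -> dict:
    """Enumerate the values of an HKLM subkey (Windows only)."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = data
                index += 1
    except OSError:
        pass
    return values


def list_services() -> list:
    """Service key names and display names from 'sc query' (Windows only);
    both are collected because the description does not say which one
    carries the 'NetBios Ext32' name."""
    out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                         capture_output=True, text=True, check=False).stdout
    return [line.split(":", 1)[1].strip() for line in out.splitlines()
            if line.startswith(("SERVICE_NAME:", "DISPLAY_NAME:"))]


def scan_local_host() -> list:
    """Collect the four pieces of state from the running Windows system."""
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    return evaluate(
        list_services(),
        read_values(r"Software\Microsoft\Windows\CurrentVersion\Run"),
        os.listdir(windows_dir),
        read_values(r"SOFTWARE\Microsoft\Internet Explorer"),
    )


# Constructed sample host states (not real data).
SAMPLE_INFECTED = dict(
    services=["Dhcp", "NetBios Ext32", "Spooler"],
    run_values={"RPCserv32": r"C:\WINDOWS\SERVICES.EXE"},
    windows_dir_files=["explorer.exe", "SERVICES.EXE", "win.ini"],
    ie_values={},
)
SAMPLE_CLEAN = dict(
    services=["Dhcp", "Spooler"], run_values={},
    windows_dir_files=["explorer.exe", "win.ini"], ie_values={},
)

if __name__ == "__main__":
    print("sample infected host:", evaluate(**SAMPLE_INFECTED))
    print("sample clean host:", evaluate(**SAMPLE_CLEAN))
    if os.name == "nt":
        print("this host:", scan_local_host())
```

A services.exe in System32 is the legitimate Service Control Manager and is deliberately not matched; only a copy directly in the Windows folder is reported, as the description specifies.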