What is Mydoom?
1.
This is a mass-mailing worm that arrives in an email message as follows:
-The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
-The message contains Unicode characters and has been sent as a binary attachment.
-Mail transaction failed. Partial message is available.
From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment: (varies .exe, .pif, .cmd, .scr - often arrives in a ZIP archive) (22,528 bytes)
When this file is run it copies itself to the local system with the following filenames:
-c:Program FilesKaZaAMy Shared Folderactivation_crack.scr
-%SysDir% askmon.exe
-(Where %Sysdir% is the Windows System directory, for example C:WINDOWSSYSTEM)
It also uses a DLL that it creates in the Windows System directory:
-%SysDir%shimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:
-HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
CurrentVersionRun "TaskMon" = %SysDir% askmon.exe
The worm opens a connection on TCP port 3127 suggesting remote access capabilities
Indications of Infection:
-Upon executing the virus, Notepad is opened, filled with nonsense characters.
-Existence of the files and registry entry listed above
This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.
The mailing component harvests address from the local system. Files with the following extensions are targeted:
.wab, .adb, .tbb, .dbx, , , .sht, , .txt
Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses.
:{ Aw, you have Mydoom virus :{