Email-Worm.Win32.Mydoom.u
When run, the worm copies itself to the Windows\System folder under the name windrv32.exe and creates an auto-run key for this copy in the system registry, which ensures that it is launched with every start of the operating system:
"WinSPF" = "%WinSysDir%\windrv32.exe"
The addresses of potential victims are harvested from the system address book and from files with the following extensions:
asp cfg cgi dbx dht eml htm jsp mht msg php sht stm tbb txt uin vbs wab xls
To send messages, the worm establishes a direct connection to the recipient's SMTP server.
- Sender's first name (chosen from the following):
Alex Alexander Andrew Anthony Barry Bernard Bill Brian Calvin Carl Charles Christopher Clifford Daniel David Dennis Donald Douglas Edward Eric Francisco Frank Gary George Gregory Harold Henry James Jason Jay Jeffrey Jerry Jim John Jon Jose Joseph Joshua Kenneth Kevin Larry Leon Leroy Lloyd Marcus Mario Mark Matthew Michael Miguel Oscar Patrick Paul Peter Randall Raymond Richard Ricky Robert Ronald Ronnie Scott Stephen Steven Theodore Thomas Timothy Tom Tommy Troy Walter William
- Sender's surname (chosen from the following):
Adams Allen Anderson Baker Brown Campbell Carter Clark Cruz Davis Freeman Garcia Gomez Gonzalez Green Hall Harris Hernandez Hill Jackson Johnson Jones King Lee Lewis Lopez Marshall Martin Martinez Miller Mitchell Moore Murray Nelson Ortiz Parker Perez Phillips Porter Roberts Robinson Rodriguez Scott Simpson Smith Stevens Taylor Thomas Thompson Tucker Turner Walker Webb Wells White Williams Wilson Wright Young
- Subject (chosen from the following):
hello here hi Hi! important Information my News Notice again Private document Re: Hello Re: Hi Re: Message Re: Proof of concept Re: Question Re: Status Re: Your document read it immediately Thank you! thanks! You win!
- Body (chosen from the following):
apply patch. apply this patch! Can you confirm it? For further details see the attachment.... For more details see the attachment. fun game! fun photos fun! game I have attached document. lol! Monthly news report. New game Please answer quickly! Please confirm the document. Please confirm! Please read the attached file! Please read the attached file. Please read the document. Please read the important document. Please see the attached file for detail... relax screensaverlol! See attached file for details. See the file. See the file. Thanks! Thanks! Virus removal tool Waiting for a Response. Please read the... You are infected by virus. Run this exe... Your archive is attached. Your requested mail has been attached.
- Signature:
+++ Attachment: No Virus found +++ %X%
where the symbol %X% is replaced by one of the following texts:
Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com
- Attachment name (chosen from the following):
bill.doc.pif bill.rtf.pif bill.txt.pif doc.doc.pif doc.rtf.pif doc.txt.pif document.doc.pif mesg.doc.pif mesg.rtf.pif mesg.txt.pif Message.html.pif rep.txt.pif report.doc.pif report.rtf.pif report.txt.pif review.doc.pif review.rtf.pif review.txt.pif antivirus.exe bill.zip data.zip details.zip doc.zip doc.zip document.zip file.exe file.zip fun.scr game.exe info.zip information.zip letter.zip lol.scr message,.zip new.exe new.zip patch.exe photo.exe pic.exe report.zip
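The mail template above gives a defender a small, stable set of indicators: the attachment names, the forged "+++ Attachment: No Virus found +++" signature with one of the scanner lines, and the WinSPF auto-run value. The following Python script is an added example, not code from the original description or from any antivirus vendor; it copies those indicator values from the description, builds two constructed sample messages (not real captures), and flags a message only when a lure attachment and a forged scan stamp occur together. The function names `triage`, `registry_autorun_hits` and `build_sample_message`, and the sample sender address, are assumptions of this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator values copied from the description above.
ATTACHMENT_NAMES = frozenset("""
bill.doc.pif bill.rtf.pif bill.txt.pif doc.doc.pif doc.rtf.pif doc.txt.pif
document.doc.pif mesg.doc.pif mesg.rtf.pif mesg.txt.pif Message.html.pif
rep.txt.pif report.doc.pif report.rtf.pif report.txt.pif review.doc.pif
review.rtf.pif review.txt.pif antivirus.exe bill.zip data.zip details.zip
doc.zip document.zip file.exe file.zip fun.scr game.exe info.zip
information.zip letter.zip lol.scr message,.zip new.exe new.zip patch.exe
photo.exe pic.exe report.zip
""".split())
SIGNATURE_MARKER = "+++ Attachment: No Virus found +++"
VENDOR_LINES = (
    "Bitdefender AntiVirus - www.bitdefender.com",
    "F-Secure AntiVirus - www.f-secure.com",
    "Kaspersky AntiVirus - www.kaspersky.com",
    "MC-Afee AntiVirus - www.mcafee.com",
    "MessageLabs AntiVirus - www.messagelabs.com",
    "Norman AntiVirus - www.norman.com",
    "Norton AntiVirus - www.symantec.de",
    "Panda AntiVirus - www.pandasoftware.com",
)
# Generic form of the .pif entries above: a document-looking name hiding a .pif.
DOUBLE_EXT_PIF = re.compile(r"\.(doc|rtf|txt|html?)\.pif$", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    attachment_hit = forged_stamp = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENT_NAMES:
            attachment_hit = True
            reasons.append(f"attachment name on Mydoom.u list: {name}")
        elif DOUBLE_EXT_PIF.search(name):
            attachment_hit = True
            reasons.append(f"double-extension .pif attachment: {name}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if SIGNATURE_MARKER in body:
        forged_stamp = True
        reasons.append("forged 'No Virus found' signature")
    for line in VENDOR_LINES:
        if line in body:
            forged_stamp = True
            reasons.append(f"forged scanner line: {line}")
    # Lure attachment plus forged scan stamp is the worm's own template.
    return {"suspicious": attachment_hit and forged_stamp, "reasons": reasons}


def registry_autorun_hits(run_values: dict) -> list:
    """Flag Run-key values matching the persistence entry in the description.

    run_values maps value name -> data, as exported from a Run key (assumed input).
    """
    return sorted(
        name for name, data in run_values.items()
        if name == "WinSPF" or data.lower().endswith("windrv32.exe")
    )


def build_sample_message(filename: str, body: str) -> bytes:
    """Constructed test message in the worm's template (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "John Smith <john.smith@example.com>"  # constructed sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: Proof of concept"
    msg.set_content(body)
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one in the worm's template, one ordinary message.
WORM_STYLE = build_sample_message(
    "report.doc.pif",
    "Please read the attached file!\n\n" + SIGNATURE_MARKER + "\n" + VENDOR_LINES[2] + "\n",
)
BENIGN = build_sample_message("report.pdf", "Minutes from today's meeting attached.\n")

if __name__ == "__main__":
    print(triage(WORM_STYLE))
    print(triage(BENIGN))
    print(registry_autorun_hits({
        "WinSPF": r"C:\WINDOWS\System\windrv32.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    }))
```

Requiring both the lure attachment and the forged stamp keeps ordinary mail that merely mentions a scanner, or that carries a .zip named like one on the list, from being quarantined on a single weak signal; either signal alone is still reported in `reasons` for an analyst to review.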
The worm has a function that attempts to download a backdoor from the Internet.
On 20 September 2004 at 1:18:31 the worm stops functioning and deletes its own files from the hard disk.
W32/Mydoom.w@MM (McAfee), W32.Mydoom.T@mm (Symantec), W32/MyDoom-V (Sophos), Win32/Mydoom.Y@mm (RAV), Worm/MyDoom.U.3 (H+BEDV), W32/Mydoom.T@mm (FRISK), Win32:Mydoom-S2 (ALWIL), I-Worm/Mydoom.U (Grisoft), Win32.Mydoom.V.3@mm (SOFTWIN), Worm.Mydoom.W (ClamAV), W32/Mydoom.W.worm (Panda)