W32/MyDoom-Y

Category: Viruses and spyware
Type: Win32 worm
Prevalence:


W32/MyDoom-Y is a mass-mailing internet worm for the Windows platform.

When executed, W32/MyDoom-Y will attempt to connect to the URL

http://www.microsucks.com.

After 1am 01 December 2004 W32/MyDoom-Y will shut down the machine whenever it is started.

W32/MyDoom-Y will then copy itself to the default SYSTEM folder as the file SYSHOSTS.EXE and will set one of the following registry entries to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates

The registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOSTS

will be created to act as an infection marker for the worm.

W32/MyDoom-Y will attempt to send itself as an email attachment to messages with the following characteristics:

Subject: This field will be either "album" or "You've got a virtual postcard!"

Body: This field will either be

"My pics...*sexy*. Heheh! ;)"

or

"You have just received a new postcard from Fleshecard.com!

From: <sender name>

To pick up your postcard follow this web address

http://www.flashecard.com.viewcard.main.ecard.php2342

or click the attached link. We hope you enjoy your postcard, and if
you do, please take a moment to send a few yourself!

http://www.flashecard.com

(Your message will be available for 30 days.)

Please visit our site for more information."

Attachment: the attachment name will be either "Photos_album" or "www.flashecard.com?postcard=viewcard?download", followed by one of the extensions SCR or HTML.SCR
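The subject, body, attachment name and spoofed sender described above are fixed strings, which makes them straightforward to match at a mail gateway. The following is an added example, not code from Sophos or from this page: it encodes those characteristics as a rule over a constructed `Message` record (the `Message` fields and the constructed sample messages are assumptions for illustration). It also includes a generic check for `.scr` attachments, since the worm's file type alone is reason enough to quarantine a message regardless of the lure text.

```python
"""Mail-gateway check for the W32/MyDoom-Y lure described above (added example)."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Lure characteristics taken from the description on this page.
SUBJECTS = {"album", "you've got a virtual postcard!"}
BODY_MARKERS = (
    "My pics...*sexy*. Heheh! ;)",
    "You have just received a new postcard from Fleshecard.com!",
)
ATTACHMENT_RE = re.compile(
    r"^(?:Photos_album|www\.flashecard\.com\?postcard=viewcard\?download)"
    r"\.(?:scr|html\.scr)$",
    re.IGNORECASE,
)
SPOOFED_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com", "msn.com", "excite.com", "mail.com"}
SENDER_NAMES = {
    "Jennifer", "Barbara", "Linda", "Susan", "Eric", "Kevin", "Mary", "Robert",
    "John", "Maria", "Alex", "Pamela", "Anna", "Andrew", "Fred", "Jack", "James",
    "Julie", "Debby", "Claudia", "Matt", "Brent",
}


@dataclass
class Message:
    """The message fields a gateway rule sees (assumed shape; samples below are constructed)."""
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def lure_indicators(msg: Message) -> list[str]:
    """List which of the worm's template fields the message reproduces."""
    hits = []
    if msg.subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.body.lower()
    if any(marker.lower() in body for marker in BODY_MARKERS):
        hits.append("body")
    if any(ATTACHMENT_RE.match(name.strip()) for name in msg.attachments):
        hits.append("attachment")
    display_name, address = parseaddr(msg.sender)
    domain = address.rpartition("@")[2].lower()
    if display_name.strip() in SENDER_NAMES and domain in SPOOFED_DOMAINS:
        hits.append("sender")
    return hits


def is_mydoom_y_lure(msg: Message) -> bool:
    """The attachment name is decisive on its own; otherwise require subject and body together."""
    hits = set(lure_indicators(msg))
    return "attachment" in hits or {"subject", "body"} <= hits


def has_screensaver_attachment(msg: Message) -> bool:
    """Generic control: any .scr attachment (double extensions included) is executable code."""
    return any(name.strip().lower().endswith(".scr") for name in msg.attachments)


if __name__ == "__main__":
    # Constructed sample reproducing the postcard variant of the lure.
    sample = Message(
        sender="Jennifer <jennifer@aol.com>",
        subject="You've got a virtual postcard!",
        body="You have just received a new postcard from Fleshecard.com!\n\nFrom: Jennifer\n",
        attachments=["www.flashecard.com?postcard=viewcard?download.HTML.SCR"],
    )
    print(lure_indicators(sample), is_mydoom_y_lure(sample))
```

The sender check is deliberately the weakest signal: a first name from the list at a free-mail domain describes a great deal of legitimate mail, so it is only reported alongside the others rather than used to block on its own.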

W32/MyDoom-Y will reference the registry entry

HKCU\Software\Microsoft\WAB\WAB4\WAB File Name

to locate the Windows Address Book file. It will then attempt to send itself to all contacts listed in that file, before searching files with the following extensions found in the Temporary Internet Files folder for further addresses:

htmb
htmbl
shtl
phpq
emll
msgq
aspd
dbxn
tbbg
adbh
wab

W32/MyDoom-Y will not send emails out to addresses that include any of the following strings in their names:

syma
msn
hotmail
anda
opho
borlan
npris
xample
mydom
@domai
ruslis
.gov
.mil
@foo
berkley
unix
math
bsd
mit.e
gnu
fsf
ibm
oogle
kernel
linux
fido
senet
@iana
ripe
isi.e
arin
rfc-ed
isc.o
ecur
acketst
pgp
tanford.e
utgers.ed
ample
info
root@
ostmaster@
ebmaster@
you
ugs@
ating@
ontact@
soft
rivacy
ervice
help
ubmit@
feste
cert
page
upport
ntivi
istser
ertific
ccoun
spm
Spam
SPAM
spam
abuse
cafee
@messagelab
@avp
kasp
winzip
winrar
pdate
irus
ahoo
buse@
sale

W32/MyDoom-Y will spoof the sender's email address to appear to have originated from any of the following domains:

@aol.com
@hotmail.com
@yahoo.com
@msn.com
@excite.com
@mail.com

The sender's name will be selected at random from the list:

Jennifer
Barbara
Linda
Susan
Eric
Kevin
Mary
Robert
John
Maria
Alex
Pamela
Anna
Andrew
Fred
Jack
James
Julie
Debby
Claudia
Matt
Brent

W32/MyDoom-Y will attempt to terminate any running processes found which include the following strings as part of their name:

task
msconfig
AV
MC
ieframe
nti
iru
ire
cc
ecu
can
scn
kv
fr
regedit

W32/MyDoom-Y will create a mutex named hola_back_bitches.
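The dropped file, the two Run values, the Explorer infection marker and the mutex together give a host-side checklist for this worm. The following is an added example, not Sophos's tool or code from this page: it evaluates those indicators over a `HostSnapshot` record, so the logic can be exercised with constructed data, and includes a collector for a live Windows host built on `winreg`, `os.path` and `OpenMutexW`. Assumptions are marked in the code: the "default SYSTEM folder" is taken to be `%SystemRoot%\System32`, and the Explorer marker is accepted as either a key or a value because the page calls it only a "registry entry".

```python
"""Host triage for the W32/MyDoom-Y indicators listed above (added example)."""
import os
import sys
from dataclasses import dataclass, field

# Indicators taken from the description on this page.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "MS Updates"
INFECTION_MARKER = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOSTS"
DROPPED_FILE = "SYSHOSTS.EXE"
MUTEX_NAME = "hola_back_bitches"


@dataclass
class HostSnapshot:
    """What was observed on a host; filled by a collector or constructed by hand for tests."""
    run_values: dict = field(default_factory=dict)   # {run key path: data of the "MS Updates" value}
    registry_keys: set = field(default_factory=set)  # registry paths found to exist
    system_files: set = field(default_factory=set)   # file names present in the system folder
    mutexes: set = field(default_factory=set)        # named mutexes that could be opened


def evaluate(snap: HostSnapshot) -> list[str]:
    """Return one finding per W32/MyDoom-Y indicator present in the snapshot."""
    findings = []
    for key in RUN_KEYS:
        data = snap.run_values.get(key, "")
        if DROPPED_FILE.lower() in data.lower():
            findings.append(f"autorun: {key}\\{RUN_VALUE_NAME} = {data}")
    if INFECTION_MARKER.lower() in {k.lower() for k in snap.registry_keys}:
        findings.append(f"infection marker: {INFECTION_MARKER}")
    if DROPPED_FILE.lower() in {f.lower() for f in snap.system_files}:
        findings.append(f"dropped file: {DROPPED_FILE} in system folder")
    if MUTEX_NAME in snap.mutexes:
        findings.append(f"mutex: {MUTEX_NAME}")
    return findings


def collect_windows_snapshot() -> HostSnapshot:
    """Populate a snapshot from the live registry, file system and object namespace (Windows only)."""
    import ctypes
    import winreg

    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = HostSnapshot()
    for key in RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                data, _ = winreg.QueryValueEx(handle, RUN_VALUE_NAME)
                snap.run_values[key] = str(data)
        except OSError:
            pass  # key or value absent
    hive, _, subkey = INFECTION_MARKER.partition("\\")
    parent, _, name = subkey.rpartition("\\")
    try:  # assumption: the marker may be a key or a value; the page says only "registry entry"
        winreg.CloseKey(winreg.OpenKey(hives[hive], subkey))
        snap.registry_keys.add(INFECTION_MARKER)
    except OSError:
        try:
            with winreg.OpenKey(hives[hive], parent) as handle:
                winreg.QueryValueEx(handle, name)
            snap.registry_keys.add(INFECTION_MARKER)
        except OSError:
            pass
    # Assumption: the "default SYSTEM folder" is %SystemRoot%\System32.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isfile(os.path.join(system_dir, DROPPED_FILE)):
        snap.system_files.add(DROPPED_FILE)
    # Probe for the mutex with OpenMutexW; SYNCHRONIZE (0x00100000) access is enough to test existence.
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(0x00100000, False, MUTEX_NAME)
    if handle:
        snap.mutexes.add(MUTEX_NAME)
        kernel32.CloseHandle(ctypes.c_void_p(handle))
    return snap


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being triaged")
    for line in evaluate(collect_windows_snapshot()) or ["no W32/MyDoom-Y indicators found"]:
        print(line)
```

The Run values are matched on the SYSHOSTS.EXE file name rather than on the value name alone, since "MS Updates" is a generic label that an unrelated program could also use; the mutex probe is a presence test only and does not take ownership of the object.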

After 1am 01 December 2004 W32/MyDoom-Y will shut down the computer whenever it is started.
