W32/MyDoom-AO

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/MyDoom-AO is a mass-mailing and peer-to-peer worm which emails itself as an attachment to addresses found on the infected computer.

W32/MyDoom-AO will attempt to copy itself to peer-to-peer folders of KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire.

W32/MyDoom-AO may also create a file hserv.sys in the Windows system folder. This file is non-malicious and can be safely deleted.

When run, W32/MyDoom-AO launches Notepad displaying garbage text, which serves as a decoy.

When first run, the worm copies itself to the Windows system folder as lsasrv.exe and creates the following registry entry so that it starts automatically when the computer reboots:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lsass
%SYSTEM%\lsasrv.exe

On Windows 2000 and Windows XP systems the worm will also modify the Explorer shell association by changing the following registry entry from:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer

to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer %SYSTEM%\lsasrv.exe
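The two persistence points above (a Run value named lsass that launches lsasrv.exe, and a Winlogon Shell value with an extra program appended after explorer) can be audited from exported registry values. The following is an added example written for this page, not Sophos code: the values are passed in as strings so that it runs offline (on a live system they would be read with winreg, which is an assumption, not something the description covers), and the sample values are constructed.

```python
import ntpath
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "lsass"      # value the worm writes under ...\CurrentVersion\Run
WORM_IMAGE = "lsasrv.exe"     # copy of the worm in the Windows system folder
                              # (note: lsass.exe and lsasrv.dll are legitimate
                              # Windows files; lsasrv.exe is not)
NORMAL_SHELLS = {"explorer", "explorer.exe"}


def first_image(command: str) -> str:
    """Return the lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return ntpath.basename(exe).lower()


def shell_extra_programs(shell_value: str) -> list:
    """Return every program in a Winlogon Shell value other than explorer.

    The value is normally just 'explorer' or 'explorer.exe'. The worm appends
    its own path separated by a space; Windows itself also accepts a
    comma-separated list, so both separators are handled. Quoted paths that
    contain spaces are not handled, to keep the check short.
    """
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if ntpath.basename(t).lower() not in NORMAL_SHELLS]


def audit_persistence(run_values: dict, shell_value: str) -> list:
    """Return human-readable findings for the indicators described above.

    run_values maps Run value names to their command lines; shell_value is the
    Winlogon Shell string.
    """
    findings = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME or first_image(command) == WORM_IMAGE:
            findings.append(f"Run value '{name}' launches {command}")
    for extra in shell_extra_programs(shell_value):
        findings.append(f"Winlogon Shell launches extra program {extra}")
    return findings


# Constructed sample values resembling an infected Windows XP system.
SAMPLE_RUN = {
    "ctfmon.exe": "CTFMON.EXE",
    "lsass": r"C:\WINDOWS\system32\lsasrv.exe",
}
SAMPLE_SHELL = r"explorer C:\WINDOWS\system32\lsasrv.exe"

if __name__ == "__main__":
    for finding in audit_persistence(SAMPLE_RUN, SAMPLE_SHELL):
        print(finding)
```

A clean system yields no findings; the sample above yields one for the Run value and one for the Shell value, which is the pattern to look for during incident triage before removing the entries.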

W32/MyDoom-AO may also create a file hserv.sys in the Windows system folder. This file is non-malicious and can be safely deleted.

W32/MyDoom-AO will attempt to copy itself to the peer-to-peer folders of KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire using the following filenames (with an extension chosen from PIF, SCR, EXE or BAT):

NeroBROM6.3.1.27
avpprokey
Ad-awareref01R349
winxp_patch
adultpasswds
dcom_patches
K-LiteCodecPack2.34a
activation_crack
icq2004-final
winamp5

The worm also attempts to remove the startup registry entries of other malware that may be installed, terminate various anti-virus and security applications, and prevent access to related websites by adding the following entries to the HOSTS file:

127.0.0.1 grisoft.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
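The HOSTS entries above all point security-vendor names at the loopback address, so a simple check for a tampered HOSTS file is to flag every name other than localhost that resolves to loopback, and to mark those matching the vendor domains listed above as high confidence. The following is an added example for this page, not Sophos code; the HOSTS content is a constructed sample embedded in the script (on a real Windows system the file is %SYSTEM%\drivers\etc\hosts, which the reader would pass in instead).

```python
import ipaddress

# Registrable domains of the vendor names in the list above.
VENDOR_DOMAINS = {
    "grisoft.com", "trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "kaspersky.com",
    "avp.com", "kaspersky-labs.com", "f-secure.com", "viruslist.com",
    "symantecliveupdate.com", "sophos.com",
}

# Names that legitimately map to loopback or the unspecified address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for every mapping in a HOSTS file.

    Comments start with '#'; blank and malformed lines are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; leave it alone
        for host in parts[1:]:
            yield lineno, ip, host.lower()


def is_vendor_name(host: str) -> bool:
    """True if host is one of the vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_sinkholed_hosts(text: str) -> list:
    """Return (line_number, hostname, confidence) for suspicious loopback mappings."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if (ip.is_loopback or ip.is_unspecified) and host not in LOCAL_NAMES:
            confidence = "vendor" if is_vendor_name(host) else "other"
            findings.append((lineno, host, confidence))
    return findings


# Constructed sample HOSTS file: two benign lines, then entries of the kind
# the worm writes, then an unrelated loopback entry worth a look.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
10.0.0.5        intranet.corp.example
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.example.org
"""

if __name__ == "__main__":
    for lineno, host, confidence in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> loopback ({confidence})")
```

Blocking update servers is the part that matters operationally: an infected machine cannot fetch new signatures, so the HOSTS file should be cleaned before any update or scan is attempted.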

W32/MyDoom-AO will harvest email addresses from files found on the infected computer with the following extensions:

WAB PL ADB TBB DBX ASP EDM VBS WML JS TPL CONF VB CSP ASM ASC ASA DWT LBI RDF RSS XST XSD DLT XML JSP INC SSI STM XHT HTC HTA CGI PHP SHT HTM TXT

Emails generated by the worm have the following characteristics:

Subject line chosen from:

Good day
Do not reply to this email
hello
Mail Delivery System
Attention!!!
Mail Transaction Failed
Server Report
Status
Error

Message body is one of:

"Mail transaction failed. Partial message is available."

"The message contains Unicode characters and has been sent as
a binary attachment."

"The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment."

"Do not visit these sites!!!"

"You have visited illegal websites.
I have a big list of the websites you surfed."

"You think it's funny? You are stupid idiot!!! I'll send
the attachment to your ISP and then I'll be watching
how you will go to jail, punk!!!"

"Your credit card was charged for $500 USD. For additional in
formation see the attachment"

"ESMTP [Secure Mail System #334]: Secure message is attached."

"Encrypted message is available."

"Delivered message is attached."

"Can you confirm it?"

"Binary message is available."

"am shocked about your document!"

"Are you a spammer? (I found your email on a spammer website!?!"

"Bad Gateway: The message has been attached."

"Attention! New self-spreading virus!

Be careful, a new self-spreading virus called "RTSW.Smash"
spreading very fast via e-mail and P2P networks. It's about
two million people infected and it will be more.

To avoid your infection by this virus and to stop it we
provide you with full information how to protect yourself
against it and also including free remover. Your can find it
in the attachment.

2004 Networks Associates Technology, Inc. All Rights Reserved"

"New terms and conditions for credit card holders

Here a new terms and conditions for credit card holders using a
credit cards for making purchase in the Internet in the attachment.
Please, read it carefully. If you are not agree with new terms
and conditions do not use your credit card in the World Wide Web.

Thank you,

The World Bank Group
2004 The World Bank Group, All Rights Reserved"

"Thank you for registering at WORLDXXXPASS.COM

All your payment info, login and password you can find in the
attachment file. It's a real good choise to go to
WORLDXXXPASS.COM"

"Attention! Your IP was logged by The Internet Fraud Complaint Center

Your IP was logged by The Internet Fraud Complaint Center. There was
a fraud attempt logged by The Internet Fraud Complaint Center from
your IP. This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged
and if there will be anover attemption you will be busted.

This message is brought to you by the Federal Bureau of Investigation
and the National White Collar Crime Center"

"Here is your documents you are requested."

The attachment filename is chosen from the following and can take one of these extensions (pif, scr, exe, cmd, bat, zip):

document
readme
doc
rules
file
data
docs
message
body
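The subject lines, message bodies and attachment names above are the characteristics a mail gateway or log review would match on. The following is an added example for this page, not Sophos code: it parses a raw message with Python's standard email library and reports which of the listed indicators it matches. The message is a constructed sample shaped like the worm's bounce-style emails; a subset of the body texts is used, normalised on whitespace so that the line wrapping shown above does not matter.

```python
import email
from email import policy

# Indicators from the lists above.
SUBJECTS = {
    "Good day", "Do not reply to this email", "hello", "Mail Delivery System",
    "Attention!!!", "Mail Transaction Failed", "Server Report", "Status", "Error",
}
BODY_SNIPPETS = [
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "Delivered message is attached.",
    "Encrypted message is available.",
    "Binary message is available.",
    "Bad Gateway: The message has been attached.",
]
ATTACHMENT_NAMES = {"document", "readme", "doc", "rules", "file", "data", "docs", "message", "body"}
ATTACHMENT_EXTS = {"pif", "scr", "exe", "cmd", "bat", "zip"}


def normalise(text: str) -> str:
    """Collapse whitespace and case so wrapped bodies still match."""
    return " ".join(text.split()).lower()


NORMALISED_SNIPPETS = [(normalise(s), s) for s in BODY_SNIPPETS]


def match_indicators(raw_message: str) -> list:
    """Return the indicators found in a raw RFC 822 message, in header-then-body order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            base, _, ext = filename.rpartition(".")
            if base.lower() in ATTACHMENT_NAMES and ext.lower() in ATTACHMENT_EXTS:
                hits.append(f"attachment:{filename}")
        elif part.get_content_type() == "text/plain":
            body = normalise(part.get_content())
            for needle, original in NORMALISED_SNIPPETS:
                if needle in body:
                    hits.append(f"body:{original}")
    return hits


# Constructed sample resembling the worm's bounce-style email.
SAMPLE_MESSAGE = """\
From: "Mail Delivery System" <postmaster@example.com>
To: user@example.com
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment.

--XX
Content-Type: application/octet-stream; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

BENIGN_MESSAGE = """\
From: colleague@example.com
To: user@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="us-ascii"

Are we still on for 12:30?
"""

if __name__ == "__main__":
    print(match_indicators(SAMPLE_MESSAGE))
```

A single hit (a subject of "Error", say) is weak on its own; the combination of a listed subject, a listed body and an executable or zip attachment named from the short list is what distinguishes these messages from ordinary bounces.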