This worm spreads via the Internet as an attachment to infected messages,
via file sharing networks and open network resources. The worm sends itself to email
addresses harvested from infected machines. The worm also contains a backdoor function.
The worm itself is a Windows PE EXE file approximately 21 KB in size.
Installation
During installation the worm copies itself as "lsass.exe" to the Windows
root directory, for example:
C:\WINDOWS\lsass.exe
The worm then registers this file in the system registry as a key to
enable autorun:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Traybar = %WinDir% \LSASS.EXE
This ensures that the worm will be launched each time the system is
rebooted.
The worm searches the computer for folders where the name contains the
following words:
download
ftproot
incoming
Share
and copies itself several times to each folder found, under the following
names:
Harry Potter
ICQ 4 Lite
index
Kazaa Lite
Winamp 5.0 (en)
Winamp 5.0 (en) Crack
WinRAR.v.3.2.and.key
The files will have one of the following extensions:
com
exe
scr
ShareReactor.com
Propagation
In order to find email addresses to send infected messages to, Mydoom.l
searches for files with the following extensions:
doc
htm
html
txt
and harvests email addresses found in these files. The worm uses the
recipient's SMTP server to send email messages to all of the harvested addresses.
Infected messages
Sender's address
The sender's address is spoofed, using one of the email addresses
harvested from the system.
Subject (chosen at random from the following list):
click me baby, one more time
delivery failed
Delivery reports about your e-mail
error
hello
hi
Mail System Error - Returned Mail
Message could not be delivered
report
Returned mail: Data format error
Returned mail: see transcript for details
say helo to my litl friend
status
test
Message body (chosen at random from the following list):
The original message was included as attachment
This Message was undeliverable due to the following reason:
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within [ ] days:
Host $i is not responding.
The following recipients did not receive this message:
<[ ]>
Please reply to postmaster@[ ]
if you feel this message to be in error.
The original message was received at [ ]
from [ ]
----- The following addresses had permanent fatal errors -----
<[ ]>
----- Transcript of session follows -----
while talking to [ ].:
>>> MAIL From:[ ]
<<< 501 [ ]... Refused
The original message was received at $w
from [ ]
----- The following addresses had permanent fatal errors -----
<[ ]>
Attachment name (chosen at random from the list below):
<blank>
attachment
document
file
letter
mail
message
readme
text
transcript
with one of the following extensions:
bat
cmd
com
exe
pif
scr
zip
Remote Administration
The backdoor in Mydoom.l opens and then monitors TCP port 1042 in order
to receive remote commands.
Check out if we have free
removal tool for this virus
