W32.Doomhunter

Discussion in 'malware problems & news' started by Marianna, Feb 14, 2004.

    Discovered on: February 12, 2004
    Last Updated on: February 14, 2004 03:58:39 PM

    W32.Doomhunter is a worm that attempts to spread to the machines that are infected with W32.Mydoom@mm variants.

    Type: Worm
    Infection Length: 5,120

    Systems Affected: Windows 2000, Windows XP

    When W32.Doomhunter runs, it does the following:


    Copies itself as %System%\worm.exe.


    --------------------------------------------------------------------------------
    Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    --------------------------------------------------------------------------------


    Adds the value:

    "Delete Me"="worm.exe"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows®.


    Deletes the default value in the registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


    --------------------------------------------------------------------------------
    Note: W32.Mydoom.A@mm and W32.Mydoom.B@mm modify this key.
    --------------------------------------------------------------------------------


    Displays various messages when running, such as the following examples:

    http://securityresponse.symantec.com/avcenter/graphics/w32.doomhunter.1.gif

    http://securityresponse.symantec.com/avcenter/graphics/w32.doomhunter.2.gif

    --------------------------------------------------------------------------------
    Note: All the messages have "Mydoom removal worm (DDOS the RIAA!!)" in the title bar.
    --------------------------------------------------------------------------------


    Terminates the following processes, which the worms W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Blaster.Worm, and W32.Blaster.C.Worm may create:

    SHIMGAPI.DLL
    CTFMON.DLL
    REGEDIT.EXE
    TEEKIDS.EXE
    MSBLAST.EXE
    EXPLORER.EXE
    TASKMON.EXE
    INTRENAT.EXE


    --------------------------------------------------------------------------------
    Note: All the Windows operating systems have a legitimate system process titled explorer.exe.
    --------------------------------------------------------------------------------


    Deletes the following files from the System folder, which are associated with the worms W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Blaster.Worm, and W32.Blaster.C.Worm:

    SHIMGAPI.DLL
    CTFMON.DLL
    REGEDIT.EXE
    TEEKIDS.EXE
    MSBLAST.EXE
    EXPLORER.EXE
    TASKMON.EXE
    INTRENAT.EXE


    --------------------------------------------------------------------------------
    Notes:
    The legitimate system file explorer.exe exists in the %Windir% folder on all the Windows systems.
    %Windir% is a variable for the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------


    Listens on TCP port 3127.

    --------------------------------------------------------------------------------
    Note: Port 3127 is the port that the backdoor component of W32.Mydoom.A@mm opened.
    --------------------------------------------------------------------------------


    If the connection is established, the worm first sends five bytes to the remote computer. Then, it sends a copy of itself to the remote computer. The backdoor component of W32.Mydoom.A@mm will accept the file and then execute it.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.doomhunter.html
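As an added example (not code from the advisory or the forum post), a small offline triage routine that checks a host snapshot for the indicators listed above: the "Delete Me" Run value, the dropped worm.exe, the TCP 3127 listener, and the Mydoom/Blaster file names in %System%. The snapshot dict layout and the triage function are assumptions of this example; fill the dict from whatever registry export, file listing and netstat output you already collect.

```python
"""Triage a host snapshot for the W32.Doomhunter indicators in the advisory.

Added example: the snapshot layout is an assumption of this example, not a
format used by Symantec or the forum. Runs offline on any platform.
"""
from __future__ import annotations

# Indicators quoted from the advisory text.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("Delete Me", "worm.exe")
DROPPED_FILE = "worm.exe"
BACKDOOR_PORT = 3127  # Mydoom.A backdoor port, reused by Doomhunter
# Files the advisory associates with Mydoom/Blaster when found in %System%.
# explorer.exe is legitimate in %Windir%, so only a %System% copy is reported.
WORM_FILES_IN_SYSTEM = {"shimgapi.dll", "ctfmon.dll", "regedit.exe", "teekids.exe",
                        "msblast.exe", "explorer.exe", "taskmon.exe", "intrenat.exe"}


def triage(snapshot: dict) -> dict[str, list[str]]:
    """Return {"doomhunter": [...], "mydoom_blaster": [...]} indicator hits.

    snapshot keys (constructed for this example):
      "run_values"   {name: data} values under the HKCU Run key
      "system_files" file names present in %System%
      "listen_tcp"   TCP ports with a listening socket
    Comparisons are case-insensitive, matching Windows registry/file semantics.
    """
    run = {k.lower(): v.lower() for k, v in snapshot.get("run_values", {}).items()}
    sysfiles = {f.lower() for f in snapshot.get("system_files", [])}
    ports = set(snapshot.get("listen_tcp", []))

    doomhunter, related = [], []
    if run.get(RUN_VALUE[0].lower()) == RUN_VALUE[1]:
        doomhunter.append(f'{RUN_KEY} -> "{RUN_VALUE[0]}"="{RUN_VALUE[1]}"')
    if DROPPED_FILE in sysfiles:
        doomhunter.append(f"%System%\\{DROPPED_FILE}")
    if BACKDOOR_PORT in ports:
        # Ambiguous on its own: Mydoom.A opens the same port, so report it under both.
        doomhunter.append(f"tcp/{BACKDOOR_PORT} listening")
        related.append(f"tcp/{BACKDOOR_PORT} listening")
    for name in sorted(sysfiles & WORM_FILES_IN_SYSTEM):
        related.append(f"%System%\\{name}")
    return {"doomhunter": doomhunter, "mydoom_blaster": related}


if __name__ == "__main__":
    # Constructed snapshot of a host carrying both Doomhunter and Mydoom traces.
    sample = {"run_values": {"DELETE ME": "Worm.exe"},
              "system_files": ["kernel32.dll", "WORM.EXE", "shimgapi.dll"],
              "listen_tcp": [135, 445, 3127]}
    for family, hits in triage(sample).items():
        print(family, hits)
```

A hit only on tcp/3127 should be read as "Mydoom.A backdoor or Doomhunter", and the explorer.exe entry is only meaningful for a copy in the System folder, as the advisory's notes explain.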