Jan 25 2005

MyDoom.AM is a mass-mailing email and P2P filesharing worm that modifies the HOSTS file to prevent infected users from accessing certain antivirus vendor sites. The worm modifies the existing HOSTS file so that attempts to access a large number of antivirus vendor sites are redirected to the local loopback address (127.0.0.1). The worm also spreads via P2P networks, attempts to shut down processes associated with other worms, and prevents users from accessing the Task Manager. Each time an infected user tries to open Task Manager, the worm will close it.

Email characteristics

As with most modern email worms, the From address used in the MyDoom.AM email is spoofed. This may result in bounce messages being sent to persons who neither sent the worm nor are infected with it.

The Subject line of the MyDoom.AM email may be blank, or it may contain random text, or it may be any one of the following: 'Hello', 'Status', 'Good day', 'Do not reply to this email', 'Mail Delivery System', 'Attention!!!', 'Mail Transaction Failed', 'Server Report', 'Error'

The attachment will be named one of the following: 'data', 'document', 'message', 'readme', 'doc', 'docs', 'rules', 'body' and will have one of the following extensions: 'bat', 'cmd', 'exe', 'pif', 'scr', or 'zip'.

The message body of the MyDoom.AM email may be one of the following:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attention! Your IP was logged by The Internet Fraud Complaint Center Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted. This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center

Here is your documents you are requested.

Attention! New self-spreading virus! Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment. 2004 Networks Associates Technology, Inc. All Rights Reserved

New terms and conditions for credit card holders Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web. Thank you, The World Bank Group 2004 The World Bank Group, All Rights Reserved

Thank you for registering at WORLDXXXPASS.COM All your payment info, login and password you can find in the attachment file. It's a real good choise to go to WORLDXXXPASS.COM

P2P characteristics

MyDoom.AM also drops copies of itself to shared folders related to the eDonkey, Kazaa, Morpheus, iMesh and LimeWire P2P networks. The filenames used are:

activation_crack
ad-awareref01R249
adultpasswds
avprokey
icq2004-final
K-LiteCodePack2.34a
NeroBROM220.127.116.11
winxp_patch
winamp5
porno
Ad-awref01R349

The file extension will be either 'bat', 'exe', 'pif', or 'scr'.

Infection routine

When MyDoom.AM is executed, it first launches a Notepad file containing garbage text. Behind the scenes, MyDoom.AM drops a copy of itself to the Windows system directory. The dropped file is named LSASRV.EXE. MyDoom.AM then modifies the HKLM..\Run key to load this file when Windows starts.

Because the worm interferes with the use of Task Manager, manual removal might best be effected through the use of a tool such as HijackThis.
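
A mail-gateway triage check built from the email characteristics listed above, given here as an added example that is not part of the original description. The function names, the verdict labels and the sample messages are assumptions constructed for illustration. Because the Subject may be blank or random, the attachment name is the primary signal and the Subject only raises confidence.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicator lists copied from the email characteristics in the description.
SUBJECTS = {"hello", "status", "good day", "do not reply to this email",
            "mail delivery system", "attention!!!", "mail transaction failed",
            "server report", "error"}
ATTACH_NAMES = {"data", "document", "message", "readme", "doc", "docs",
                "rules", "body"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def attachment_matches(filename):
    """True when both the base name and the extension are on the lists."""
    stem, dot, ext = filename.strip().lower().rpartition(".")
    return bool(dot) and stem in ATTACH_NAMES and ext in ATTACH_EXTS


def triage(raw_message):
    """Return (verdict, reasons); verdict labels are hypothetical.

    A listed subject alone never flags a message, since those subjects
    are common in legitimate mail and the worm may not use them at all.
    """
    msg = message_from_string(raw_message)
    hits = [p.get_filename() for p in msg.walk()
            if p.get_filename() and attachment_matches(p.get_filename())]
    subject = (msg.get("Subject") or "").strip().lower()
    reasons = []
    if hits:
        reasons.append("attachment: " + ", ".join(hits))
    if subject in SUBJECTS:
        reasons.append("subject: " + subject)
    if not hits:
        return "pass", reasons
    return ("quarantine" if subject in SUBJECTS else "review"), reasons


def sample(subject, filename):
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = subject
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, name in [("Mail Delivery System", "document.pif"),
                       ("xk2 qpl", "readme.zip"), ("Error", "report.pdf")]:
        print(subj, name, triage(sample(subj, name)))
```

A benign file such as data.zip also matches the name lists, which is why an attachment match without a listed Subject is sent to review rather than quarantined.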