Subscribe0 0
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate. It is approximately 35KB in size, compressed using UPX. The size of the decompressed file is approximately 43 KB. Installation On launching, the worm copies itself to the Windows system directory under the name intrenat.exe and registers this file in the system registry auto-run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gremlin" = "%system%\intrenat.exe"The worm extracts a file named sync-src-1.00.tbz from itself, and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings.
This file is a tar archive which contains the full source text of I-Worm.Mydoom.a
The worm creates the unique identifier sync-Z-mtx_133 to show its presence in memory. Propagation To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
In order to choose IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3 4 6 8 9 11 12 13 14 15 16 17 18 19 20 21 22 24 25 26 28 29 30 32 33 34 35 38 40 43 44 45 46 47 48 49 50 51 52 53
54 55 56 57 61 62 63 64 65 66 67 68 80 81 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 193 194
195 196 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239
Hot Articles