W32/Mydoom.AE is an email worm and a variant of W32/Mydoom.
It infects Windows systems and spreads through email and KaZaA P2P software.
The infected email carries a spoofed 'From' address picked at random
from the infected system.
The worm arrives with any one of the following subjects:
Warning
read now!
Re:Information
Details
Re:Warning
Announcement
Re:Notification
Fw:Information
Re:Important
Re:Details
Fw:Important
Notification
Information
Fw:Notification
Re:Document
Important
Fw:Warning
Fw:Document
Document
The body of the infected mail will be any one of the following:
here is the document.
Please see the attached file for details
See the attached file for details
Details are in the attached document.
your document.
Reply
Please see the attached file for details.
Waiting for a Response. Please read the attachment.
Please confirm!.
Please answer quickly!.
Monthly news report.
Kill the writer of this document!
Please read the attached file!.
Important Information.
Daily Report.
Check the attached document.
The name of the infected attachment will be any one of the following:
report
file
text
notes
document
letter
archive
news
msg
note
attachment
check
message
list
information
error
data
The infected attachment carries a double extension. The first extension
is doc. The second extension is any one of the following:
.cpl, .pif, .scr.
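The subject, attachment name and double-extension traits listed above can be turned into a mail-gateway check. The following is an added example, not part of the original description or of any vendor's product; the function names, verdict labels and the constructed sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subjects and attachment base names copied from the lists in this description.
SUBJECTS = {s.lower() for s in (
    "Warning", "read now!", "Re:Information", "Details", "Re:Warning",
    "Announcement", "Re:Notification", "Fw:Information", "Re:Important",
    "Re:Details", "Fw:Important", "Notification", "Information",
    "Fw:Notification", "Re:Document", "Important", "Fw:Warning",
    "Fw:Document", "Document")}
NAMES = ("report|file|text|notes|document|letter|archive|news|msg|note|"
         "attachment|check|message|list|information|error|data")

# Any attachment ending in .doc.<cpl|pif|scr> hides an executable type.
DOUBLE_EXT_RE = re.compile(r"\.doc\.(?:cpl|pif|scr)$", re.I)
# Full profile: a listed base name followed by that double extension.
PROFILE_RE = re.compile(rf"^(?:{NAMES})\.doc\.(?:cpl|pif|scr)$", re.I)


def inspect(raw_message: str) -> str:
    """Return 'mydoom-ae-profile', 'suspicious' or 'clean' for one raw message."""
    msg = message_from_string(raw_message)
    subject_listed = (msg.get("Subject") or "").strip().lower() in SUBJECTS
    names = [(p.get_filename() or "").strip() for p in msg.walk()]
    if subject_listed and any(PROFILE_RE.match(n) for n in names):
        return "mydoom-ae-profile"
    if any(DOUBLE_EXT_RE.search(n) for n in names):
        return "suspicious"
    return "clean"


def build_sample(subject: str, filename: str) -> str:
    """Constructed test message; sender, body bytes and layout are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["Subject"] = subject
    m.set_content("Please see the attached file for details")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [("Re:Warning", "document.doc.scr"),
                        ("Quarterly figures", "Invoice.DOC.PIF"),
                        ("Details", "report.doc")]:
        print(f"{subj!r:22} {fname!r:20} -> {inspect(build_sample(subj, fname))}")
```

Matching is case-insensitive as a tolerance chosen for this example. The generic double-extension rule is kept separate from the full profile so that an attachment with an unlisted name is still flagged.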
Upon execution, the worm copies AVPR.EXE and TCP5424.DLL
into the Windows System folder.
It alters the Windows registry at the following location to load itself
during the next startup.
The worm emails itself to these addresses using its own SMTP engine.
The worm avoids sending itself to the email addresses that contain any
of the following strings:
usenet
unix
the.bat
tanford.e
utgers.ed
syma
webmaster
submit
spam
support
your
sendmail
abuse
someone
-._!@
somebody
site
sopho
service
samples
ruslis
root
ripe.
rfc-ed
secur
rating
postmaster
mozilla
panda
soft
page
ntivi
privacy
nothing
noone
nodomai
isi.e
nobody
mydomai
mit.e
math
listserv
linux
isc.o
icrosof
inpris
info
ietf
fsf.
icrosoft
ibm.com
iana
help
gov.
google
gold-certs
foo.
fido
-._!
feste
borlan
example
admin
.mil
ernel
contact
certific
arin.
bugs
berkeley
be_loyal:
.edu
anyone
.gov
acketst
The worm alters the hosts file and denies connections to antivirus
and security-related sites. The backdoor component of the worm tries to
download an infected file from www.freewebs.com.
This worm first appeared on 17th October, 2004.
Other names of W32/Mydoom.AE Worm:
This worm is also known as W32.Mydoom.AF@mm,
W32/Mydoom.ae@MM, I-Worm.Mydoom.aa, Win32.Mydoom.AD.
Proland Software is the developer of the Protector Plus range of antivirus
software packages. Protector Plus 2009 is available for Windows Vista,
Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations,
MS-Exchange 2000/2003, MS-DOS and NetWare servers.