W32/Mydoom.AH Worm
Information about the W32/Mydoom.AH Worm:
W32/Mydoom.AH is an email worm. This worm is a variant of W32/Mydoom.
The worm infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address picked at random from addresses found on the infected system.
The subject of the infected mail will be blank or any one of the following:
Confirmation
Hi!
hey!
The body of the infected mail will be any one of the following:
Body 1:
Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!
Body 2:
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my with my weblog and last webcam photos!
See you!
Body 3:
PayPal has successfully charged $175 to your credit card.
Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.
The infected email contains a hyperlink that points to a web page served by the infected machine that sent the email. Upon viewing the web page, the worm exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515) and drops a worm file <variable string>32.exe into the Windows System folder of the victim machine.
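As an added illustration (not part of the vendor's write-up), the following Python script checks an inbound message against the lure characteristics described above: the known subject lines, the body phrases, and a link whose host is a bare IP address, which is what a link back to the sending machine's own web page looks like. Both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators taken from the W32/Mydoom.AH description (lower-cased for matching).
LURE_SUBJECTS = {"", "confirmation", "hi!", "hey!"}
BODY_MARKERS = [
    "i am looking for new friends",
    "last webcam photos",
    "paypal has successfully charged",
    "order tracking number",
    "do not reply to this message",
]
# The lure link targets a web page on the infected sender itself, so the URL
# host is typically a bare IP address rather than a registered host name.
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)

def message_body(msg: Message) -> str:
    """Concatenate all text/plain parts (works for single-part and multipart)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
    )

def score_message(raw: str) -> dict:
    """Return matched indicators; 'suspicious' needs a bare-IP link plus one more hit."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = message_body(msg).lower()
    hits = ["subject"] if subject in LURE_SUBJECTS else []
    hits += [m for m in BODY_MARKERS if m in body]
    ip_hosts = BARE_IP_URL.findall(body)
    if ip_hosts:
        hits.append("bare-ip-link")
    return {"hits": hits, "ip_hosts": ip_hosts,
            "suspicious": "bare-ip-link" in hits and len(hits) >= 2}

# Constructed sample resembling Body 1 with a link to a documentation-range IP.
LURE_MAIL = """\
From: jane@example.com
To: victim@example.com
Subject: Hi!

Hi! I am looking for new friends. I am from Miami, FL. You
can see my homepage with my last webcam photos!
http://192.0.2.10/index.htm
"""
# Constructed benign sample for comparison.
BENIGN_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch on Friday?

Are you free for lunch on Friday? Menu at https://cafe.example.com/menu
"""
```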
It also alters the Windows Registry at the following location so that it is loaded at the next startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm opens TCP port 6667 and connects to a few IRC servers from its pre-configured list.
To propagate itself, the worm scans files with the following extensions and collects the email addresses found on the infected system:
.wab .txt .tbb .sht .pl .php .htm .dbx .asp .adb
The worm emails itself to these addresses using its own SMTP engine.
The worm avoids sending itself to email addresses that contain any of the following strings:
webmaster
utgers.ed
usenet
the.bat
tanford.e
support
submit
sopho
someone
somebody
service
sendmail
secur
samples
ruslis
ripe.
rfc-ed
rating
privacy
postmaster
panda
ntivi
nothing
noone
nodomai
nobody
mydomai
mozilla
mit.e
listserv
linux
kernel
isi.e
isc.o
inpris
icrosoft
icrosof
ibm.com
hotmail
google
gold-certs
feste
example
contact
certific
borlan
be_loyal:
berkeley
arin.
anyone
admin
acketst
accoun
This worm first appeared on 8th November, 2004.
Other names of W32/Mydoom.AH Worm:
This worm is also known as WORM_MYDOOM.AH, W32.Mydoom.AH@mm, W32/Mydoom.ah@MM.