WORM_MYDOOM.BB
Overview

Malware type: Worm

Aliases: W32.Mydoom.AX@mm (Symantec), W32/MyDoom-O (Sophos), Email-Worm.Win32.Mydoom.am (Kaspersky), Worm/Mydoom.BB (Avira), W32/Mydoom.AY@mm (F-Prot), W32/Mydoom.bb@MM (McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of February 16, 2005, 05:31 PM (GMT -08:00, Pacific Standard Time), TrendLabs had received numerous reports of new samples of the mass mailer WORM_MYDOOM.M spreading rapidly in Singapore and in the U.S. Earlier samples of this worm are known to be compressed using UPX. However, the new samples received by Trend Micro have been found to be compressed using MEW. These new samples are now detected as WORM_MYDOOM.BB.

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_MYDOOM.BB Behavior Diagram

Malware Overview

WORM_MYDOOM.BB is similar to WORM_MYDOOM.M in almost all aspects. Like earlier variants, this worm spreads via email through SMTP (Simple Mail Transfer Protocol), gathering target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives. Notably, it skips email addresses that contain certain strings.

When it finds an email address, it gets the domain name of that email address and queries the following search engines to search for email addresses in the same domain:

  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com

It does this to gather more and more addresses to spam.

Using social engineering techniques, this worm sends out an email with a spoofed sender name that poses as a delivery failure notification.

Social engineering, a propagation technique widely used by most worm programs, relies largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.

The email message it sends has varying subjects, message bodies, and attachment file names. For specific details about this worm's email message, see the Technical Details page.

Apart from simply spreading via email, this worm also carries backdoor functionality that leaves the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens TCP port 1034 and waits for outside connections. This routine virtually hands over control of the affected machine to a remote attacker.

Moreover, this worm also downloads and executes a backdoor program from a specific Web site. Trend Micro detects this backdoor program as BKDR_SURILA.O.
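The backdoor behavior described above gives a responder three host-side indicators to check: a TCP listener on port 1034, a file named SERVICES.EXE sitting directly in the Windows folder rather than under System32, and a process making its own outbound SMTP connections. The following triage helper is an added example, not Trend Micro's code or part of this description; it works over constructed `netstat -ano`-style output and a constructed file list so it can run offline, and it assumes a default `C:\Windows` install root.

```python
"""Host-triage checks for the WORM_MYDOOM.BB indicators in the description above.
Added example with constructed sample data; not Trend Micro's code."""
import re
from pathlib import PureWindowsPath

BACKDOOR_PORT = 1034             # from the description: dropped SERVICES.EXE listens here
DROPPED_NAME = "services.exe"    # from the description: dropped in the Windows folder
SMTP_PORT = 25                   # the worm mails itself over SMTP
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")  # assumption: default install root

# Matches the LISTENING and ESTABLISHED rows of `netstat -ano` output.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)
ESTAB_RE = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)\s*$", re.I)

# Constructed sample output; the PID 1764 is a made-up value for illustration.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.10:1052      203.0.113.5:25         ESTABLISHED     1764
  TCP    192.168.1.10:1060      198.51.100.7:80        ESTABLISHED     2204
""".strip("\n").splitlines()

# Constructed file list: the legitimate binary lives under System32.
SAMPLE_PATHS = [
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\SERVICES.EXE",
    r"C:\Windows\explorer.exe",
]


def find_backdoor_listeners(netstat_lines, port=BACKDOOR_PORT):
    """Return (local_address, pid) for every TCP socket LISTENING on `port`."""
    hits = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits


def find_direct_smtp_connections(netstat_lines, port=SMTP_PORT):
    """Return (pid, remote_address) for every ESTABLISHED connection to `port`.
    A non-mail process talking SMTP directly is consistent with a mass mailer."""
    hits = []
    for line in netstat_lines:
        m = ESTAB_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append((int(m.group(3)), m.group(1)))
    return hits


def find_misplaced_services_exe(paths, windows_dir=WINDOWS_DIR):
    """Flag SERVICES.EXE located directly in the Windows folder.
    PureWindowsPath compares case-insensitively, so C:\\WINDOWS also matches."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == DROPPED_NAME and wp.parent == windows_dir:
            flagged.append(str(wp))
    return flagged


def suspicious_pids(netstat_lines):
    """PIDs that both listen on the backdoor port and open SMTP connections:
    the strongest correlation a single netstat snapshot can give."""
    listeners = {pid for _, pid in find_backdoor_listeners(netstat_lines)}
    mailers = {pid for pid, _ in find_direct_smtp_connections(netstat_lines)}
    return sorted(listeners & mailers)


if __name__ == "__main__":
    print("port-1034 listeners:", find_backdoor_listeners(SAMPLE_NETSTAT))
    print("direct SMTP:", find_direct_smtp_connections(SAMPLE_NETSTAT))
    print("misplaced SERVICES.EXE:", find_misplaced_services_exe(SAMPLE_PATHS))
    print("correlated PIDs:", suspicious_pids(SAMPLE_NETSTAT))
```

On a live host the same functions can be fed the real output of `netstat -ano` and a directory listing of `%WINDIR%`; a listener on port 1034 is the indicator the description gives, and a PID that both listens there and connects out to port 25 is the one to isolate and examine first.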

For additional information about this threat, see:
Solution
Technical Details

Description created: Feb. 16, 2005 6:04:57 PM GMT -0800
