Win32.HLLM.MyDoom.44544

Description

Win32.HLLM.MyDoom.44544 is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems/ Its executable module is packed with UPX. The packed size of the worm is 44, 544 bytes.

Launching

To secure its automatic execution at every Windows startup the worm modifies the registry key:
HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run
"SVHOST" = "%SysDir%\SVHOST.EXE"

Spreading

the worm mass disseminates via e-mail using its own SMTP engine. It retrieves addresses from files with the following extensions:

     adb
     asp
     dbx
     htm
     php
     sht
     tbb
     wab       

The sender’s name contains a proper name written with small letter and may be, for example, alex, john or sam
Subject:

    
     test 
     hi 
     hello 
     Mail Delivery System 
     Mail Transaction Failed 
     Server Report 
     Status 
     Error
            

Message body:

     test
     Mail transaction failed. Partial message is available. 
     The message contains Unicode characters and has been sent as a binary attachment. 
     The message cannot be represented in 7-bit ASCII encoding and has 
been sent as a binary attachment. 
     

The attachment may have two extensions, the first of which is .doc, .htm or .txt, and the second is .cmd, .exe, .pif , .scr or .zip.
Its name is chosen from the following list:

     body 
     data 
     doc 
     document 
     file 
     message 
     readme 
     test 
     text
     
                 

Action

Being executed, the worm runs application NotePad and opens a file called Message, created in the Temp folder. The file contains a random garbage.
The worm copies itself to the WindowSystem folder (in Windows 9x/ME it’s C:\Windows\System, in Windows NT/2000 it’s C:\WINNT\System32, in Windows XP it’s C:\Windows\System32) as SVHOST.EXE.

The worm deletes the value TaskMon from the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\