WinMydoomVmm Free Removal tool description
Free Removal tool for Win32.Mydoom.V@mm virus

Symptoms: Presence of the files Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe and %SYSTEM%\winspf32.exe.
Presence of a file tmp*.tmp with a size of 234496 bytes.

Presence of registry value: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinSPF = %SYSTEM%\winspf32.exe.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Version = FrankenShteiN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Version = FrankenShteiN

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

This is a mass-mailer that also drops a backdoor. The file is downloaded from one of the following URLs:

“http://www.llc.unibo.it”
“http://www.surrenderzeeland.nl”
“http://www.mercyships.de”
“http://www.hiw.kuleuven.ac.be”
“http://www.ach.ch”
“http://vugs.geog.uu.nl”
“http://www.planetboredom.net”

and is saved to a temporary file (with a temporary name). This file's size is 234496 bytes.

There appear to be several versions of this worm, which are simply recompilations of the same source.

The worm creates a mutex called ‘qwedefacedRDE’. It uses threads to search for e-mail addresses in files of the following types: wab, xls, vbs, uin, txt, tbb, stm, sht, php, msg, mht, jsp, htm, eml, dht, dbx, cgi, cfg, asp.

It sends mail using its own SMTP engine.
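The indicators above (dropped files, the 234496-byte temporary file, the Run value, the FrankenShteiN marker and the mutex) can be checked on a host before or after running the removal tool. The following PowerShell script is an added example and is not the removal tool's own code; the function name Test-MydoomVIndicators and the variable names are the example's own. It does not check the 5.0\User Agent values because the page does not state what the worm writes there, and it looks in every profile's Startup folder rather than only Administrator's, which is an assumption that the infected account need not be Administrator.

```powershell
# Added example (not the removal tool's own code): check a Windows host for the
# Win32.Mydoom.V@mm indicators described on this page and report those present.
# Run from an elevated prompt so HKLM and other profiles' Startup folders are readable.

function Test-MydoomVIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped executables. %SYSTEM% resolves to the System32 directory.
    $sysDir = [Environment]::GetFolderPath('System')
    $fileChecks = @( (Join-Path $sysDir 'winspf32.exe') )

    # Assumption: any profile may be infected, so check each profile's Startup folder
    # (both the XP-era path named on the page and the Vista+ AppData path).
    $profilesRoot = Split-Path $env:USERPROFILE -Parent
    foreach ($p in (Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue)) {
        $fileChecks += Join-Path $p.FullName 'Start Menu\Programs\Startup\rx32hh00.exe'
        $fileChecks += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rx32hh00.exe'
    }
    foreach ($f in $fileChecks) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("Dropped file: $f") }
    }

    # 2. The downloaded payload: tmp*.tmp of exactly 234496 bytes in the temp folder.
    Get-ChildItem -Path $env:TEMP -Filter 'tmp*.tmp' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 234496 } |
        ForEach-Object { $findings.Add("Temp download candidate: $($_.FullName)") }

    # 3. Persistence: the WinSPF value under the machine Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'WinSPF' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run value WinSPF = $($run.WinSPF)") }

    # 4. Infection marker: Internet Settings\Version = FrankenShteiN in HKCU and HKLM.
    foreach ($hive in 'HKCU', 'HKLM') {
        $isKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
        $ver = Get-ItemProperty -Path $isKey -Name 'Version' -ErrorAction SilentlyContinue
        if ($ver -and $ver.Version -eq 'FrankenShteiN') {
            $findings.Add("$hive Internet Settings\Version = FrankenShteiN")
        }
    }

    # 5. Running instance: the worm's mutex. OpenExisting throws when the name is absent.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('qwedefacedRDE')
        $m.Dispose()
        $findings.Add('Mutex qwedefacedRDE is present (worm process likely running)')
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: nothing to report.
    } catch {
        $findings.Add("Mutex check inconclusive: $($_.Exception.Message)")
    }

    return $findings
}

$result = Test-MydoomVIndicators
if ($result.Count -eq 0) { 'No Win32.Mydoom.V@mm indicators found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

A hit on the Run value or a Startup-folder file is the persistence mechanism and will re-launch the worm at logon, so a positive result is a reason to run the removal tool and then re-run this check; a present mutex means the process is still live and should be stopped before the files are deleted.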

Author:
admin
Time:
Sunday, March 30th, 2008 at 1:30 am
Category:
AntiVirus