
MyDoom.C Analysis

MyDoom.C has been discovered in the wild by SecureWorks' research team. There are some changes to the code that make it quite unlike the previous two variants.

Update:

Most AV firms are now calling this variant "Doomjuice" due to substantial differences from the original MyDoom, most notably the fact that it is not a mass-mailer. Naming conventions aside, MyDoom.C/Doomjuice is definitely an offshoot of the original MyDoom code and is likely by the same author.

  • No more ROT13 encryption - Instead of ROT13, the author has moved to "string construction" methods of obfuscation. This means that each important string is assembled one letter at a time as the program runs. This eliminates the ability of non-experts to retrieve the string data with trivial programs such as the Unix "strings" and "rot" commands.
  • No more spreading via email or KaZaA - MyDoom.C does not have an SMTP component. It spreads only by infecting machines previously infected by MyDoom.A. Because of this fact and the fact that there are other worms and mass-rooters in the wild currently exploiting the MyDoom.A backdoor, MyDoom.C is not expected to be widespread.
  • The source code for MyDoom.A is included - Embedded in MyDoom.C is a compressed archive containing the source code for MyDoom.A. This code is dropped onto the root directory of each drive as well as the Windows, system and temp directories of each infected system. This is particularly disturbing, as it allows future variants to be created by any would-be malware writers who manage to get a copy.
  • The buggy date-comparison routine has been fixed - The author has realized the error in the date comparison for the DoS attack time, and has switched to a different method to compare dates.
  • www.sco.com is no longer a target - MyDoom.C still attempts to attack www.microsoft.com.
  • MyDoom.C no longer contains a proxy/backdoor DLL - The only embedded code is now the source code file. This may be an indication that the author is discontinuing development of MyDoom, instead passing it along to other miscreants to finish.
  • MyDoom.C has no expiration date - The only date calculations in the code are for when to start the DoS attack against Microsoft. The DoS and spreading threads will continue indefinitely.

Technical Details

MyDoom.C creates a mutex named sync-Z-mtx_133 to ensure only one copy is running in memory at a time.

MyDoom.C copies itself to the Windows system directory as intrenat.exe. It installs the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin which executes the intrenat.exe file at each boot.

If started on or between Feb. 8 and Feb. 12, MyDoom.C will start a thread which sleeps for a random period of time, then spawns 80 threads which all repeatedly request a page from www.microsoft.com. If started on or after Feb. 12, the DoS threads are created with no delay.

Removal

Kill the running intrenat.exe process using the Windows task manager, then remove the associated registry key. Note that MyDoom.C does not remove MyDoom.A, so you should follow published removal instructions for MyDoom.A as well.
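The three host artifacts named in Technical Details (the mutex, the dropped intrenat.exe, and the Gremlin Run value) can be checked for before following the removal steps. The script below is an added example, not SecureWorks' code; the matching logic takes already-collected data so it can be exercised anywhere, while the live collection assumes a Windows host whose system directory is %SystemRoot%\System32.

```python
import ctypes
import os

# Indicators taken from the analysis above
MUTEX_NAME = "sync-Z-mtx_133"
DROPPED_FILE = "intrenat.exe"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Gremlin"


def match_indicators(run_values, system_dir_files, mutex_names):
    """Match already-collected host data; returns a list of (kind, detail) hits."""
    hits = []
    for name, cmd in run_values.items():
        # Flag the documented "Gremlin" value, and any other Run entry
        # that launches intrenat.exe under a different value name.
        if name.lower() == RUN_VALUE.lower() or DROPPED_FILE in cmd.lower():
            hits.append(("run_key", f"{name} = {cmd}"))
    if any(f.lower() == DROPPED_FILE for f in system_dir_files):
        hits.append(("dropped_file", DROPPED_FILE))
    if MUTEX_NAME in mutex_names:
        hits.append(("mutex", MUTEX_NAME))
    return hits


def collect_windows():
    """Live collection on a Windows host: Run values, System32 listing, mutex probe."""
    import winreg  # Windows-only module
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values under the key
            run_values[name] = str(data)
            i += 1
    # Assumption: NT-family layout with the system directory under %SystemRoot%\System32
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    # OpenMutexW only succeeds when a mutex of that name already exists,
    # so a non-NULL handle means the worm's mutex is present.
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(0x00100000, False, MUTEX_NAME)  # SYNCHRONIZE access
    mutexes = []
    if handle:
        k32.CloseHandle(handle)
        mutexes.append(MUTEX_NAME)
    return run_values, os.listdir(system_dir), mutexes
```

On a Windows host, `match_indicators(*collect_windows())` returns the hits; an empty list means none of the three artifacts was found.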
