Symptoms:
Presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
with the following value:
%WINDIR%\java.exe
Presence of the following files:
%WINDIR%\java.exe
%WINDIR%\services.exe
The port 1034 is listening for incoming connections.
Technical description:
This is an internet worm that spreads trough e-mail.
When it is run it adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
with the following value:
%WINDIR%\java.exe
It copies itself to %WINDIR%\java.exe
where %WINDIR% is a variable representing the Windows directory.
It drops the following file:
%WINDIR%\services.exe, that is detected by BitDefender as Backdoor.Mydoom.M
It tries to terminate some programs that have windows with the following names:
rctrl_renwnd32
ATH_Note
IEFrame
It searches for mail addresses in the default Windows Address Book, then looks into the Temporary Internet Files and then scans all the disks on the machine, looking for files that have the extension starting with pl, ph, tx, asp, dbx, wab etc.
It sends mail with the sender one of "Postmaster", "Mail Administrator", "Automatic Email Delivery Software", "Post Office", "The Post Office", "Bounced mail", "Returned mail", "MAILER-DAEMON", "Mail Delivery Subsystem".
The mail has the subject one of: "hello", "hi", "error", "status", "test", "report", "delivery failed", "Message could not be delivered", "Mail System Error - Returned Mail", "Delivery reports about your e-mail", "Returned mail: see transcript for details", "Returned mail: Data format error" etc.
The attachment's name is one of "readme", "instruction", "transcript", "mail", "letter", "text", "file", "attachment",
"document", "message" with the extension in "cmd", "bat", "com" , "exe", "pif", "scr". It sometimes has ".zip" after the normal extension.
The mail is constructed based on a template. The worm parses the template and generates a very large number of possible bodies. The rule is very simple, it just picks one of the options separated by |.
For instance, for the string "{We have {detected|found|received reports} " it can generate "We have detected" or "We have found" or "We have received reports" .
Also , there are some variables that have $ in front of them, and they are filled with data at runtime . For instance, $t is the name of the domain.
The template is this:
Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}
Your message {was not|could not be} delivered because the destination {computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:
<$t>
Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
| }from {$F [$i]|{$i|[$i]}}
----- The following addresses had permanent fatal errors -----
{<$t>|$t}
{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server ||||}{$T.|$i}:
{>>> MAIL F{rom|ROM}:$f
<<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
<<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
{<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}<<< 400}|}
Removal instructions:
Kill the JavaVM process and delete the files.