[Dshield] FW: [Full-Disclosure] Hello Mydoom

Paul Marsh pmarsh at nmefdn.org
Thu Jan 29 14:04:41 GMT 2004

Morning All:

I don't know, maybe this is the wrong thing to forward, but can
the coders of the group take a look at this email from FD's list?

Thanx, Paul

-----Original Message-----
From: Juari Bosnikovich [mailto:juarib at m-net.arbornet.org] 
Sent: Wednesday, January 28, 2004 05:40 PM
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] Hello Mydoom

When I disassembled the virus I found new information that hasn't come
up anywhere else up to this time.

Here is the information that is believed...

1. use restricted usernames to send email to and from
2. encode strings with ROT13 method
3. create a mutex called 'SwebSipcSmtxSO' when run
4. transform in taskmon.exe and
4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "TaskMon" = %sysdir%\taskmon.exe
4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "TaskMon" = %sysdir%\taskmon.exe
5. add %sysdir%\shimgapi.dll
  open ports 3127/tcp - 3198/tcp
6. stops spreading February 12
7. spreads through KaZaA and Electronic Mail System
8. and more very technical facts I will not describe here

What I found...

Even if the virus (Mydoom) is programmed in assembler and compiled using
masm, it is made to look like it has been programmed in C++ when
disassembling. It is a fact that much more information is hidden and
undiscovered to this date, such as the fact that it will stop spreading
on February 12, which is not true. Mydoom will pass into a new phase upon
February 12 and it will be very much more serious as it will be updated
and will mutate into Mydoom.C. The backdoor (shimgapi.dll) opens a port
but this is used to obscure the real intention of Mydoom.B as well as
Outlook Express.

It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624-byte backdoor written in FORTH which will
open port tcp when Mydoom will be executed AFTER February 12.

It is a conclusion that the viral professionals that published diagnosis
of the Mydoom.A virus are trying to hide something or are very

Also there is no way to fix the virus that is injected in the BIOS
after it has been infected except by flashing it AFTER disinfecting
the workstation that was infected.

                                        Juari Bosnikovich

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
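
Added example, not part of the forwarded post or of either sender's message: a Python triage sketch that checks `reg query`-style and `netstat -an`-style text for the host artifacts listed in items 4 and 5 of the post (the "TaskMon" Run value, shimgapi.dll, and listeners on 3127/tcp - 3198/tcp). The function names, the sample input, and the reading of %sysdir% as a directory named `system` or `system32` are assumptions; the mutex from item 3 is not covered.

```python
import re

PORTS = range(3127, 3199)  # 3127/tcp through 3198/tcp, as listed in item 5
RUN_RE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.+?)\s*$")
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def run_key_hits(reg_text):
    """(key, data) for each 'TaskMon' Run value pointing at <sysdir>\\taskmon.exe."""
    hits, key = [], None
    for line in reg_text.splitlines():
        if line.upper().startswith(("HKEY_", "HKLM", "HKCU")):
            key = line.strip()
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip('"')
        parts = data.lower().split("\\")
        # Assumption: %sysdir% means a directory named system or system32.
        if (name.lower() == "taskmon" and parts[-1] == "taskmon.exe"
                and len(parts) > 1 and parts[-2] in ("system", "system32")):
            hits.append((key, data))
    return hits

def listening_hits(netstat_text):
    """Sorted TCP ports in the listed range that are in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in PORTS:
            found.add(int(m.group(1)))
    return sorted(found)

def dll_present(sysdir_listing):
    """True if shimgapi.dll appears in a listing of the system directory."""
    return any(n.strip().lower() == "shimgapi.dll" for n in sysdir_listing)

# Constructed sample input, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    TaskMon    REG_SZ    C:\WINDOWS\system32\taskmon.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3199          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3130          10.0.0.9:80            ESTABLISHED
"""
```

On the constructed sample, only the system32 TaskMon value and the listener on 3127 are flagged; 3199 is outside the listed range and the 3130 line is an established outbound connection, not a listener.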
