MyDoom

Joshua
A Forum Addict
Posts: 92
Joined: Sat Feb 28, 2004 5:33 am
Location: United States of America

Virus Profile

Virus Information
Name: W32/Mydoom.o@MM
Risk Assessment
- Home Users: Medium-On-Watch
- Corporate Users: Medium-On-Watch
Date Discovered: 7/26/2004
Date Added: 7/26/2004
Origin: Unknown
Length: approx 28kB (EXE, ZIP)
8,192 bytes (dropped EXE)
Type: Virus
SubType: E-mail
DAT Required: 4381
Virus Characteristics
This new variant of W32/Mydoom is packed with UPX. Similarly to previous variants, it bears the following characteristics:

mass-mailing worm constructing messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address
contains a peer to peer propagation routine


Mail Propagation

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

mailer-daemon@(target_domain)
noreply@(target_domain)
The following display names are used in this case:

"Automatic Email Delivery Software"
"Bounced mail"
"MAILER-DAEMON"
"Mail Administrator"
"Mail Delivery Subsystem"
"Post Office"
"Returned mail"
"The Post Office"
Subject:
The following subjects are used:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
Body:
The virus constructs messages from pools of strings it carries in its body. (The example body given in the original profile was an image and is not reproduced here.)

Attachment:
The attachment may be an EXE file with one of the following extensions:

EXE
COM
SCR
PIF
BAT
CMD
It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:

ZIP
The attachment may use the target email address name as the filename, in addition to the following:

README
INSTRUCTION
TRANSCRIPT
MAIL
LETTER
FILE
TEXT
ATTACHMENT
DOCUMENT
MESSAGE
The attachment may use a double extension, and there may be multiple spaces inserted between the file extensions to deceive users.

Email Address Harvesting
Email addresses are harvested from the following file types on the victim machine:

DOC
TXT
HTM
HTML
The virus queries four search engines to harvest addresses from the results returned from such queries:

http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com
The virus will also harvest email addresses from any Outlook window that is active on the victim machine.

Email Exclusions
The virus avoids emailing itself to target domains containing any of the following strings:

spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
me
you
rating
your
someone
anyone
nothing
nobody
noone
info
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
Peer to Peer Propagation



Indications of Infection
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

C:\WINDOWS\JAVA.EXE
It also drops the file SERVICES.EXE into this directory:

C:\WINDOWS\SERVICES.EXE
The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:

HKEY_CURRENT_USER\Software\Microsoft\Daemon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
TCP Port 1034 is opened on the victim machine.


Method of Infection
This worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.

Removal Instructions
All Users :
Use current engine and DAT files for detection and removal. Alternatively, the following extra.dat packages are available (working with EXTRA.DAT files).

EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat. Download Stinger .

McAfee System Compliance Profiler
Create a rule that matches a file
- Choose WINDOWS_DIR from the drop-down
- Type in JAVA.EXE for the file name
- Choose "File does not exist" in the next drop-down

Create a rule that matches a file
- Choose WINDOWS_DIR from the drop-down
- Type in SERVICES.EXE for the file name
- Choose "File does not exist" in the next drop-down

McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 1034.

McAfee Threatscan
ThreatScan signatures that can detect the W32/Mydoom.o virus are available from:

- Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
- Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-07-26

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

- Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
- Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

- Run the "ThreatScan Template Report"
- Look for module number #4081


Aliases

W32.Mydoom.M@mm (Symantec), W32/MyDoom-O (Sophos), WORM_MYDOOM.M (Trend)
:| No well-behaved person ever changed the world. :|
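The profile above lists the traits a mail gateway can key on: a From: address forged as a bounce (mailer-daemon@ or noreply@ at the target's own domain with one of the listed display names), a subject from a small pool, an executable attachment with a double extension and whitespace padding, or the worm inside a ZIP that may itself be zipped. The script below is an added example written for this thread; it is not McAfee's code, not part of the posted profile, and not a sample of real worm traffic. It scores a raw RFC 5322 message against those traits, collapsing padded extensions and descending into nested ZIPs. The sample message, the `build_sample` and `nested_zip` helpers and the dummy "MZ" payload are all constructed here for the demonstration.

```python
"""Gateway-side triage for Mydoom.o-style mail (added example, not McAfee's
or the poster's code; all messages and payloads below are constructed)."""
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
BOUNCE_LOCALPARTS = {"mailer-daemon", "noreply"}
BOUNCE_DISPLAY_NAMES = {"automatic email delivery software", "bounced mail",
    "mailer-daemon", "mail administrator", "mail delivery subsystem",
    "post office", "returned mail", "the post office"}
WORM_SUBJECTS = {"hello", "hi", "error", "status", "test", "report",
    "delivery failed", "message could not be delivered",
    "mail system error - returned mail", "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error"}

def analyze_filename(name):
    """Classify an attachment name; tolerates 'README.TXT      .scr' padding."""
    exts = [p.strip().lower() for p in name.split(".")[1:]]
    final = exts[-1] if exts else ""
    return {
        "final_ext": final,
        "executable": final in EXEC_EXTS,
        "double_extension": len(exts) >= 2 and final in EXEC_EXTS | {"zip"},
        "space_padded": re.search(r"\s{2,}", name) is not None,
    }

def zip_executables(data, depth=1, max_depth=3):
    """List (depth, name) of executables in a zip, descending into nested zips."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with zf:
        for member in zf.namelist():
            info = analyze_filename(member)
            if info["executable"]:
                found.append((depth, member))
            elif info["final_ext"] == "zip" and depth < max_depth:
                found += zip_executables(zf.read(member), depth + 1, max_depth)
    return found

def analyze_message(raw):
    """Score one raw message; each reason maps to a trait listed in the profile."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    display, sender = parseaddr(str(msg["From"] or ""))
    local, _, domain = sender.lower().partition("@")
    _, rcpt = parseaddr(str(msg["To"] or ""))
    if local in BOUNCE_LOCALPARTS and display.lower() in BOUNCE_DISPLAY_NAMES:
        reasons.append("spoofed bounce sender")
        if domain and rcpt.lower().endswith("@" + domain):
            reasons.append("bounce claims the recipient's own domain")
    if (msg["Subject"] or "").strip().lower() in WORM_SUBJECTS:
        reasons.append("subject from the worm's pool")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        info = analyze_filename(name)
        if info["executable"]:
            reasons.append(f"executable attachment {name!r}")
        if info["double_extension"]:
            reasons.append(f"double extension {name!r}")
        if info["space_padded"]:
            reasons.append(f"whitespace-padded filename {name!r}")
        if info["final_ext"] == "zip":
            for depth, member in zip_executables(part.get_payload(decode=True)):
                reasons.append(f"executable {member!r} at zip depth {depth} in {name!r}")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}

def build_sample(display, sender, rcpt, subject, attachments):
    """Build a constructed test message; attachments are (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = f"{display} <{sender}>"
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content("The original message was included as an attachment.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def nested_zip(inner_name, payload, layers=2):
    """Wrap payload in `layers` zips, mimicking the 'doubly ZIPped' attachment."""
    data, name = payload, inner_name
    for _ in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "message.zip"
    return data

if __name__ == "__main__":
    dummy = b"MZ constructed dummy, not a real PE"  # constructed placeholder
    sample = build_sample("Mail Delivery Subsystem", "mailer-daemon@example.com",
        "bob@example.com", "Returned mail: see transcript for details",
        [("transcript.txt    .scr", dummy), ("message.zip", nested_zip("message.exe", dummy))])
    for reason in analyze_message(sample)["reasons"]:
        print(reason)
```

The extension check strips whitespace from each dot-separated segment before looking at the last one, so the padding trick in the profile ("multiple spaces inserted between the file extensions") still resolves to `.scr`. The ZIP walk is bounded by `max_depth` so a crafted zip bomb of nested archives cannot recurse indefinitely; the sender check only fires when both the local part and the display name match, since a legitimate MTA bounce from mailer-daemon@ is common and should not be flagged on the address alone.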
battye
Site Admin
Posts: 14391
Joined: Sun Jan 11, 2004 8:26 am
Location: Australia

MyDoom has been around for quite a while, hasn't it? :?
CricketMX.com in 2022: Still the home of bat's, rat's and other farmyard animals!

"OK, life [as you chose to define it] repeats until there are no more lessons to be learned." - nrnoble (June 12, 2005)
"the new forum looks awesome, it's getting bigger & better" - p2p-sharing-rules (11 Jan, 2008)
"Looks like CMX is not only getting bigger...but, also getting better!!" - moongirl (14 Dec, 2007)
Red XIII
Sultan Ruler Of The Poles!
Posts: 8317
Joined: Sun Feb 01, 2004 5:28 am
Location: Cheese Head

maybe it's some new strand?
The dead will rise again in a river of blood
quicksilver
Helpful Hands
Posts: 1926
Joined: Mon Mar 22, 2004 12:12 am

This is a new variant (MyDoom.o); it also contains a secondary attack against the microsoft.com site. Someone's been having fun, it seems :roll:.

http://www.techweb.com/wire/story/TWB20040727S0008
Red XIII
Sultan Ruler Of The Poles!
Posts: 8317
Joined: Sun Feb 01, 2004 5:28 am
Location: Cheese Head

And to think the Microsoft site couldn't be hacked! :P
battye
Site Admin
Posts: 14391
Joined: Sun Jan 11, 2004 8:26 am
Location: Australia

DoS Attack, not an Atthack :wink: :?
evildildo
Greenhorn
Posts: 7
Joined: Wed Jul 28, 2004 10:30 pm
Location: USA

It got Google.
Please don't visit http://www.evildildo.org
Freggle
Know-It-All
Posts: 253
Joined: Tue Jun 29, 2004 1:29 pm

Getting down microsoft.com will be pretty hard.
Rat
Drain Brain
Posts: 4476
Joined: Mon Jun 14, 2004 9:38 am
Location: in the dark

There is now a P variant of MyDoom, but the current biggest (by which I mean highest infection rate) threat is WORM_MYDOOM.M.

The following is the TrendMicro yellow alert list as it stands right now:

WORM_MYDOOM.M is a medium risk alert

TROJ_SMALL.LW (02.08.04)
WORM_WUKILL.F (01.08.04)
TROJ_LMIR.NT (01.08.04)
WORM_AGOBOT.SJ (01.08.04)
TROJ_BANCOS.AY (01.08.04)

And some of their other listed top threats are as follows:

1. WORM_SASSER.B
2. WORM_SASSER.E
3. WORM_NETSKY.P
4. PE_ZAFI.B
5. HTML_NETSKY.P
quicksilver
Helpful Hands
Posts: 1926
Joined: Mon Mar 22, 2004 12:12 am

I often wonder where all the energy comes from to produce most of these horrors :roll: .