[1stPickSites] Virus Warning ~ MyDoom worm

  • From: "Christy" <snowy@xxxxxxxxxxx>
  • To: 1stpickSites@xxxxxxxxxxxxx
  • Date: Thu, 29 Jan 2004 03:17:12 -0500

This is an administrative message to help our readers stay
protected against this fast spreading threat.  Please keep your
antivirus programs up to date.   Please do not reply to this
message as it is informational only and not a list discussion
topic ~ Thank you
~~~

W32.Mydoom.B@mm
Discovered on: January 28, 2004 

Information:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.A
http://vil.nai.com/vil/content/v_100988.htm
http://www.sophos.com/virusinfo/analyses/w32mydoomb.html
http://www.Europe.f-secure.com/v-descs/novarg.shtml

http://www.theregister.co.uk/content/56/35189.html
http://www.theregister.co.uk/content/56/35174.html
http://www.theregister.co.uk/content/56/35159.html

Technical information borrowed from Symantec
http://www.symantec.com/avcenter/venc/data/w32.mydoom.b@xxxxxxx

W32.Mydoom.B@mm is a mass-mailing worm that arrives as an
attachment with the file extension .bat, .cmd, .exe, .pif, .scr,
or .zip. When a computer is infected, the worm sets up a backdoor
into the system, which can allow an attacker to connect to the
computer and use it as a proxy to reach its network resources.

In addition, the backdoor can download and execute arbitrary
files.

The worm will perform a Denial of Service (DoS) against
www.microsoft.com starting February 3, 2004 and www.sco.com
starting February 1, 2004. It also has a trigger date to stop
spreading on March 1, 2004. These events will only occur if the
worm is run between or after those dates. While the worm will
stop spreading on March 1, 2004, the backdoor component will
continue to function after this date.

  Also Known As: 
Mydoom.B [F-Secure], W32/Mydoom.b@MM [McAfee], WORM_MYDOOM.B
[Trend], Win32.Mydoom.B [Computer Associates], I-Worm.Mydoom.b
[Kaspersky],  W32/MyDoom-B [Sophos]
  
Variants: 
W32.Mydoom.A@mm, W32.Novarg.A@mm

Type: 
Worm

Systems Affected: 
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT,
Windows Server 2003, Windows XP

Systems Not Affected: 
DOS, Linux, Macintosh, OS/2, UNIX


When W32.Mydoom.B@mm is executed, it does the following:
     1.Creates the following files:
            %System%\Ctfmon.dll: Ctfmon.dll acts as a proxy
server. The backdoor also has the ability to download and execute
arbitrary files. It makes use of TCP ports 80, 1080, 3128, 8080,
and 10080. 
            %Temp%\Message: This file contains random letters and
is displayed using Notepad. 
            %System%\Explorer.exe.


            Notes: 
            Explorer.exe is a legitimate file in the Windows
95/98/Me operating systems, but it lives in the %Windir% folder,
not the %System% folder. (By default, %Windir% is C:\Windows or
C:\Winnt.) Do not delete the legitimate file in the %Windir%
folder. 
            %System% is a variable: The worm locates the System
folder and copies itself to that location. By default, this is
C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows
NT/2000), or C:\Windows\System32 (Windows XP). 
            %Temp% is a variable: The worm locates the temporary
folder and copies itself to that location. By default, this is
C:\Windows\TEMP (Windows 95/98/Me), C:\WINNT\Temp (Windows
NT/2000), or C:\Documents and Settings\<UserName>\Local
Settings\Temp (Windows XP). 



     2.Terminates the taskmon.exe process if it is running.

     3.Adds the value:

       "(Default)" = "%System%\ctfmon.dll"

       to the registry key:

       HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127
ED}\InProcServer32 

       so that Explorer.exe loads Ctfmon.dll in place of the
       in-process server normally registered under that CLSID
       (webcheck.dll; see step 6 of the removal instructions).

     4.Adds the value:

       "Explorer" = "%System%\Explorer.exe"

       to the registry keys:

       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run

       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersio
n\Run

       so that the worm's copy of Explorer.exe is run when you
       start Windows.

     5.Overwrites the local Hosts file to prevent users from
accessing the following sites:
            ad.doubleclick.net 
            ad.fastclick.net 
            ads.fastclick.net 
            ar.atwola.com 
            atdmt.com 
            avp.ch 
            avp.com 
            avp.ru 
            awaps.net 
            banner.fastclick.net 
            banners.fastclick.net 
            ca.com 
            click.atdmt.com 
            clicks.atdmt.com 
            dispatch.mcafee.com 
            download.mcafee.com 
            download.microsoft.com 
            downloads.microsoft.com 
            engine.awaps.net 
            fastclick.net 
            f-secure.com 
            ftp.f-secure.com 
            ftp.sophos.com 
            go.microsoft.com 
            liveupdate.symantec.com 
            mast.mcafee.com 
            mcafee.com 
            media.fastclick.net 
            msdn.microsoft.com 
            my-etrust.com 
            nai.com 
            networkassociates.com 
            office.microsoft.com 
            phx.corporate-ir.net 
            secure.nai.com 
            securityresponse.symantec.com 
            service1.symantec.com 
            sophos.com 
            spd.atdmt.com 
            support.microsoft.com 
            symantec.com 
            update.symantec.com 
            updates.symantec.com 
            us.mcafee.com 
            vil.nai.com 
            viruslist.ru 
            windowsupdate.microsoft.com 
            www.avp.ch 
            www.avp.com 
            www.avp.ru 
            www.awaps.net 
            www.ca.com 
            www.fastclick.net 
            www.f-secure.com 
            www.kaspersky.ru 
            www.mcafee.com 
            www.microsoft.com 
            www.my-etrust.com 
            www.nai.com 
            www.networkassociates.com 
            www.sophos.com 
            www.symantec.com 
            www.trendmicro.com 
            www.viruslist.ru 
            www3.ca.com 

     6.Attempts to perform a DoS attack against www.microsoft.com
and www.sco.com. 
            There is a 70% chance that the worm will perform the
DoS against www.microsoft.com if the February 3, 2004 trigger
date condition has been met. There is an 80% chance that the worm
will perform the DoS against www.sco.com if the February 1, 2004
trigger date condition has been met.

            The DoS against both sites consists of sending GET
requests to the target domain using a direct connection to port
80. The date is taken by using the local system time.

     7.Searches for the email addresses in the files that have
the following extensions: 
            .htm 
            .sht 
            .php 
            .asp 
            .dbx 
            .tbb 
            .adb 
            .pl 
            .wab 
            .txt

     8.Attempts to send email messages using its own SMTP engine.
Before sending, the worm tries to find the recipient's mail
server by prepending each of the following strings to the target
domain name (for example mail.<domain>, mx.<domain>). If none of
these works, it uses the local mail server instead.
            gate. 
            ns. 
            relay. 
            mail1. 
            mxs. 
            mx1. 
            smtp. 
            mail. 
            mx.

     9.The email will have the following characteristics:

       From: The "From" address may be spoofed.

       Subject: The subject will be one of the following:
       Returned mail 
       Delivery Error 
       Status 
       Server Report 
       Mail Transaction Failed 
       Mail Delivery System 
       hello 
       hi

       Message: The message will be one of the following:
       sendmail daemon reported:
       Error #804 occured during SMTP session. Partial message
has been received. 
       Mail transaction failed. Partial message is available. 
       The message contains Unicode characters and has been sent
as a binary attachment. 
       The message contains MIME-encoded graphics and has been
sent as a binary attachment. 
       The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

       Attachment:

       The attachment may have either one or two file extensions.
If it does have two, the first extension will be one of the
following:

       .htm
       .txt
       .doc

       The second extension, or the only extension if there is
only one, will be one of the following:
       .pif
       .scr
       .exe
       .cmd
       .bat
       .zip (This is an actual .zip file that contains a copy of
the worm, sharing the same file name as the .zip. For example,
readme.zip can contain readme.exe.)

       If the worm has an extension of .exe or .scr, the file
will be displayed with a specific icon (the icon image from the
original write-up is not reproduced in this message). For all
the other file extensions, it will use the icon for that file
type. 

    10.Copies itself to the Kazaa download folder as one of the
following files: 
            icq2004-final 
            Xsharez_scanner 
            BlackIce_Firewall_Enterpriseactivation_crack 
            ZapSetup_40_148 
            MS04-01_hotfix 
            Winamp5 
            AttackXP-1.26 
            NessusScan_pro

            with a file extension of one of the following:
            .pif 
            .scr 
            .bat 
            .exe

    11.The worm also contains functionality which allows it to
install itself on systems which may have been infected by
W32.Novarg.A@mm (the name under which W32.Mydoom.A@mm was first
reported; its backdoor listens on TCP port 3127). This is
accomplished as follows: 
            The worm creates two to six threads working in
parallel. 
            Each thread scans a randomly picked class-C sized
network, from a.b.c.1 to a.b.c.254, except that it skips
networks where a=16, 224, 127 or 128. 
            Between each scanned network, a thread waits 128 ms. 
            Each IP in the scanned class-C is contacted on port
3127; if the connection succeeds, the worm sends an update
command along with a copy of itself to be executed on the remote
machine.
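The mail characteristics in step 9 above translate directly into a gateway filter. The following is an added illustrative example (Python, not part of the Symantec write-up or of this list message) that matches a message's subject and attachment names against that pattern and, for a .zip attachment, opens the archive in memory to check for the same-name executable the write-up describes. The sample file names and the function names (attachment_matches, classify_message, build_sample_zip) are assumptions made for the example.

```python
import io
import os
import zipfile

# Indicators copied from the write-up above (step 9): subjects and the
# one- or two-extension attachment naming scheme used by W32.Mydoom.B@mm.
SUBJECTS = {
    "returned mail", "delivery error", "status", "server report",
    "mail transaction failed", "mail delivery system", "hello", "hi",
}
FIRST_EXTS = {".htm", ".txt", ".doc"}            # allowed only as the first of two
EXEC_EXTS = {".pif", ".scr", ".exe", ".cmd", ".bat"}


def split_name(filename):
    """'readme.txt.pif' -> ('readme', ['.txt', '.pif']); 'readme' -> ('readme', [])."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def attachment_matches(filename, payload=None):
    """True when the attachment name fits the Mydoom.B naming pattern.

    For a .zip the archive bytes are inspected: the write-up says the
    archive holds an executable with the same base name (readme.zip ->
    readme.exe), so that is what is checked rather than flagging any .zip."""
    stem, exts = split_name(filename)
    if not exts or len(exts) > 2:
        return False
    if len(exts) == 2 and exts[0] not in FIRST_EXTS:
        return False
    last = exts[-1]
    if last in EXEC_EXTS:
        return True
    if last == ".zip" and payload is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    inner_stem, inner_exts = split_name(member)
                    if inner_stem == stem and inner_exts and inner_exts[-1] in EXEC_EXTS:
                        return True
        except zipfile.BadZipFile:
            return False
    return False


def classify_message(subject, attachments):
    """attachments: list of (filename, bytes-or-None).

    Returns (block, reasons). The attachment is the actual carrier, so a
    message is blocked only on an attachment hit; a matching subject is
    recorded as corroboration, because the subjects are generic bounce
    wording that legitimate mail also uses."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject:" + subject.strip())
    for name, payload in attachments:
        if attachment_matches(name, payload):
            reasons.append("attachment:" + name)
    block = any(r.startswith("attachment:") for r in reasons)
    return block, reasons


def build_sample_zip(inner_name, data=b"MZ-constructed-sample-not-a-real-binary"):
    """Constructed test fixture (assumption): a zip holding one file, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages, not captured mail.
    samples = [
        ("Server Report", [("readme.txt.pif", None)]),
        ("hello", [("document.zip", build_sample_zip("document.exe"))]),
        ("Status", [("status.zip", build_sample_zip("notes.txt"))]),
        ("Quarterly figures", [("figures.doc", None)]),
    ]
    for subj, atts in samples:
        print(subj, [n for n, _ in atts], classify_message(subj, atts))
```

The blocking decision is keyed on the attachment because the subjects are ordinary bounce wording. The simpler, broader rule from the best practices further down (drop all .bat/.exe/.pif/.scr attachments) is what a gateway should enforce anyway; this signature is useful for confirming which of the dropped messages were actually this worm.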
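Step 11 also gives a network-level signal that does not depend on mail at all: one internal host walking a whole class-C range on tcp/3127. Below is an added example (Python; not from the write-up or this list message) that parses constructed firewall-log lines of an assumed format, counts distinct destinations per source on that port, and raises an alert once a source has touched more hosts than a threshold. The log format, the sample addresses and the function names (parse_line, find_sweeps, make_sample_log) are assumptions made for the example; adapt the regular expression to your own firewall's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# "<iso-timestamp> src=<ip> dst=<ip> dport=<n> proto=tcp action=<x>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)
MYDOOM_A_BACKDOOR_PORT = 3127   # the port Mydoom.B probes for (step 11 above)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_sweeps(lines, port=MYDOOM_A_BACKDOOR_PORT, min_hosts=20):
    """Flag sources that tried to reach many distinct hosts on one port.

    The write-up describes the worm walking whole class-C ranges
    (a.b.c.1 to a.b.c.254) on tcp/3127, so distinct destinations are
    counted per source and per /24; a single connection never alerts."""
    hosts_by_src = defaultdict(lambda: defaultdict(set))  # src -> /24 -> {dst}
    seen = defaultdict(list)                              # src -> [timestamps]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        net = ".".join(rec["dst"].split(".")[:3]) + ".0/24"
        hosts_by_src[rec["src"]][net].add(rec["dst"])
        seen[rec["src"]].append(rec["ts"])
    alerts = []
    for src, nets in hosts_by_src.items():
        total = sum(len(h) for h in nets.values())
        if total < min_hosts:
            continue
        ts = sorted(seen[src])
        alerts.append({
            "src": src,
            "port": port,
            "hosts": total,
            "networks": sorted(nets),
            "first_seen": ts[0].isoformat(timespec="milliseconds"),
            "last_seen": ts[-1].isoformat(timespec="milliseconds"),
        })
    return sorted(alerts, key=lambda a: -a["hosts"])


def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]


def make_sample_log():
    """Constructed sample, not captured data: 10.1.2.3 walks 192.168.5.0/24
    on tcp/3127 while 10.1.2.9 generates ordinary traffic plus one 3127 hit."""
    base = datetime(2004, 1, 29, 3, 17, 12)
    lines = []
    for i in range(1, 41):
        t = base + timedelta(milliseconds=25 * i)
        lines.append(f"{_fmt(t)} src=10.1.2.3 dst=192.168.5.{i} dport=3127 proto=tcp action=deny")
    lines.append(f"{_fmt(base)} src=10.1.2.9 dst=192.168.5.1 dport=80 proto=tcp action=allow")
    lines.append(f"{_fmt(base)} src=10.1.2.9 dst=192.168.5.2 dport=3127 proto=tcp action=deny")
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for alert in find_sweeps(make_sample_log()):
        print(alert)
```

An internal source that trips this is the one doing the scanning, so it is the Mydoom.B infection to isolate; inbound attempts to 3127 from outside are probes for the Mydoom.A backdoor. Because the worm's own proxy listens on 80, 1080, 3128, 8080 or 10080 (step 1), the same counting logic applied to inbound connections on those ports from unexpected peers is a complementary check.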



  Symantec Security Response encourages all users and
administrators to adhere to the following basic security "best
practices":

       Turn off and remove unneeded services. By default, many
operating systems install auxiliary services that are not
critical, such as an FTP server, telnet, and a Web server. These
services are avenues of attack. If they are removed, blended
threats have fewer avenues of attack and you have fewer services
to maintain through patch updates. 
       If a blended threat exploits one or more network services,
disable, or block access to, those services until a patch is
applied. 
       Always keep your patch levels up-to-date, especially on
computers that host public services and are accessible through
the firewall, such as HTTP, FTP, mail, and DNS services. 
       Enforce a password policy. Complex passwords make it
difficult to crack password files on compromised computers. This
helps to prevent or limit damage when a computer is compromised. 
       Configure your email server to block or remove email that
contains file attachments that are commonly used to spread
viruses, such as .vbs, .bat, .exe, .pif and .scr files. 
       Isolate infected computers quickly to prevent further
compromise of your organization. Perform a forensic analysis and
restore the computers using trusted media. 
       Train employees/family not to open attachments unless they
are expecting them. Also, do not execute software that is
downloaded from the Internet unless it has been scanned for
viruses. Simply visiting a compromised Web site can cause
infection if certain browser vulnerabilities are not patched. 



  The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec AntiVirus
and Norton AntiVirus product lines.
     1.Disable System Restore (Windows Me/XP). 
     2.Remove entries that were added to the Hosts file. 
     3.Update the virus definitions. 
     4.Restart the computer in Safe mode or VGA mode. 
     5.Run a full system scan and delete all the files detected
as W32.Mydoom.B@mm. 
     6.Reverse the changes that were made to the registry.
  For specific details on each of these steps, read the following
instructions.

  1. Disabling System Restore (Windows Me/XP)
  If you are running Windows Me or Windows XP, we recommend that
you temporarily turn off System Restore.  Windows Me/XP uses this
feature, which is enabled by default, to restore the files on
your computer in case they become damaged. If a virus, worm, or
Trojan infects a computer, System Restore may back up the virus,
worm, or Trojan on the computer.

  Windows prevents outside programs, including antivirus
programs, from modifying System Restore. Therefore,  antivirus
programs or tools cannot remove threats in the System Restore
folder. As a result, System Restore has the potential of
restoring an infected file on your computer, even after you have
cleaned the infected files from all the other locations.

  Also, a virus scan may detect a threat in the System Restore
folder even though you have removed the threat.

  For instructions on how to turn off System Restore, read your
Windows documentation, or one of the following articles: 
       "How to disable or enable Windows Me System Restore" 
       "How to turn off or turn on Windows XP System Restore"

  Note: When you are completely finished with the removal
procedure and are satisfied that the threat has been removed,
re-enable System Restore by following the instructions in the
aforementioned documents.


  For additional information, and an alternative to disabling
Windows Me System Restore, see the Microsoft Knowledge Base
article, "Antivirus Tools Cannot Clean Infected Files in the
_Restore Folder," Article ID: Q263455.

  2. Removing entries that were added to the Hosts file.
  If the worm was successful in making changes to the Hosts file,
it may prevent you from running LiveUpdate or accessing certain
Web sites.

  The Hosts file is not found on all computers, and if it does
exist, the location can vary. For example, if the file exists in
Windows 98, it will usually be in C:\Windows; in Windows 2000, it
is in the C:\WINNT\SYSTEM32\DRIVERS\ETC folder. Also, there may
be multiple copies of this file in different locations.

  The most efficient way to locate the file is to search for it.

  Follow the instructions for your operating system: 
       Windows 95/98/Me/NT/2000 
          a.Click Start, point to Find or Search, and then click
Files or Folders. 
          b.Make sure that "Look in" is set to (C:) and that
"Include subfolders" is checked. 
          c.In the "Named" or "Search for..." box, type:

            hosts

          d.Click Find Now or Search Now. 
          e.For each one that you find, right-click the file, and
then click "Open With." 
          f.Deselect the "Always use this program to open this
type of file" check box. 
          g.Scroll through the list of programs and double-click
Notepad. 
          h.When the file opens, within the file, delete all the
entries in the Hosts file where the line begins with 0.0.0.0.
            For example:

            0.0.0.0     www.microsoft.com

            There may be numerous lines like this. Delete all of
them.
          i.Close Notepad and save your changes when prompted.

       Windows XP 
          a.Click Start, and then click Search. 
          b.Click All files and folders. 
          c.In the "All or part of the file name" box, type:

            hosts

          d.Verify that "Look in" is set to "Local Hard Drives"
or to (C:). 
          e.Click "More advanced options." 
          f.Check "Search system folders." 
          g.Check "Search subfolders." 
          h.Click Search. 
          i.For each one that you find, right-click the file, and
then click "Open With." 
          j.Deselect the "Always use the selected program to open
this kind of file" check box. 
          k.Scroll through the list of programs and double-click
Notepad. 
          l.When the file opens, within the file, delete all the
entries in the Hosts file where the line begins with 0.0.0.0.
            For example:

            0.0.0.0     www.microsoft.com

            There may be numerous lines like this. Delete all of
them.
          m.Close Notepad and save your changes when prompted.
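The Hosts-file step above is easy to script, which matters when many machines need cleaning. The following is an added example (Python; not part of the Symantec instructions or this list message) that drops every line whose first field is 0.0.0.0, keeps everything else including comments and the localhost entry, and preserves the file's original line endings so Notepad still displays it correctly. Run with no arguments it cleans a constructed sample hosts file; given a path it does a dry run, and with --apply it writes a timestamped backup before rewriting. The default path, the sample entries and the function names (clean_hosts, clean_hosts_file, default_hosts_path) are assumptions made for the example.

```python
import os
import shutil
import sys
from datetime import datetime

BLACKHOLE = "0.0.0.0"   # the address the worm writes in front of each blocked name


def default_hosts_path():
    """Windows NT/2000/XP location (assumed); on Windows 9x/Me the file sits in %WinDir%."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def clean_hosts(text):
    """Return (cleaned_text, removed_names).

    Drops every line whose first field is 0.0.0.0, exactly as the removal
    step above says. Comments, blank lines and other mappings (localhost,
    site-specific entries) are kept unchanged, line endings included."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        entry = line.split("#", 1)[0].split()      # ignore trailing comments
        if entry and entry[0] == BLACKHOLE:
            removed.extend(entry[1:])
            continue
        kept.append(line)
    return "".join(kept), removed


def clean_hosts_file(path, apply=False):
    """Dry run by default; with apply=True, back the file up and rewrite it."""
    with open(path, "r", encoding="utf-8", errors="replace", newline="") as f:
        original = f.read()
    cleaned, removed = clean_hosts(original)
    if apply and removed:
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, f"{path}.{stamp}.bak")
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write(cleaned)
    return removed


# Constructed sample hosts file, not taken from a real machine.
SAMPLE_HOSTS = """# sample hosts file (constructed)
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # legitimate site-specific entry
0.0.0.0 www.microsoft.com
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 liveupdate.symantec.com  # worm entry with a comment
"""

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    if args:
        print("removed:", clean_hosts_file(args[0], apply="--apply" in sys.argv))
    else:
        cleaned, removed = clean_hosts(SAMPLE_HOSTS)
        print(cleaned)
        print("removed:", removed)
```

The list of removed names is worth keeping: it tells you which update and vendor sites were being blackholed, and therefore which definition and patch downloads on that machine were silently failing while it was infected.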


  3. Updating the virus definitions
  Symantec Security Response fully tests all the virus
definitions for quality assurance before they are posted to our
servers. There are two ways to obtain the most recent virus
definitions: 
       Running LiveUpdate, which is the easiest way to obtain
virus definitions: These virus definitions are posted to the
LiveUpdate servers once each week (usually on Wednesdays), unless
there is a major virus outbreak. To determine whether definitions
for this threat are available by LiveUpdate, refer to the Virus
Definitions (LiveUpdate). 
       Downloading the definitions using the Intelligent Updater:
The Intelligent Updater virus definitions are posted on
U.S.business days (Monday through Friday). You should download
the definitions from the Symantec Security Response Web site and
manually install them. To determine whether definitions for this
threat are available by the Intelligent Updater, refer to the
Virus Definitions (Intelligent Updater).

       Read "How to update virus definition files using the
Intelligent Updater" for detailed instructions on downloading
and installing them.

  4. Restarting the computer in Safe mode or VGA mode

  Shut down the computer and turn off the power. Wait for at
least 30 seconds, and then restart the computer in Safe  mode or
VGA mode. 
       For Windows 95, 98, Me, 2000, or XP users, restart the
computer in Safe mode. For instructions, read the document, "How
to start the computer in Safe Mode." 
       For Windows NT 4 users, restart the computer in VGA mode. 

  5. Scanning for and deleting the infected files 
     a.Start your Symantec antivirus program and make sure that
it is configured to scan all the files. 
            For Norton AntiVirus consumer products: Read the
document, "How to configure Norton AntiVirus to scan all files." 
            For Symantec AntiVirus Enterprise products: Read the
document, "How to verify that a Symantec
            Corporate antivirus product is set to scan all
files." 
     b.Run a full system scan. 
     c.If any files are detected as infected with
W32.Mydoom.B@mm, click Delete.

  6. Reversing the changes that were made to the registry

  WARNING: Symantec strongly recommends that you back up the
registry before making any changes to it.  Incorrect changes to
the registry can result in permanent data loss or corrupted
files. Modify the specified keys only.  Read the document, "How
to make a backup of the Windows registry," for instructions. 

     a.Click Start, and then click Run. (The Run dialog box
appears.)
     b.Type regedit 

       Then click OK. (The Registry Editor opens.)

     c.Navigate to each of these keys:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run

       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run

     d.In the right pane, delete the value:

       "Explorer"="%System%\explorer.exe"


       Note: %System% is a variable that refers to the location
of the System folder. By default, this is
       C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows XP).


     e.Navigate to the key:

       HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127
ED}\InProcServer32


       Note: There are numerous CLSID keys. An easy way to get to
this one is to use the Registry Editor's Find function. First,
navigate to the top of the left pane and select the
HKEY_CLASSES_ROOT key. Then, click the Edit menu > Find.
Carefully type, or copy and paste, the text E6FB5E20 into the
"Find what" box, and then click Find Next. When the key is
located, double-click it, and then click InProcServer32.


     f.Do one of the following, depending on your operating
system:
            Windows NT/2000/XP
                 In the right pane, double-click (Default)
                 In the Value data field, change the text to the
following:

                 %SystemRoot%\System32\webcheck.dll

                 Click OK.

            Windows 95/98/Me
                 In the right pane, double-click (Default)
                 In the Value data field, change the text to the
following:

                 Windows\System\webcheck.dll

                 Click OK.

     g.Exit the Registry Editor.



  Additional information: 

  When W32.Mydoom.B@mm sends email, it avoids distributing to the
domains that contain any of the following strings:
       avp 
       syma 
       icrosof 
       msn. 
       hotmail 
       panda 
       sopho 
       borlan 
       inpris 
       example 
       mydomai 
       nodomai 
       ruslis 
       .gov 
       gov. 
       .mil 
       foo. 
       berkeley 
       unix 
       math 
       bsd 
       mit.e 
       gnu 
       fsf. 
       ibm.com 
       google 
       kernel 
       linux 
       fido 
       usenet 
       iana 
       ietf 
       rfc-ed 
       sendmail 
       arin. 
       ripe. 
       isi.e 
       isc.o 
       secur 
       acketst 
       pgp 
       tanford.e 
       utgers.ed 
       mozilla


       accounts that match any of the following strings:
       root 
       info 
       samples 
       postmaster 
       webmaster 
       noone 
       nobody 
       nothing 
       anyone 
       someone 
       your 
       you 
       me 
       bugs 
       rating 
       site 
       contact 
       soft 
       no 
       somebody 
       privacy 
       service 
       help 
       not 
       submit 
       feste 
       ca 
       gold-certs 
       the.bat 
       page


       or accounts that contain any of the following strings:
       admin 
       icrosoft 
       support 
       ntivi 
       unix 
       bsd 
       linux 
       listserv 
       certific 
       google 
       accoun


  The worm also builds additional, made-up addresses by placing
any of the following names in front of a domain name it has
obtained (<name>@<domain>):
       adam 
       alex 
       alice 
       andrew 
       anna 
       bill 
       bob 
       brenda 
       brent 
       brian 
       claudia 
       dan 
       dave 
       david 
       debby 
       fred 
       george 
       helen 
       jack 
       james 
       jane 
       jerry 
       jim 
       jimmy 
       joe 
       john 
       jose 
       julie 
       kevin 
       leo 
       linda 
       maria 
       mary 
       matt 
       michael 
       mike 
       peter 
       ray 
       robert 
       sam 
       sandra 
       serg 
       smith 
       stan 
       steve 
       ted 
       tom
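The three exclusion groups above apply different tests (substring on the domain, exact match on the whole account, substring on the account), which is why a harvested list is not simply filtered on words like "admin" or "security". The following added example (Python; not from the write-up or this list message) encodes the rules exactly as listed and partitions a constructed list of harvested addresses into those the worm would mail and those it would skip, with the reason. The sample addresses and the function names (skip_reason, partition) are assumptions made for the example.

```python
# Exclusion rules copied from the write-up above. The domain rules and the
# "contain" account rules are substring tests; the middle group is an exact
# match on the whole local part.
SKIP_DOMAIN_CONTAINS = [
    "avp", "syma", "icrosof", "msn.", "hotmail", "panda", "sopho", "borlan",
    "inpris", "example", "mydomai", "nodomai", "ruslis", ".gov", "gov.", ".mil",
    "foo.", "berkeley", "unix", "math", "bsd", "mit.e", "gnu", "fsf.", "ibm.com",
    "google", "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed",
    "sendmail", "arin.", "ripe.", "isi.e", "isc.o", "secur", "acketst", "pgp",
    "tanford.e", "utgers.ed", "mozilla",
]
SKIP_ACCOUNT_EXACT = {
    "root", "info", "samples", "postmaster", "webmaster", "noone", "nobody",
    "nothing", "anyone", "someone", "your", "you", "me", "bugs", "rating",
    "site", "contact", "soft", "no", "somebody", "privacy", "service", "help",
    "not", "submit", "feste", "ca", "gold-certs", "the.bat", "page",
}
SKIP_ACCOUNT_CONTAINS = [
    "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux",
    "listserv", "certific", "google", "accoun",
]


def skip_reason(address):
    """Return why the worm would not mail this address, or None if it would."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return "not an address"
    account, domain = addr.split("@")
    for s in SKIP_DOMAIN_CONTAINS:            # substring anywhere in the domain
        if s in domain:
            return f"domain contains {s!r}"
    if account in SKIP_ACCOUNT_EXACT:         # whole local part must match
        return f"account is {account!r}"
    for s in SKIP_ACCOUNT_CONTAINS:           # substring anywhere in the local part
        if s in account:
            return f"account contains {s!r}"
    return None


def partition(addresses):
    """Split a harvested list into (would_be_targeted, [(address, reason), ...])."""
    targeted, skipped = [], []
    for a in addresses:
        why = skip_reason(a)
        if why:
            skipped.append((a, why))
        else:
            targeted.append(a)
    return targeted, skipped


# Constructed sample of harvested addresses, not real ones.
SAMPLE_HARVEST = [
    "alice@acme-widgets.net",
    "postmaster@acme-widgets.net",   # exact account match
    "sysadmin@acme-widgets.net",     # account contains "admin"
    "infosec@acme-widgets.net",      # "info" is exact-only, so this is still mailed
    "bob@f-secure.com",              # domain contains "secur"
    "ca@acme-widgets.net",           # exact "ca"
    "carl@acme-widgets.net",         # "ca" does not apply as a substring
    "dave@mail.army.mil",            # domain contains ".mil"
    "not-an-address",
]

if __name__ == "__main__":
    targeted, skipped = partition(SAMPLE_HARVEST)
    print("would be mailed:", targeted)
    for addr, why in skipped:
        print("skipped:", addr, "->", why)
```

Running it shows the practical consequence: security vendors, .gov/.mil and generic role accounts never see the worm's mail, while ordinary user accounts (and role accounts that merely contain an exact-only word, such as infosec) do.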

  Revision History: 

  January 28, 2004: Updated information pertaining to DoS
payload. Provided link to beta definitions.



  Write-up by: Scott Gettis 

~*~*~*~*~
Was this forwarded to you?  Want to subscribe?  Send an email 
to 1stpicksites-request@xxxxxxxxxxxxx?Subject=subscribe.

For a complete list of email commands for our list send an email 
to ecartis@xxxxxxxxxxxxx with a subject line of "info 1stpicksites" without the 
quotes.

If you wish to unsubscribe from our list send an email 
to 1stpicksites-request@xxxxxxxxxxxxx?Subject=unsubscribe

To contact the list moderators send an email to 
1stpicksites-moderators@xxxxxxxxxxxxx
~*~*~*~*~
