hackfix-virusnews: Virus Warning ~ MyDoom worm

  • From: "Christy" <snowz@xxxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxx
  • Date: Thu, 29 Jan 2004 03:03:21 -0500

W32.Mydoom.B@mm
Discovered on: January 28, 2004 

Information:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.A
http://vil.nai.com/vil/content/v_100988.htm
http://www.sophos.com/virusinfo/analyses/w32mydoomb.html
http://www.Europe.f-secure.com/v-descs/novarg.shtml

http://www.theregister.co.uk/content/56/35189.html
http://www.theregister.co.uk/content/56/35174.html
http://www.theregister.co.uk/content/56/35159.html

Technical information borrowed from Symantec
http://www.symantec.com/avcenter/venc/data/w32.mydoom.b@xxxxxxx

W32.Mydoom.B@mm is a mass-mailing worm that arrives
as an attachment with the file extension .bat, .cmd,
.exe, .pif,  .scr, or .zip.   When a computer is
infected, the worm will set up a backdoor into the
system, which can potentially allow an attacker to
connect to the computer and use it as a proxy to gain
access to its network resources.

In addition, the backdoor can download and execute
arbitrary files.

The worm will perform a Denial of Service (DoS)
against www.microsoft.com starting February 3, 2004
and www.sco.com starting February 1, 2004. It also
has a trigger date to stop spreading on March 1,
2004. These events will only occur if the worm is run
between or after those dates. While the worm will
stop spreading on March 1, 2004, the backdoor
component will continue to function after this date.

  Also Known As: 
Mydoom.B [F-Secure], W32/Mydoom.b@MM [McAfee],
WORM_MYDOOM.B [Trend], Win32.Mydoom.B [Computer
Associates], I-Worm.Mydoom.b [Kaspersky],
W32/MyDoom-B [Sophos]
  
Variants: 
W32.Mydoom.A@mm, W32.Novarg.A@mm

Type: 
Worm

Systems Affected: 
Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: 
DOS, Linux, Macintosh, OS/2, UNIX


When W32.Mydoom.B@mm is executed, it does the
following:
     1.Creates the following files:
            %System%\Ctfmon.dll: Ctfmon.dll acts as a
proxy server. The backdoor also has the ability to
download and execute arbitrary files. It makes use of
TCP ports 80, 1080, 3128, 8080, and 10080. 
            %Temp%\Message: This file contains random
letters and is displayed using Notepad. 
            %System%\Explorer.exe.


            Notes: 
            Explorer.exe is a legitimate Windows file,
but it lives in the %Windir% folder, not the %System%
folder. (By default, this is C:\Windows or C:\Winnt.)
Do not delete the legitimate file that is in the
%Windir% folder. Likewise, the worm's Ctfmon.dll is
not the legitimate Ctfmon.exe (the Text Services
loader that Windows XP keeps in %System%); delete
only the .dll.
            %System% is a variable: The worm locates
the System folder and copies itself to that location.
By default, this is C:\Windows\System (Windows
95/98/Me), C:\Winnt\System32 (Windows NT/2000), or
C:\Windows\System32 (Windows XP). 
            %Temp% is a variable: The worm locates
the temporary folder and copies itself to that
location. By default, this is C:\Windows\TEMP
(Windows 95/98/Me), C:\WINNT\Temp (Windows
NT/2000), or C:\Documents and
Settings\<UserName>\Local Settings\Temp (Windows XP).




     2.Terminates the taskmon.exe process if it is
running.

     3.Adds the value:

       "(Default)" = "%System%\ctfmon.dll"

       to the registry key:

       HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 

       so that Explorer.exe loads Ctfmon.dll.

     4.Adds the value:

       "Explorer" = "%System%\Explorer.exe"

       to the registry keys:

       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

       so that Explorer.exe is run when you start
Windows.

     5.Overwrites the local Hosts file to prevent
users from accessing the following sites:
            ad.doubleclick.net 
            ad.fastclick.net 
            ads.fastclick.net 
            ar.atwola.com 
            atdmt.com 
            avp.ch 
            avp.com 
            avp.ru 
            awaps.net 
            banner.fastclick.net 
            banners.fastclick.net 
            ca.com 
            click.atdmt.com 
            clicks.atdmt.com 
            dispatch.mcafee.com 
            download.mcafee.com 
            download.microsoft.com 
            downloads.microsoft.com 
            engine.awaps.net 
            fastclick.net 
            f-secure.com 
            ftp.f-secure.com 
            ftp.sophos.com 
            go.microsoft.com 
            liveupdate.symantec.com 
            mast.mcafee.com 
            mcafee.com 
            media.fastclick.net 
            msdn.microsoft.com 
            my-etrust.com 
            nai.com 
            networkassociates.com 
            office.microsoft.com 
            phx.corporate-ir.net 
            secure.nai.com 
            securityresponse.symantec.com 
            service1.symantec.com 
            sophos.com 
            spd.atdmt.com 
            support.microsoft.com 
            symantec.com 
            update.symantec.com 
            updates.symantec.com 
            us.mcafee.com 
            vil.nai.com 
            viruslist.ru 
            windowsupdate.microsoft.com 
            www.avp.ch 
            www.avp.com 
            www.avp.ru 
            www.awaps.net 
            www.ca.com 
            www.fastclick.net 
            www.f-secure.com 
            www.kaspersky.ru 
            www.mcafee.com 
            www.microsoft.com 
            www.my-etrust.com 
            www.nai.com 
            www.networkassociates.com 
            www.sophos.com 
            www.symantec.com 
            www.trendmicro.com 
            www.viruslist.ru 
            www3.ca.com 

     6.Attempts to perform a DoS attack against
www.microsoft.com and www.sco.com. 
            There is a 70% chance that the worm will
perform the DoS against www.microsoft.com if the
February 3, 2004 trigger date condition has been met.
There is an 80% chance that the worm will perform the
DoS against www.sco.com if the February 1, 2004
trigger date condition has been met.

            The DoS against both sites consists of
sending GET requests to the target domain using a
direct connection to port 80. The date is taken by
using the local system time.

     7.Searches for the email addresses in the files
that have the following extensions: 
            .htm 
            .sht 
            .php 
            .asp 
            .dbx 
            .tbb 
            .adb 
            .pl 
            .wab 
            .txt

     8.Attempts to send email messages using its own
SMTP engine. Before sending, the worm tries to find
the recipient's mail server by prepending each of the
following strings to the recipient's domain name and
connecting to the resulting host name. If none of
these succeeds, it uses the local mail server instead.
            gate. 
            ns. 
            relay. 
            mail1. 
            mxs. 
            mx1. 
            smtp. 
            mail. 
            mx.

     9.The email will have the following
characteristics:

       From: The "From" address may be spoofed.

       Subject: The subject will be one of the
following:
       Returned mail 
       Delivery Error 
       Status 
       Server Report 
       Mail Transaction Failed 
       Mail Delivery System 
       hello 
       hi

       Message: The message will be one of the
following:
       sendmail daemon reported:
       Error #804 occured during SMTP session.
Partial message has been received. 
       Mail transaction failed. Partial message is
available. 
       The message contains Unicode characters and
has been sent as a binary attachment. 
       The message contains MIME-encoded graphics and
has been sent as a binary attachment. 
       The message cannot be represented in 7-bit
ASCII encoding and has been sent as a binary
attachment.

       Attachment:

       The attachment may have either one or two file
extensions. If it does have two, the first extension
will be one of the following:

       .htm
       .txt
       .doc

       The second extension, or the only extension if
there is only one, will be one of the following:
       .pif
       .scr
       .exe
       .cmd
       .bat
       .zip (This is an actual .zip file that
contains a copy of the worm, sharing the same file
name as the .zip. For example, readme.zip can contain
readme.exe.)

       If the worm has an extension of .exe or .scr,
the file will be displayed with the following icon
(icon image not reproduced in this message).

       For all the other file extensions, it will use
the icon for that file type. 

    10.Copies itself to the Kazaa download folder as
one of the following files: 
            icq2004-final 
            Xsharez_scanner 
            BlackIce_Firewall_Enterpriseactivation_cra
ck 
            ZapSetup_40_148 
            MS04-01_hotfix 
            Winamp5 
            AttackXP-1.26 
            NessusScan_pro

            with a file extension of one of the
following:
            .pif 
            .scr 
            .bat 
            .exe

    11.The worm also contains functionality which
allows it to install itself on systems that have
already been infected by W32.Novarg.A@mm, using the
backdoor that variant leaves open on TCP port 3127.
This is accomplished as follows: 
            The worm creates two to six threads
working in parallel. 
            Each thread scans a randomly picked
class-C sized network, from a.b.c.1 to a.b.c.254,
skipping networks where a=16, 224, 127 or 128. 
            Between each scanned network, a thread
waits 128 ms. 
            Each IP in the scanned class-C is
contacted on port 3127; if the connection succeeds,
the worm sends an update command along with a copy of
itself to be executed on the remote machine.
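Step 9 above gives enough detail to write a mail-gateway check. The following Python is an added example, not code from the Symantec write-up or from this mailing-list post; the function names and the in-memory sample archive are constructed here. It matches the listed subjects and body phrases, checks attachment names for the single- or double-extension pattern the write-up describes, and opens a .zip attachment to see whether it holds an executable with the same basename as the archive (the readme.zip / readme.exe case).

```python
"""Added example (not part of the Symantec write-up): score an inbound
message against the W32.Mydoom.B@mm mail characteristics listed above."""
import io
import os
import zipfile

# Subjects and body fragments quoted in step 9, lower-cased for comparison.
SUBJECTS = {"returned mail", "delivery error", "status", "server report",
            "mail transaction failed", "mail delivery system", "hello", "hi"}
BODY_PHRASES = (
    "error #804 occured during smtp session",          # the worm's own misspelling
    "mail transaction failed. partial message is available",
    "has been sent as a binary attachment",
)
FIRST_EXT = {".htm", ".txt", ".doc"}                   # allowed leading extension
EXEC_EXT = {".pif", ".scr", ".exe", ".cmd", ".bat"}    # final, executable extension


def split_extensions(name):
    """'readme.htm.pif' -> ('readme', ['.htm', '.pif']); no dot -> ('name', [])."""
    parts = name.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def attachment_matches(filename, data=b""):
    """True when the attachment fits the pattern in step 9: an executable
    extension, optionally preceded by .htm/.txt/.doc, or a .zip whose
    contents include an executable with the same basename as the archive."""
    base, exts = split_extensions(os.path.basename(filename))
    if not exts:
        return False
    last = exts[-1]
    if last in EXEC_EXT:
        return len(exts) == 1 or (len(exts) == 2 and exts[0] in FIRST_EXT)
    if last == ".zip" and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mbase, mexts = split_extensions(os.path.basename(member))
                    if mbase == base and mexts and mexts[-1] in EXEC_EXT:
                        return True
        except zipfile.BadZipFile:
            return False
    return False


def mydoom_b_score(subject, body, attachments):
    """Return the list of matched indicators; attachments is [(name, bytes)]."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    low = body.lower()
    if any(p in low for p in BODY_PHRASES):
        hits.append("body")
    for name, data in attachments:
        if attachment_matches(name, data):
            hits.append("attachment:" + name)
    return hits


def build_zip(inner_name, payload):
    """Constructed sample only: an in-memory archive shaped like the worm's
    readme.zip containing readme.exe. The payload is inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = mydoom_b_score(
        "Mail Transaction Failed",
        "Mail transaction failed. Partial message is available.",
        [("readme.zip", build_zip("readme.exe", b"MZ constructed, not a real worm"))],
    )
    print(sample)
```

The double-extension rule is deliberately as tight as the write-up states it (only .htm, .txt or .doc may precede the executable extension), so a name such as readme.zip.exe does not match; widen FIRST_EXT if a broader gateway rule is wanted. This is indicator matching on the documented characteristics, not a substitute for updated definitions.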



  Symantec Security Response encourages all users and
administrators to adhere to the following basic
security "best practices":

       Turn off and remove unneeded services. By
default, many operating systems install auxiliary
services that are not critical, such as an FTP
server, telnet, and a Web server. These services are
avenues of attack. If they are removed, blended
threats have fewer avenues of attack and you have
fewer services to maintain through patch updates. 
       If a blended threat exploits one or more
network services, disable, or block access to, those
services until a patch is applied. 
       Always keep your patch levels up-to-date,
especially on computers that host public services and
are accessible through the firewall, such as HTTP,
FTP, mail, and DNS services. 
       Enforce a password policy. Complex passwords
make it difficult to crack password files on
compromised computers. This helps to prevent or limit
damage when a computer is compromised. 
       Configure your email server to block or remove
email that contains file attachments that are
commonly used to spread viruses, such as .vbs, .bat,
.exe, .pif and .scr files. 
       Isolate infected computers quickly to prevent
further compromising your organization. Perform a
forensic analysis and restore the computers using
trusted media. 
       Train employees/family not to open attachments
unless they are expecting them. Also, do not execute
software that is downloaded from the Internet unless
it has been scanned for viruses. Simply visiting a
compromised Web site can cause infection if certain
browser vulnerabilities are not patched. 



  The following instructions pertain to all current
and recent Symantec antivirus products, including the
Symantec AntiVirus
  and Norton AntiVirus product lines.
     1.Disable System Restore (Windows Me/XP). 
     2.Remove entries that were added to the Hosts
file. 
     3.Update the virus definitions. 
     4.Restart the computer in Safe mode or VGA mode.

     5.Run a full system scan and delete all the
files detected as W32.Mydoom.B@mm. 
     6.Reverse the changes that were made to the
registry.
  For specific details on each of these steps, read
the following instructions.

  1. Disabling System Restore (Windows Me/XP)
  If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore.  Windows Me/XP uses this feature, which is
enabled by default, to restore the files on your
computer in case they become damaged. If a virus,
worm, or Trojan infects a computer, System Restore
may back up the virus, worm, or Trojan on the
computer.

  Windows prevents outside programs, including
antivirus programs, from modifying System Restore.
Therefore,  antivirus programs or tools cannot remove
threats in the System Restore folder. As a result,
System Restore has the potential of restoring an
infected file on your computer, even after you have
cleaned the infected files from all the other
locations.

  Also, a virus scan may detect a threat in the
System Restore folder even though you have removed
the threat.

  For instructions on how to turn off System Restore,
read your Windows documentation, or one of the
following articles: 
       "How to disable or enable Windows Me System
Restore" 
       "How to turn off or turn on Windows XP System
Restore"

  Note: When you are completely finished with the
removal procedure and are satisfied that the threat
has been removed, re-enable System Restore by
following the instructions in the aforementioned
documents.


  For additional information, and an alternative to
disabling Windows Me System Restore, see the
Microsoft Knowledge Base article, "Antivirus Tools
Cannot Clean Infected Files in the _Restore Folder,"
Article ID: Q263455.

  2. Removing entries that were added to the Hosts
file.
  If the worm was successful in making changes to the
Hosts file, it may prevent you from running LiveUpdate
or accessing certain Web sites.

  The Hosts file is not present on every computer,
and if it does exist, the location can vary. For
example, if the file exists in Windows 98, it will
usually be in C:\Windows; and in Windows 2000, it is
in the C:\WINNT\SYSTEM32\DRIVERS\ETC folder. Also,
there may be multiple copies of this file in
different locations.

  The most efficient way to locate the file is to
search for it.

  Follow the instructions for your operating system: 
       Windows 95/98/Me/NT/2000 
          a.Click Start, point to Find or Search, and
then click Files or Folders. 
          b.Make sure that "Look in" is set to (C:)
and that "Include subfolders" is checked. 
          c.In the "Named" or "Search for..." box,
type:

            hosts

          d.Click Find Now or Search Now. 
          e.For each one that you find, right-click
the file, and then click "Open With." 
          f.Deselect the "Always use this program to
open this type of file" check box. 
          g.Scroll through the list of programs and
double-click Notepad. 
          h.When the file opens, within the file,
delete all the entries in the Hosts file where the
line begins with 0.0.0.0.
            For example:

            0.0.0.0     www.microsoft.com

            There may be numerous lines like this.
Delete all of them.
          i.Close Notepad and save your changes when
prompted.

       Windows XP 
          a.Click Start, and then click Search. 
          b.Click All files and folders. 
          c.In the "All or part of the file name"
box, type:

            hosts

          d.Verify that "Look in" is set to "Local
Hard Drives" or to (C:). 
          e.Click "More advanced options." 
          f.Check "Search system folders." 
          g.Check "Search subfolders." 
          h.Click Search. 
          i.Click Find Now or Search Now 
          j.For each one that you find, right-click
the file, and then click "Open With." 
          k.Deselect the "Always use this program to
open this type of file" check box. 
          l.Scroll through the list of programs and
double-click Notepad. 
         m.When the file opens, within the file,
delete all the entries in the Hosts file where the
line begins with 0.0.0.0.
            For example:

            0.0.0.0     www.microsoft.com

            There may be numerous lines like this.
Delete all of them.
          n.Close Notepad and save your changes when
prompted.
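The hand procedure above is fine for one machine. The following Python is an added example, not part of the Symantec write-up or of this post, that performs the same removal from a script: it drops lines whose first field is 0.0.0.0, by default only when the hostname is one the worm is known to block (step 5 of the technical description), keeps every other line byte-for-byte, and backs the file up before writing. KNOWN_BLOCKED is a subset of that list, the function names are mine, and the sample Hosts content is constructed.

```python
"""Added example (not part of the Symantec write-up): remove the 0.0.0.0
entries W32.Mydoom.B@mm writes into the Windows Hosts file."""
import shutil

# Subset of the hostnames listed in step 5 above; extend with the full list.
KNOWN_BLOCKED = [
    "www.microsoft.com", "windowsupdate.microsoft.com", "download.microsoft.com",
    "liveupdate.symantec.com", "securityresponse.symantec.com", "update.symantec.com",
    "download.mcafee.com", "vil.nai.com", "www.f-secure.com", "www.sophos.com",
    "www.trendmicro.com", "www.kaspersky.ru", "www.ca.com", "my-etrust.com",
]


def clean_hosts(text, blocked_hosts, only_known=True):
    """Return (cleaned_text, removed_lines).

    A line is dropped when its first field is 0.0.0.0 and, with only_known=True,
    at least one hostname on it is in blocked_hosts (case-insensitive). With
    only_known=False every 0.0.0.0 line goes, which is what the manual steps
    above say to do. Comments, blank lines and all other mappings are kept
    unchanged, including their line endings."""
    blocked = {h.lower() for h in blocked_hosts}
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        fields = line.split("#", 1)[0].split()        # ignore trailing comments
        hijack = len(fields) >= 2 and fields[0] == "0.0.0.0"
        if hijack and (not only_known or any(h.lower() in blocked for h in fields[1:])):
            removed.append(line.rstrip("\r\n"))
        else:
            kept.append(line)
    return "".join(kept), removed


def clean_hosts_file(path, blocked_hosts=KNOWN_BLOCKED, only_known=True):
    """Back the file up as <path>.bak, rewrite it, and return the removed lines."""
    with open(path, encoding="latin-1", newline="") as fh:   # keep CRLF as found
        original = fh.read()
    cleaned, removed = clean_hosts(original, blocked_hosts, only_known)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)
    return removed


# Constructed sample of a Hosts file after infection (not a real capture).
SAMPLE_HOSTS = (
    "# constructed sample, not a real Hosts file\r\n"
    "127.0.0.1       localhost\r\n"
    "0.0.0.0     www.microsoft.com\r\n"
    "0.0.0.0     windowsupdate.microsoft.com\r\n"
    "0.0.0.0     LiveUpdate.symantec.com   # added by the worm\r\n"
    "192.168.1.10    fileserver.corp.example\r\n"
    "0.0.0.0     ads.adserver.example      # admin's own ad block\r\n"
)

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS, KNOWN_BLOCKED)
    print("removed:", removed)
    print(cleaned)
```

only_known defaults to True because some administrators keep 0.0.0.0 mappings of their own (ad blocking is the usual case) and would not want those removed; only_known=False reproduces the write-up's instruction to delete every line that begins with 0.0.0.0.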


  3. Updating the virus definitions
  Symantec Security Response fully tests all the
virus definitions for quality assurance before they
are posted to our servers. There are two ways to
obtain the most recent virus definitions: 
       Running LiveUpdate, which is the easiest way
to obtain virus definitions: These virus definitions
are posted to the LiveUpdate servers once each week
(usually on Wednesdays), unless there is a major
virus outbreak. To determine whether definitions for
this threat are available by LiveUpdate, refer to the
Virus Definitions (LiveUpdate). 
       Downloading the definitions using the
Intelligent Updater: The Intelligent Updater virus
definitions are posted on U.S.business days (Monday
through Friday). You should download the definitions
from the Symantec Security Response Web site and
manually install them. To determine whether
definitions for this threat are available by the
Intelligent Updater, refer to the Virus Definitions
(Intelligent Updater).

       Once the Intelligent Updater virus definitions
are available, read "How to update virus definition
files using the Intelligent Updater" for detailed
instructions.

  4. Restarting the computer in Safe mode or VGA mode

  Shut down the computer and turn off the power. Wait
for at least 30 seconds, and then restart the
computer in Safe  mode or VGA mode. 
       For Windows 95, 98, Me, 2000, or XP users,
restart the computer in Safe mode. For instructions,
read the document, "How to start the computer in Safe
Mode." 
       For Windows NT 4 users, restart the computer
in VGA mode. 

  5. Scanning for and deleting the infected files 
     a.Start your Symantec antivirus program and make
sure that it is configured to scan all the files. 
            For Norton AntiVirus consumer products:
Read the document, "How to configure Norton AntiVirus
to scan all files." 
            For Symantec AntiVirus Enterprise
products: Read the document, "How to verify that a
Symantec
            Corporate antivirus product is set to
scan all files." 
     b.Run a full system scan. 
     c.If any files are detected as infected with
W32.Mydoom.B@mm, click Delete.

  6. Reversing the changes that were made to the
registry

  WARNING: Symantec strongly recommends that you back
up the registry before making any changes to it.
Incorrect changes to the registry can result in
permanent data loss or corrupted files. Modify the
specified keys only.  Read the document, "How to make
a backup of the Windows registry," for instructions. 

     a.Click Start, and then click Run. (The Run
dialog box appears.)
     b.Type regedit 

       Then click OK. (The Registry Editor opens.)

     c.Navigate to each of these keys:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run

       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Cu
rrentVersion\Run

     d.In the right pane, delete the value:

       "Explorer"="%System%\explorer.exe"


       Note: %System% is a variable that refers to
the location of the System folder. By default, this
is
       C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), or
C:\Windows\System32 (Windows XP).


     e.Navigate to the key:

       HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


       Note: There are numerous CLSID keys. An easy
way to get to this one is to use the Registry Editor's
Find function. First, navigate to the top of the
left pane and select the HKEY_CLASSES_ROOT key. Then,
click the Edit menu > Find. Carefully type (or copy
and paste) the text E6FB5E20 into the "Find what"
box, and then click Find Next. When the key is
located, double-click it, and then click
InProcServer32.


     f.Do one of the following, depending on your
operating system:
            Windows NT/2000/XP
                 In the right pane, double-click
(Default)
                 In the Value data field, change the
text to the following:

                 %SystemRoot%\System32\webcheck.dll

                 Click OK.

            Windows 95/98/Me
                 In the right pane, double-click
(Default)
                 In the Value data field, change the
text to the following:

                 Windows\System\webcheck.dll

                 Click OK.

     g.Exit the Registry Editor.
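The keys and values in steps c through f can be checked mechanically before anything is edited. The following Python is an added example, not from the Symantec write-up or this post: it parses a Regedit export (the "Windows Registry Editor Version 5.00" format produced by File > Export) and flags the two entries the worm creates, an "Explorer" Run value that starts Explorer.exe from the System folder, and the webcheck CLSID's InProcServer32 default pointing at anything other than webcheck.dll. The function names are mine, the sample exports are constructed, and the paths in them are assumed. The ctfmon.exe Run entry in the sample is Windows' own Text Services loader and is deliberately not flagged; the worm's file is Ctfmon.dll.

```python
"""Added example (not part of the Symantec write-up): check a Regedit
export for the two W32.Mydoom.B@mm persistence entries described above."""
import ntpath
import re

WEBCHECK_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"   # CLSID named in step e
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
CLSID_SUFFIX = (r"\clsid\%s\inprocserver32" % WEBCHECK_CLSID).lower()
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(quoted):
    """Strip the quotes and undo .reg escaping (\\ -> \ and \" -> ")."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a Version 5.00 export.
    '@' is the (Default) value. Only quoted REG_SZ data is decoded; dword:
    and hex: data (including multi-line hex) is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data)
        keys[current][name] = data
    return keys


def find_mydoom_b(keys):
    """Return (key, value_name, data, reason) for entries matching the write-up."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            # Step d: "Explorer" = %System%\Explorer.exe. The real Explorer.exe lives in
            # %Windir%, so an Explorer run value under System or System32 is the worm's.
            for name, data in values.items():
                path = str(data).strip('"').lower()
                parent = ntpath.basename(ntpath.dirname(path))
                if (name.lower() == "explorer" and ntpath.basename(path) == "explorer.exe"
                        and parent in ("system", "system32")):
                    findings.append((key, name, data,
                                     "Explorer.exe started from %System%, not %Windir%"))
        elif k.endswith(CLSID_SUFFIX):
            # Step f: the webcheck CLSID's InProcServer32 default redirected away from webcheck.dll.
            dll = ntpath.basename(str(values.get("@", "")).lower())
            if dll and dll != "webcheck.dll":
                findings.append((key, "(Default)", values["@"],
                                 "InProcServer32 loads %s instead of webcheck.dll" % dll))
    return findings


# Constructed sample export from an infected Windows XP machine (paths assumed).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Explorer"="C:\\WINDOWS\\System32\\Explorer.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\ctfmon.dll"
"ThreadingModel"="Apartment"
'''

# The same keys after steps d and f have been carried out.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="%SystemRoot%\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for key, name, data, why in find_mydoom_b(parse_reg(INFECTED_REG)):
        print("%s\n  %s = %s\n  %s" % (key, name, data, why))
```

Export the two Run keys and the CLSID key from Regedit and pass the file contents to parse_reg; the suffix matching also covers the same keys exported from HKEY_USERS\<SID> or HKEY_LOCAL_MACHINE\SOFTWARE\Classes. Multi-line hex values are left undecoded because the two checks only need REG_SZ data.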



  Additional information: 

  When W32.Mydoom.B@mm sends email, it avoids
distributing to the domains that contain any of the
following strings:
       avp 
       syma 
       icrosof 
       msn. 
       hotmail 
       panda 
       sopho 
       borlan 
       inpris 
       example 
       mydomai 
       nodomai 
       ruslis 
       .gov 
       gov. 
       .mil 
       foo. 
       berkeley 
       unix 
       math 
       bsd 
       mit.e 
       gnu 
       fsf. 
       ibm.com 
       google 
       kernel 
       linux 
       fido 
       usenet 
       iana 
       ietf 
       rfc-ed 
       sendmail 
       arin. 
       ripe. 
       isi.e 
       isc.o 
       secur 
       acketst 
       pgp 
       tanford.e 
       utgers.ed 
       mozilla


       accounts that match any of the following
strings:
       root 
       info 
       samples 
       postmaster 
       webmaster 
       noone 
       nobody 
       nothing 
       anyone 
       someone 
       your 
       you 
       me 
       bugs 
       rating 
       site 
       contact 
       soft 
       no 
       somebody 
       privacy 
       service 
       help 
       not 
       submit 
       feste 
       ca 
       gold-certs 
       the.bat 
       page


       or accounts that contain any of the following
strings:
       admin 
       icrosoft 
       support 
       ntivi 
       unix 
       bsd 
       linux 
       listserv 
       certific 
       google 
       accoun


  The worm also generates further addresses by
combining each of the following names with a domain
name it has harvested (name@domain):
       adam 
       alex 
       alice 
       andrew 
       anna 
       bill 
       bob 
       brenda 
       brent 
       brian 
       claudia 
       dan 
       dave 
       david 
       debby 
       fred 
       george 
       helen 
       jack 
       james 
       jane 
       jerry 
       jim 
       jimmy 
       joe 
       john 
       jose 
       julie 
       kevin 
       leo 
       linda 
       maria 
       mary 
       matt 
       michael 
       mike 
       peter 
       ray 
       robert 
       sam 
       sandra 
       serg 
       smith 
       stan 
       steve 
       ted 
       tom

  Revision History: 

  January 28, 2004: Updated information pertaining to
DoS payload. Provided link to beta definitions.



  Write-up by: Scott Gettis 

~*~*~*~*~
To unsubscribe from our list send an email 
to hackfix-virusnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.

For a complete list of email commands for our list send 
an email to ecartis@xxxxxxxxxxxxx with a subject line of 
"info hackfix-virusnews" without the quotes.
~*~*~*~*~
