Administrator
01-29-2004, 11:32 AM
This information obtained from...
The U. S. Department of Homeland Security
US Computer Emergency Readiness Team
MyDoom.B Rapidly Spreading
Mydoom.B is a new variant of the Mydoom worm and is about 29,184 bytes. This variant attempts to perform a Distributed Denial of Service (DDoS) attack against Microsoft.com. Details regarding this new worm are still emerging, but it has been validated as spreading in the wild. Facts about the worm will be further qualified in follow-up reports to this initial analysis.
Once activated, this virus will overwrite the HOSTS file located at %WINDIR%\system32\drivers\etc\hosts.
At least one version of this worm has been observed to write the following data to this file:
127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0 0.0.0.0
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
0.0.0.0 www.symantec.com symantec.com service1.symantec.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 support.microsoft.com downloads.microsoft.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net
This will have the effect of making these sites unreachable for any application that uses domain names, including most anti-virus update programs, electronic mail, HTTP, and FTP.
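Because the hosts file is consulted before DNS, the quickest host-side check for this hijack is to parse the file and report any real hostname mapped to a sink-hole address. The following Python script is an added example and is not part of the US-CERT advisory or any vendor tool; the vendor domain list is taken from the hosts-file contents quoted above, the file path is the one named in the advisory, and SAMPLE_HOSTS is a constructed sample, not a capture from an infected machine.

```python
import os

# Names that legitimately map to loopback and must not be reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "local", "lo"}

# Addresses the worm uses to black-hole a name.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}

# Vendor domains taken from the hosts-file contents quoted in the advisory; a
# hijack of any of these cuts off anti-virus updates or Windows Update.
VENDOR_DOMAINS = (
    "sophos.com", "f-secure.com", "symantec.com", "microsoft.com", "nai.com",
    "networkassociates.com", "avp.ru", "kaspersky.ru", "viruslist.ru", "avp.ch",
    "avp.com", "mcafee.com", "trendmicro.com", "ca.com", "my-etrust.com",
)


def parse_hosts(text):
    """Yield (ip, [names]) for every non-comment, non-blank hosts line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def find_hijacks(text):
    """Return sorted (hostname, ip) pairs that black-hole a real hostname."""
    found = set()
    for ip, names in parse_hosts(text):
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            name = name.lower()
            if name in LOOPBACK_NAMES or name in SINKHOLE_IPS:
                continue  # the localhost line and "0.0.0.0 0.0.0.0" are noise
            found.add((name, ip))
    return sorted(found)


def vendor_hijacks(text):
    """Subset of find_hijacks() whose hostname is a known vendor domain."""
    return [(name, ip) for name, ip in find_hijacks(text)
            if any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)]


def check_system_hosts():
    """Read the live file at %WINDIR%\\system32\\drivers\\etc\\hosts (Windows only)."""
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    path = os.path.join(windir, "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return vendor_hijacks(fh.read())


# Constructed sample: a stock hosts file plus a few of the lines the worm writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # legitimate internal entry
0.0.0.0 0.0.0.0
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
"""

if __name__ == "__main__":
    for name, ip in vendor_hijacks(SAMPLE_HOSTS):
        print(f"{ip:<10} {name}")
```

find_hijacks() reports every black-holed name, including the ad-network entries, while vendor_hijacks() narrows the output to the entries that matter for recovery: until those lines are removed, anti-virus updates and Windows Update on the host will silently fail, so clean the hosts file before attempting to update signatures.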
E-mails sent out by Mydoom.B are highly randomized. The From address may be spoofed to include one of the following domains: aol.com, msn.com, yahoo.com and hotmail.com. A randomized string value may then be combined with these to generate new addresses. This may overload e-mail servers with bounces and auto-replies to the many forged addresses.
The subject is randomized to include one of the following:
Delivery Error
hello
Error
Mail Delivery System
Mail Transaction Failed
Returned mail
Server Report
Status
Unable to deliver the message
The subject may also contain randomized data as seen in a recent live sample: "RE: I still love you fLctv".
The message body is also randomized to include one of the following:
RANDOMIZED CHARACTERS
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
The attachments have a randomized filename selected from one of the following string values:
body
doc
text
document
data
file
readme
message
The randomized string value is then combined with a randomized extension: .exe, .bat, .scr, .cmd or .pif. If the malicious attachment is executed, it then opens notepad.exe and displays garbled data (binary).
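The From domains, subject lines, body templates and attachment names above are fixed strings, so a mail gateway can match on them directly. The following Python example is added here and is not code from the advisory or from any vendor: it parses a message with the standard library, records which indicators match, and applies the extension blocking recommended in the Workaround section. The .zip extension is included because the advisory later reports a plain-text variant carrying a ZIP attachment; the two sample messages are constructed for illustration and are not real captures.

```python
import re
from email import message_from_string, policy

SPOOFED_FROM_DOMAINS = {"aol.com", "msn.com", "yahoo.com", "hotmail.com"}
SUBJECTS = {"delivery error", "hello", "error", "mail delivery system",
            "mail transaction failed", "returned mail", "server report",
            "status", "unable to deliver the message"}
BODIES = {
    "test",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "sendmail daemon reported: error #804 occured during smtp session. partial message has been received.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message contains mime-encoded graphics and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "error 551: we are sorry your utf-8 encoding is not supported by the server, "
    "so the text was automatically zipped and attached to this message.",
}
# Fixed base name plus one of the listed extensions; .zip covers the
# text/plain-with-ZIP variant reported by iDEFENSE later in the advisory.
ATTACHMENT_RE = re.compile(
    r"^(body|doc|text|document|data|file|readme|message)\.(exe|bat|scr|cmd|pif|zip)$", re.I)
# Extensions the workaround section says to block outright at the gateway.
BLOCKED_EXTENSIONS = {"exe", "bat", "scr", "cmd", "pif", "zip"}


def analyse(raw):
    """Return {indicator: matched value} for one RFC 822 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    hits = {}
    for addr in (msg["From"].addresses if msg["From"] else ()):
        if addr.domain.lower() in SPOOFED_FROM_DOMAINS:
            hits["from_domain"] = addr.domain.lower()
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits["subject"] = subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = " ".join(body.get_content().split()).lower()
        if text in BODIES:
            hits["body"] = text
    for part in msg.iter_attachments():  # non-body MIME parts only
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits["attachment"] = name
        if "." in name and name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
            hits.setdefault("blocked_extension", []).append(name)
    return hits


def verdict(raw):
    """block on a blocked extension or worm attachment name, quarantine when
    subject and body both match the worm's templates, otherwise deliver."""
    hits = analyse(raw)
    if "blocked_extension" in hits or "attachment" in hits:
        return "block"
    if "subject" in hits and "body" in hits:
        return "quarantine"
    return "deliver"


# Constructed sample messages, not real captures: one built from the fixed
# templates, one modelled on the "RE: I still love you" ZIP sample.
WORM_MESSAGE = """\
From: "Mail Delivery System" <kqzv@hotmail.com>
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="----=_XYZ"

------=_XYZ
Content-Type: text/plain; charset="us-ascii"

Mail transaction failed. Partial message is available.
------=_XYZ
Content-Type: application/octet-stream; name="message.scr"
Content-Disposition: attachment; filename="message.scr"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------=_XYZ--
"""
ZIP_MESSAGE = """\
From: jqtr@yahoo.com
Subject: RE: I still love you fLctv
Content-Type: multipart/mixed; boundary="----=_ABC"

------=_ABC
Content-Type: text/plain; charset="us-ascii"

Error 551: We are sorry your UTF-8 encoding is not supported by the server, so the text was automatically zipped and attached to this message.
------=_ABC
Content-Type: text/plain; name="message.zip"
Content-Disposition: attachment; filename="message.zip"

UEsDBAoAAAAAAA==
------=_ABC--
"""

if __name__ == "__main__":
    for label, raw in ("worm", WORM_MESSAGE), ("zip", ZIP_MESSAGE):
        print(label, verdict(raw), analyse(raw))
```

Note that the second sample blocks on the attachment alone: its subject is the randomized "RE: I still love you" form and its body is the "Error 551" text, so the subject-plus-body rule would not have caught it. Matching on the declared Content-Type is deliberately avoided, since this variant labels a ZIP as text/plain; the filename and the extension policy are what the gateway should act on.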
Once executed, the worm attempts to create the following files in the Windows System directory: explorer.exe and ctfmon.dll (some reports indicate the DLL is written as dtfmon.dll). The Windows registry is then modified so that the worm is loaded into memory at Windows startup, by adding to the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
Explorer=C:\WINDOWS\system32\explorer.exe
The DLL component is associated with a backdoor feature of this worm. It is likely that this Trojan component works like the one in Mydoom.A: it listens on a range of TCP ports for inbound connections. Inbound TCP traffic can be used to configure the infected computer as a proxy or to install code of choice on it. More importantly, attackers are already working on tools to hijack Mydoom-infected computers to install code of choice.
The DDoS attack of Mydoom.B is against www.microsoft.com. There is information claiming that it may also be directed at sco.com, but this is unsubstantiated at this time. The more credible data indicates that it only performs a DDoS attack against www.microsoft.com, though a previous version of the virus is confirmed to attack SCO.
To spread over the KaZaA P2P network, Mydoom.B creates copies of itself in the KaZaA shared directory with randomized filenames. Filenames include:
attackXP-1.26
BlackIce_Firewall_Enterpriseactivation_crack
MS04-01_hotfix
NessusScan_pro
icq2004-final
winamp5
xsharez_scanner
zapSetup_40_148
A randomized extension is then added to the filename selected above, being .exe, .scr, .pif or .bat.
Mydoom.B attempts to harvest e-mail addresses from Temporary Internet Files, in addition to generating the randomized addresses described above. It does not send to any address containing the following strings: abuse, accoun, certific, listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste, submit, help, service, privacy, somebody, soft, contact, site, rating, bugs, your, someone, anyone, nothing, nobody, noone, webmaster, postmaster, support, samples, info, root, ruslis, nodomai, mydomai, example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda, icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur, isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet, fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix, berkeley and spam.
Mydoom.B also opens TCP port 10080. The worm contains the following string: "sync-1.01; andy; I'm just doing my job, nothing personal, sorry".
Alias: Mydoom, Novarg, Mydoom.B
Sources:
F-Secure Corp. (http://www.f-secure.com/v-descs/mydoom_b.shtml), Jan. 28, 2004
Bit Defender (http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186), Jan. 28, 2004
iDEFENSE Intelligence Operations, Jan. 28, 2004
Sensible Security Solutions Inc. (http://www.sss.ca/), Jan. 28, 2004
According to iDEFENSE, this new variant of Mydoom appears to have different MIME data for malicious e-mails. The content type appears to be plain text and includes a ZIP extension. Mydoom.A had a content type of application/octet-stream and multipart/mixed data. It is likely that this newest variant of Mydoom will become very widespread in the wild. The first variant had well over 3M interceptions by just two sources in the first 18 hours of the outbreak.
Look for questionable files of about 29,184 bytes. Look for notepad.exe being opened to display binary data (garbled text). Also look for the Windows registry keys created by the worm.
Recovery: Remove all files and the Windows registry key modifications associated with this malicious code threat. Restore corrupted or damaged files with clean backup copies.
Workaround: Configure e-mail servers and workstations to block file types commonly used by malicious code to spread to other computers. Block ZIP and executable extensions at the gateway and groupware level. Also monitor network traffic and block ports associated with Mydoom, especially inbound TCP connections to the backdoor Trojan component and traffic on TCP port 10080. Administrators may also find value in monitoring traffic associated with the DDoS component. Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use.
Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically.
Name of Malicious Code: Mydoom.B
Aliases:
Mydoom.B
Mydoom
Novarg
Size in Bytes: 29184
Subjects: RE: I still love you fLctv
Body: Error 551: We are sorry your UTF-8 encoding is not supported by the server, so the text was automatically zipped and attached to this message.
Attachments: message.zip