W32/MyDoom-B

All of us accessing this forum are using a computer; if you've got a problem, have or need information, then post here.
#1
Guest (Posts: n/a)
Aliases: W32/Mydoom.b@MM, I-Worm.Mydoom.b
Type: Win32 worm

Description

W32/MyDoom-B is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.

W32/MyDoom-B creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.

W32/MyDoom-B uses randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics.

Subject lines:
Mail Transaction Failed
Unable to deliver the message
Status
Delivery Error
Mail Delivery System
hello
hi
Error
Server Report
Returned mail
[random collection of characters]

Message texts:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames:
body
text
document
data
file
readme
message
doc
[random collection of characters]

Attached files may have one or two extensions. The first extension may be DOC, TXT or HTM and the second BAT, CMD, EXE, PIF, SCR or ZIP.

The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final

W32/MyDoom-B creates a file called explorer.exe in the system folder and adds the following registry entry to run this file every time Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\ = <system folder>\explorer.exe
Please note that there is a legitimate file called explorer.exe in the Windows folder.

W32/MyDoom-B also drops a file named ctfmon.dll to the system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 1080. The DLL adds the following registry entry so that it is run on startup:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Default = "<location of dll>"

Between 1 February and 1 March 2004, there is a 20% chance that the worm will attempt a denial of service attack against www.sco.com, sending numerous GET requests to the web server. Between 3 February and 1 March 2004 there is a 30% chance that the worm will attempt the same denial of service attack against www.microsoft.com.

Hidden inside the worm's code is the following piece of text which does not get displayed:
(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

After 1 March W32/MyDoom-B will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.

W32/MyDoom-B will also create a file named hosts in the Windows folder in an attempt to render the computer unable to contact the following websites:
engine.awaps.net
awaps.net
www.awaps.net
ad.***********.net
spd.atdmt.com
atdmt.com
click.atdmt.com
clicks.atdmt.com
media.fastclick.net
fastclick.net
www.fastclick.net
ad.fastclick.net
ads.fastclick.net
banner.fastclick.net
banners.fastclick.net
www.sophos.com
sophos.com
ftp.sophos.com
f-secure.com
www.f-secure.com
ftp.f-secure.com
securityresponse.symantec.com
www.symantec.com
symantec.com
service1.symantec.com
liveupdate.symantec.com
update.symantec.com
updates.symantec.com
support.microsoft.com
downloads.microsoft.com
download.microsoft.com
windowsupdate.microsoft.com
office.microsoft.com
msdn.microsoft.com
go.microsoft.com
nai.com
www.nai.com
vil.nai.com
secure.nai.com
www.networkassociates.com
networkassociates.com
avp.ru
www.avp.ru
www.kaspersky.ru
www.viruslist.ru
viruslist.ru
avp.ch
www.avp.ch
www.avp.com
avp.com
us.mcafee.com
mcafee.com
www.mcafee.com
dispatch.mcafee.com
download.mcafee.com
mast.mcafee.com
www.trendmicro.com
www3.ca.com
ca.com
www.ca.com
www.my-etrust.com
my-etrust.com
ar.atwola.com
phx.corporate-ir.net
www.microsoft.com

http://www.sophos.com/support/disinfection/worms.html
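Two of the host-based indicators in the post above lend themselves to a quick offline triage check: a hosts file that sinkholes vendor update sites, and a Run key that launches explorer.exe from the system folder instead of the Windows folder. The script below is an added example written for this thread, not code from the original post or from Sophos; the hosts-file text and the Run-key values it inspects are constructed samples, the system folder is assumed to be C:\WINDOWS\system32, and the domain set is a subset of the list in the post (the full list can be pasted in).

```python
from typing import Dict, List, Tuple

# Constructed sample of a hosts file shaped like the one the post describes:
# security-vendor and update sites pointed at a null/loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.sophos.com
0.0.0.0         liveupdate.symantec.com
0.0.0.0         windowsupdate.microsoft.com
0.0.0.0         download.mcafee.com
192.168.1.10    intranet.example.local
"""

# Subset of the domains the post lists as blocked by the worm's hosts file.
BLOCKED_BY_WORM = {
    "www.sophos.com", "sophos.com", "ftp.sophos.com",
    "f-secure.com", "www.f-secure.com", "ftp.f-secure.com",
    "securityresponse.symantec.com", "liveupdate.symantec.com",
    "update.symantec.com", "updates.symantec.com",
    "windowsupdate.microsoft.com", "download.microsoft.com",
    "support.microsoft.com", "www.microsoft.com",
    "www.mcafee.com", "download.mcafee.com", "dispatch.mcafee.com",
    "vil.nai.com", "www.trendmicro.com", "www.kaspersky.ru", "avp.com",
}

# Addresses that turn a hosts entry into a sinkhole rather than a real mapping.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> command). The unnamed value mirrors the "\ =" entry
# in the post; the system-folder path is an assumption for this example.
SAMPLE_RUN_VALUES = {
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
    "": r"C:\WINDOWS\system32\explorer.exe",
    "Backup Agent": r"C:\Program Files\Example\agent.exe /tray",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def suspicious_hosts_entries(text: str) -> List[str]:
    """Hostnames from the worm's block list that the hosts file sinkholes."""
    hits = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the normal loopback line is expected
        if name in BLOCKED_BY_WORM and addr in SINKHOLE_ADDRS:
            hits.append(name)
    return hits


def suspicious_run_values(values: Dict[str, str],
                          windows_dir: str = r"C:\WINDOWS") -> List[str]:
    """Flag Run entries launching explorer.exe from anywhere but the Windows folder.

    The post notes the legitimate explorer.exe lives in the Windows folder,
    while the worm's copy is written to the system folder.
    """
    legit = (windows_dir + r"\explorer.exe").lower()
    hits = []
    for name, cmd in values.items():
        path = cmd.strip().strip('"').lower()
        if path.endswith("explorer.exe") and path != legit:
            hits.append(f"{name!r} -> {cmd}")
    return hits


def triage(hosts_text: str, run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both checks into one report for the analyst."""
    return {
        "sinkholed_vendor_sites": suspicious_hosts_entries(hosts_text),
        "rogue_explorer_run_entries": suspicious_run_values(run_values),
    }


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_HOSTS, SAMPLE_RUN_VALUES).items():
        print(f"{key}: {findings or 'none'}")
```

On a real machine the hosts text would come from the Windows folder the post names and the Run values from a registry export; an empty result for both checks does not clear a host (the backdoor DLL registered under the CLSID key in the post is a separate indicator), but a hit on either is a strong reason to pull the box for a proper scan.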
#2
Believe it when I see it (Admin). Real name: Rolf. Join Date: 01-05-1999. Location: Southern England. Posts: 29862. Thanks: 51. Thanked 1097 Times in 691 Posts. Blog Entries: 5.
My System: Pace Sky HD, DM7000s, CubeRevo 3000HDPVR, Transparent 80cm Dish, Moteck SG2100 DiseqC motor, lots of legacy gear. Meters: Satlook Digital NIT, Televes H45 Digital Spectrum analyser.

And if you already have it, here is the antidote http://vil.nai.com/vil/stinger/