W32/MyDoom-B

net1
#1
Aliases: W32/Mydoom.b@MM, I-Worm.Mydoom.b
Type: Win32 worm

Description
W32/MyDoom-B is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
W32/MyDoom-B creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.

W32/MyDoom-B uses randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics.

Subject lines
Mail Transaction Failed
Unable to deliver the message
Status
Delivery Error
Mail Delivery System
hello
hi
Error
Server Report
Returned mail
[random collection of characters]

Message texts
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
sendmail daemon reported:
Error #804 occured during SMTP session. Partial message has been received.
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames
body
text
document
data
file
readme
message
doc
[random collection of characters]

Attached files may have one or two extensions. The first extension may be DOC, TXT or HTM and the second BAT, CMD, EXE, PIF, SCR or ZIP.
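As an added example (not part of the advisory or of the post above), here is a small Python check that a mail gateway or triage script could run over a message's subject line and attachment filename to flag the naming pattern described above; the function names and the hit-scoring rule are my own, and the indicator lists are copied from the advisory text.

```python
from typing import List, Optional, Tuple

# Indicators taken from the advisory (compared case-insensitively). The
# "[random collection of characters]" variants cannot be listed, so they are
# only caught through the extension rules below.
SUBJECTS = {
    "mail transaction failed", "unable to deliver the message", "status",
    "delivery error", "mail delivery system", "hello", "hi", "error",
    "server report", "returned mail",
}
BASENAMES = {"body", "text", "document", "data", "file", "readme", "message", "doc"}
DECOY_EXT = {"doc", "txt", "htm"}                         # optional first extension
PAYLOAD_EXT = {"bat", "cmd", "exe", "pif", "scr", "zip"}  # second (real) extension


def split_attachment(filename: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (name, decoy_ext, payload_ext) when the filename ends in one of
    the worm's payload extensions, else None.
    Handles both 'readme.exe' and the double-extension form 'readme.txt.scr'."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in PAYLOAD_EXT:
        return None
    if len(parts) == 3 and parts[1] in DECOY_EXT:
        return parts[0], parts[1], parts[2]
    return ".".join(parts[:-1]), None, parts[-1]


def mydoom_b_indicators(subject: str, filename: str) -> List[str]:
    """List which of the advisory's traits a message exhibits.
    An empty list means the message does not look like a MyDoom-B mailing."""
    parsed = split_attachment(filename)
    if parsed is None:
        return []  # the worm's mails always carry an executable/archive attachment
    name, decoy, payload = parsed
    hits = [f"payload extension .{payload}"]
    if decoy:
        hits.append(f"double extension .{decoy}.{payload}")
    if name in BASENAMES:
        hits.append(f"known attachment name '{name}'")
    if subject.strip().lower() in SUBJECTS:
        hits.append("known subject line")
    # A lone executable attachment with an unknown name and subject is too
    # weak a signal on its own (hypothetical threshold: at least two traits).
    return hits if len(hits) > 1 else []
```

Messages that match only on the attachment extension are deliberately not flagged, so tune the threshold to your own mail flow.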

The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:

NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final

W32/MyDoom-B creates a file called explorer.exe in the system folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ = <system folder>\explorer.exe

Please note that there is a legitimate file called explorer.exe in the Windows folder.

W32/MyDoom-B also drops a file named ctfmon.dll to the system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 1080. The DLL adds the following registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Default= "<location of dll>"

Between 1 February and 1 March 2004, there is a 20% chance that the worm will attempt a denial of service attack against www.sco.com, sending numerous GET requests to the web server. Between 3 February and 1 March 2004 there is a 30% chance that the worm will attempt the same denial of service attack against www.microsoft.com.

Hidden inside the worm's code is the following piece of text which does not get displayed: (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

After 1 March, W32/MyDoom-B will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.

W32/MyDoom-B will also create a file named hosts in the Windows folder in an attempt to render the computer unable to contact a list of websites.

http://www.sophos.com/support/disinfection/worms.html

rolfw
Staff member
#2