W32/MyDoom-B
Quote from net1 (post 33964):

Aliases
W32/Mydoom.b@MM, I-Worm.Mydoom.b

Type
Win32 worm

Description
W32/MyDoom-B is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.

W32/MyDoom-B creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.

W32/MyDoom-B uses randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics.

Subject lines
Mail Transaction Failed
Unable to deliver the message
Status
Delivery Error
Mail Delivery System
hello
hi
Error
Server Report
Returned mail
[random collection of characters]

Message texts
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
sendmail daemon reported:
Error #804 occured during SMTP session. Partial message has been received.
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames
body
text
document
data
file
readme
message
doc
[random collection of characters]

Attached files may have one or two extensions. The first extension may be DOC, TXT or HTM and the second BAT, CMD, EXE, PIF, SCR or ZIP.

The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:

NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final

W32/MyDoom-B creates a file called explorer.exe in the system folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ = <system folder>\explorer.exe

Please note that there is a legitimate file called explorer.exe in the Windows folder.

W32/MyDoom-B also drops a file named ctfmon.dll to the system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 1080. The DLL adds the following registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Default= "<location of dll>"

Between 1 February and 1 March 2004, there is a 20% chance that the worm will attempt a denial of service attack against www.sco.com, sending numerous GET requests to the web server. Between 3 February and 1 March 2004 there is a 30% chance that the worm will attempt the same denial of service attack against www.microsoft.com.

Hidden inside the worm's code is the following piece of text which does not get displayed: (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

After 1 March W32/MyDoom-B will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.

W32/MyDoom-B will also create a file named hosts in the Windows folder in an attempt to render the computer unable to contact the following websites:

engine.awaps.net
awaps.net
www.awaps.net
ad.doubleclick.net
spd.atdmt.com
atdmt.com
click.atdmt.com
clicks.atdmt.com
media.fastclick.net
fastclick.net
www.fastclick.net
ad.fastclick.net
ads.fastclick.net
banner.fastclick.net
banners.fastclick.net
www.sophos.com
sophos.com
ftp.sophos.com
f-secure.com
www.f-secure.com
ftp.f-secure.com
securityresponse.symantec.com
www.symantec.com
symantec.com
service1.symantec.com
liveupdate.symantec.com
update.symantec.com
updates.symantec.com
support.microsoft.com
downloads.microsoft.com
download.microsoft.com
windowsupdate.microsoft.com
office.microsoft.com
msdn.microsoft.com
go.microsoft.com
nai.com
www.nai.com
vil.nai.com
secure.nai.com
www.networkassociates.com
networkassociates.com
avp.ru
www.avp.ru
www.kaspersky.ru
www.viruslist.ru
viruslist.ru
avp.ch
www.avp.ch
www.avp.com
avp.com
us.mcafee.com
mcafee.com
www.mcafee.com
dispatch.mcafee.com
download.mcafee.com
mast.mcafee.com
www.trendmicro.com
www3.ca.com
ca.com
www.ca.com
www.my-etrust.com
my-etrust.com
ar.atwola.com
phx.corporate-ir.net
www.microsoft.com

http://www.sophos.com/support/disinfection/worms.html
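The hosts-file tampering described in the post is easy to audit: a legitimate hosts file has no reason to pin AV or Windows Update domains to any address. The following is an added example (not part of the post or the Sophos advisory) that parses hosts-file text, handles comments and multi-hostname lines, and flags entries for the vendor domains named above; the domain set is an assumed subset of the post's list, and the hosts content is constructed sample data.

```python
"""Audit Windows hosts-file text for entries that pin AV/update sites.

W32/MyDoom-B drops a hosts file so vendor sites resolve to a bogus
address. Any entry for such a domain is suspicious regardless of the
address it maps to. Domain set and sample below are constructed for
this example (subset of the advisory's list; pass the full list in use).
"""
import ipaddress

# Assumed subset of the sites named in the advisory above.
ADVISORY_DOMAINS = {
    "www.sophos.com", "sophos.com", "securityresponse.symantec.com",
    "liveupdate.symantec.com", "windowsupdate.microsoft.com",
    "download.microsoft.com", "www.f-secure.com", "vil.nai.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; '#' comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for host in fields[1:]:               # one line may list many hosts
            yield str(ip), host.lower()


def find_blocked(text, watch=ADVISORY_DOMAINS):
    """Return sorted (host, ip) pairs for watched domains present in text."""
    return sorted((h, ip) for ip, h in parse_hosts(text) if h in watch)


# Constructed sample: one normal line plus MyDoom-B-style hijack entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0  www.sophos.com sophos.com   # pinned by worm
0.0.0.0  windowsupdate.microsoft.com
127.0.0.1 liveupdate.symantec.com
"""

if __name__ == "__main__":
    for host, ip in find_blocked(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```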