I-Worm.Mydoom.b

From; Kaspersky http://www.viruslist.com/eng/viruslist.html?id=850737

Mydoom.b is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size.

The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.

The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.

Part of the body of the worm is encrypted.

The unpacked file contains the following text:

(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

Installation

Following launch, the worm opens Windows Notepad, showing a random selection of symbols.

During installation, the worm copies itself under the name explorer.exe to the Windows system directory, and registers this file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "TaskMon" = "%System%\explorer.exe"

The worm creates the file ctfmon.dll in the Windows system directory, which is a backdoor component (a proxy server), and also registers this in the system registry:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
 "Apartment" = "%SysDir%\ctfmon.dll"

Ctfmon.dll will therefore launch as a procedure linked to Explorer.exe.

The worm also creates a file called Body in the temporary directory (usually %windir%\temp). This file contains a random selection of symbols.

So that the worm can identify itself in the system, it creates several additional keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]

While running it also creates a unique identifier sync-v1.01__ipcmtx0.

Mydoom.b replaces the standard 'hosts' file in the Windows directory with its own version (under the same name). This file will now prevent user access to the following domains:

ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com
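
A defender's check for the hosts-file tampering described above, added here as an example (it is not code from the Kaspersky writeup). It parses a hosts file and reports every entry that names one of the vendor or update domains from the list; the base-domain subset and the sample hosts content are constructed for the demonstration.

```python
# Added example: detect Mydoom.b-style hosts-file tampering. Not Kaspersky's
# code; the hosts content below is constructed for the demonstration.

# Base domains drawn from the list above; subdomains match by suffix.
WATCHED_DOMAINS = (
    "avp.com", "avp.ru", "avp.ch", "kaspersky.ru", "viruslist.ru",
    "f-secure.com", "symantec.com", "mcafee.com", "nai.com",
    "networkassociates.com", "sophos.com", "trendmicro.com",
    "ca.com", "my-etrust.com", "microsoft.com",
)

def is_watched(name: str) -> bool:
    """True if name is a watched domain or one of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious_hosts_entries(hosts_text: str):
    """Return (line_no, address, hostname) for every hosts entry that maps a
    watched domain anywhere. A clean hosts file should contain none: whether
    the address is 0.0.0.0, 127.0.0.1 or a remote IP, the effect is to keep
    the machine from reaching its vendor's update and signature servers."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # strip comments/whitespace
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        for name in names:
            if is_watched(name):
                hits.append((line_no, address, name.lower()))
    return hits

# Constructed sample: a stock header, the normal localhost line, then the
# kind of entries the worm's replacement file introduces.
CONSTRUCTED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 avp.com
0.0.0.0 www.f-secure.com
0.0.0.0 liveupdate.symantec.com   # Symantec LiveUpdate
0.0.0.0 windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for line_no, address, name in suspicious_hosts_entries(CONSTRUCTED_HOSTS):
        print(f"line {line_no}: {name} -> {address}")
```

On a real machine, read %SystemRoot%\system32\drivers\etc\hosts into `hosts_text`; any hit is worth investigating, since the worm also blocks the update servers that would deliver detection for it.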

Mailing letters

Emails are sent in the same way as by Mydoom.a, except for the following changes.

The body text is chosen at random from the following:

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received

The message contains Unicode characters and
has been sent asa binary attachment.

The message contains MIME-encoded graphics and
has been sent as a binary attachment

Mail transaction failed. Partial message is available.

Mydoom.b might also send emails with random strings of characters in the subject, body and attachment name.

Propagation via P2P

The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:

NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final

with the following extensions:

bat
exe
scr
pif

Kaspersky's CLRAV remover;

CLRAV scans the computer memory and hard drive of the infected machine, neutralizes the worm and restores the original configuration of the Windows system registry.

Additionally, this removal tool copes effectively with other malicious programs, including Klez, Lentin, Opasoft, Tanatos, Welchia, Sobig, Dumaru and Swen. Given the current outbreak, CLRAV is most useful for users who have installed anti-virus protection that does not detect and delete Mydoom correctly.

Kaspersky Labs recommends that users close all active applications before launching CLRAV.

Once the utility is installed, the machine must be restarted. Finally, it is best to launch an anti-virus scanner to perform a comprehensive virus check.

You can download CLRAV from ftp://ftp.kaspersky.com/utils/clrav.zip

See also; 

Computer Associates; http://www3.ca.com/virusinfo/virus.aspx?ID=38114

Microsoft;  https://information.microsoft.com/security/antivirus/mydoom.asp

Sophos: http://www.sophos.com/virusinfo/analyses/w32mydoomb.html

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.b@mm.html

US CERT Technical Alert TA04-028A; http://www.us-cert.gov/cas/techalerts/TA04-028A.html

Zone Alarm can "Lock host file" to prevent changes there;
http://download.zonelabs.com/bin/free/securityAlert/6.html


Virus Alert MyDoom-A worm / Novarg

Visit; F-secure
http://www.f-secure.com/v-descs/novarg.shtml

NAME: Mydoom
ALIAS: Shimgapi, Novarg, W32/MyDoom-A worm, Win32/Shimg, WORM_MIMAIL.R
SIZE: 22528

F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of
increased infection reports around the world. The worm sends email
attachments with a random name ending with ZIP, BAT, CMD, EXE, PIF or SCR
extension.

Summary
Mydoom is a worm that spreads over email and Kazaa p2p network. When
executed, the worm opens up Windows' Notepad with garbage data in it. In
emails, it uses variable subjects, bodies and attachment names. It also
attacks SCO.COM with a DDoS-attack.

The worm opens up a backdoor to infected computers.
This is done by planting a new SHIMGAPI.DLL file to system32 directory and
launching it as a child process of EXPLORER.EXE.

Detailed Description
The worm encrypts most of the strings in its UPX-packed body with the ROT13
method, i.e. the characters are rotated 13 locations to the right in the
abecedary, starting from the beginning if the position is beyond the last
letter.
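
A string-recovery routine for the ROT13 obfuscation described above, added here as an example (it is not F-Secure's code). It extracts printable runs from a dumped body, applies ROT13 to each, and keeps the decodings that contain a triage keyword; the keywords are hypothetical terms taken from the writeup, and the sample blob is constructed from strings the writeup names rather than taken from a real sample.

```python
# Added example: recover ROT13-obfuscated strings from a dumped binary body,
# the scheme the writeup attributes to Mydoom. Not F-Secure's code; the blob
# below is constructed from strings the writeup names, not a real sample.
import codecs
import re

MIN_LEN = 6                                   # shortest run worth decoding
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Hypothetical triage terms chosen from the writeup; decoded runs that
# contain none of them are discarded as noise.
TRIAGE_KEYWORDS = ("taskmon", "shimgapi", "http", "kazaa")

def rot13(text: str) -> str:
    """Rotate A-Z/a-z by 13 places; digits and punctuation pass through,
    which is why '.exe', '/' and version numbers survive unchanged."""
    return codecs.encode(text, "rot_13")

def recover_strings(blob: bytes, keywords=TRIAGE_KEYWORDS):
    """Extract printable ASCII runs (as `strings` would), apply ROT13 to
    each, and keep the decodings that contain a keyword. ROT13 is its own
    inverse, so one pass both encodes and decodes."""
    found = []
    for match in _PRINTABLE_RUN.finditer(blob):
        decoded = rot13(match.group().decode("ascii"))
        if any(k in decoded.lower() for k in keywords):
            found.append(decoded)
    return found

def build_sample_blob() -> bytes:
    """Constructed stand-in for a worm body: ROT13'd strings separated by
    non-printable filler, plus one plaintext decoy that must not match."""
    filler = b"\x00\x01\x02\xff"
    plain = ["taskmon.exe", "shimgapi.dll", "GET / HTTP/1.1", "Software\\Kazaa"]
    blob = b"".join(filler + rot13(s).encode("ascii") for s in plain)
    return blob + filler + b"THIS IS A PLAINTEXT DECOY" + filler

if __name__ == "__main__":
    for s in recover_strings(build_sample_blob()):
        print(repr(s))
```

Run it against the unpacked (post-UPX) image, since the packed file hides the rotated runs as well as the plain ones.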

When run the worm will create a mutex with the name "SwebSipcSmtxSO" to
ensure only one instance of itself is running at the same time.

The worm will copy itself to the Windows System folder as 'taskmon.exe' and
adds an entry in the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = %sysdir%\taskmon.exe

or, if it fails:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = %sysdir%\taskmon.exe

So it's run every time Windows starts up.

It drops another file, which is stored encoded in its body and packed with UPX, as:

%sysdir%\shimgapi.dll

This file will sequentially open TCP ports from 3127 to 3198, listening on
them for incoming connections.
One of the possibilities this backdoor offers is to receive an additional
executable and run it on the already infected machine.


P2P spreading

The worm will look up from the Windows Registry the value containing the
user's Kazaa shared folder, and it will copy itself to that location with a
filename composed from the following list:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

And extensions chosen from:

.bat
.exe
.scr
.pif

Mass mailing.

The worm collects addresses where to send itself from Windows' Address Book
and from files with extension:
pl
adb
tbb
dbx
asp
php
sht
htm
txt

It tries to bypass simple anti-spam protections, such as substituting the
'@' symbol with ' at ' and several other combinations.

E-Mail messages sent by the worm have the following characteristics:

Subjects can be any of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Body is one of the following:

test

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

The message contains Unicode characters and has been sent
as a binary attachment.

Mail transaction failed. Partial message is available.

Attachments are composed combining the following names:
document
readme
doc
text
file
data
test
message
body

with the following extensions:
pif
scr
exe
cmd
bat

Payload

The worm will request the main page of the website SCO.COM roughly every
second (1024 milliseconds) from each of the infected machines throughout the
globe. The request is a simple "GET / HTTP/1.1", aimed to overload their
webserver.


DETECTION

Detection in F-Secure Anti-Virus was published on January 27th, 2004 at
11:01 GMT in update:

[FSAV_Database_Version]

Version=2004-01-27_01

As download speeds for regular updates might be slow, you can download
detection for Mydoom directly from here:

ftp://ftp.f-secure.com/anti-virus/updates/fsupdate.exe

Description: Mikko Hypponen, Katrin Tocheva, Ero Carrera and Sami Rautiainen
January 27th, 2004;  
_______________________________________________

Finjan;
http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=92

_______________________________________________

McAfee;
http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
_______________________________________________

Norton/Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an
attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.
The worm also contains functionality to perform as a proxy server. It
listens on all TCP ports in the range 3127-3198.
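
A host-side check for the backdoor listener range that both the F-Secure description (ports opened sequentially from 3127 to 3198) and the Symantec excerpt above describe, added here as an example rather than taken from either vendor. It parses `netstat -ano`-style output and flags LISTENING TCP sockets inside that range; the netstat text below is constructed, not captured from an infected machine.

```python
# Added example: flag local TCP listeners in the 3127-3198 range that the
# Mydoom backdoor component opens. Not vendor code; the netstat output below
# is constructed for the demonstration.
import re

BACKDOOR_PORTS = range(3127, 3199)   # 3127..3198 inclusive, per the writeups

# Matches the "Proto  Local Address  Foreign Address  State  PID" rows that
# `netstat -ano` prints on Windows; the PID column is optional here so that
# plain `netstat -an` output parses too.
_ROW = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+LISTENING(?:\s+(?P<pid>\d+))?",
    re.IGNORECASE,
)

def find_backdoor_listeners(netstat_text: str):
    """Return sorted (port, pid) pairs for LISTENING TCP sockets whose local
    port lies in the backdoor range; pid is None when the column is absent.
    ESTABLISHED rows are ignored: the question is what is accepting, and a
    cluster of consecutive listeners owned by one PID is the tell."""
    hits = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        port = int(m.group("lport"))
        if port in BACKDOOR_PORTS:
            pid = int(m.group("pid")) if m.group("pid") else None
            hits.add((port, pid))
    return sorted(hits, key=lambda t: (t[0], -1 if t[1] is None else t[1]))

# Constructed sample: one normal RPC listener, three in-range listeners owned
# by the same PID, one just outside the range, and an established connection.
CONSTRUCTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:3127      192.168.1.99:50012     ESTABLISHED     1488
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for port, pid in find_backdoor_listeners(CONSTRUCTED_NETSTAT):
        print(f"listener on TCP {port} (pid {pid})")
```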

The worm will perform a DoS starting on February 1, 2004. On February 12,
2004 the worm has a trigger date to stop spreading.

Also Known As:  W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend]
Type:  Worm
Infection Length:  22,528 bytes
Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Systems Not Affected:  DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

_______________________________________________

Bitdefender;
http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=185
remover download at the bottom of the page

_____________________________________________

McAfee
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983

PANDA
For this reason, in order to stop Mydoom.A from continuing to spread through
computers without adequate antivirus protection installed, Panda Software
offers all users its free PQremove tool, which detects and eliminates
Mydoom.A from infected computers and restores any changes this worm has made
to the system configuration.
http://www.pandasoftware.com/download/utilities

Users can also detect this and other malicious code using the free, online
antivirus, Panda ActiveScan, which is available on the company's website at
http://www.pandasoftware.com/
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvirus=44140
_______________________________________________

SOPHOS; EMERGENCY ALERT: Many reports of W32/MyDoom-A worm

 A detailed analysis of W32/MyDoom-A is available at:
 http://www.sophos.com/virusinfo/analyses/w32mydooma.html

 More information about W32/MyDoom-A can be found at:
 http://www.sophos.com/virusinfo/articles/mydoom.html

 Download the IDE file from:
 http://www.sophos.com/downloads/ide/mydoom-a.ide

 Read about how to use IDE files at:
 http://www.sophos.com/support/faqs/usingides.html
_______________________________________________

Symantec/Norton
http://www.symantec.com/techsupp/vURL.cgi/nav119

Definitions dated January 26, 2004 will detect the W32.Novarg.A@mm worm.
Run LiveUpdate or download the Intelligent Updater virus definitions at:

http://securityresponse.symantec.com/avcenter/defs.download.html

Symantec Security Response has developed a removal tool to clean the
infections of W32.Novarg.A@mm. You can download the removal tool from
the Symantec Web site at:

http://www.symantec.com/techsupp/vURL.cgi/nav120

_______________________________________________

From TREND;
Dear Trend Micro customer:

A new variant of the MIMAIL worm has been found in the wild.

As of January 26, 2004  1:47 PM (US Pacific Time), TrendLabs has declared a
yellow alert to control the spread of WORM_MIMAIL.R.

This mass-mailing worm has the ability of generating random email subjects,
message bodies and attachment file names. This worm also has backdoor
capabilities.

For more information on WORM_MIMAIL.R, you can visit our Web site at:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews