F-Secure Virus Descriptions : MyDoom.AM
A new variant of the MyDoom worm, Mydoom.AM, was found on January
25th, 2005. It spreads in e-mails with varying subject and body
texts, and attempts to spread in several P2P networks.
F-Secure provides a special disinfection utility to eliminate
the Mydoom.AM worm infection. You can download this utility from our
ftp and web sites:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip
http://www.f-secure.com/tools/f-mydoom.zip
The unpacked version is available from these locations:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe
http://www.f-secure.com/tools/f-mydoom.exe
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt
http://www.f-secure.com/tools/f-mydoom.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations. The JAR package with the tool can be downloaded
from these locations:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.jar
http://www.f-secure.com/tools/f-mydoom.jar
The worm is a PE executable file 32768 bytes long, packed with the UPX
file compressor. The unpacked file's size is over 76 KiB.
Installation to system
When run, the worm drops a file "Mes#wtelw" in the temporary folder and
writes some random data into it. It then opens this file in
Notepad as a decoy.
After Notepad is closed, the worm creates a mutex named
"-=RTSW.Smash 0a2a0=-" and copies itself as
%Sysdir%\lsasrv.exe
where %Sysdir% is the Windows system directory. On a default install of
Windows XP, that is c:\Windows\system32. It also drops the following
files:
%Sysdir%\version.ini
hserv.sys
version.ini appears to contain the worm's version number (0.20),
and hserv.sys is an encrypted data file containing the web sites the worm
contacts for instructions.
The worm installs the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = %Sysdir%\lsasrv.exe
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Sysdir%\lsasrv.exe"
This ensures that the worm is started at the next Windows startup.
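The two registry entries above are the worm's only persistence mechanism, so an administrator who cannot run the disinfection tool immediately can still spot an infected workstation by checking them. The following Python script is an added example, not F-Secure's tool: it parses a .reg export (a constructed sample is embedded) and flags a Winlogon "Shell" value that is anything other than "explorer.exe", plus any Run entry that launches a file named lsasrv.exe. The function names, the sample export, and the assumption that the live registry is read with the standard winreg module on Windows are all mine.

```python
import re
import sys

# Known-good value of the Winlogon "Shell" entry on Windows XP.
EXPECTED_SHELL = "explorer.exe"
# File name the description gives for the worm's copy in %Sysdir%
# (it imitates the legitimate lsass.exe / lsasrv.dll that live there).
WORM_FILENAME = "lsasrv.exe"

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg export of an infected machine (not a real capture);
# the vendor tray entry is a benign decoy to show it is not flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass"="C:\\Windows\\system32\\lsasrv.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Windows\\system32\\lsasrv.exe"
"""

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value_data}} for string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_persistence(keys):
    """Return a list of human-readable findings for the two keys the worm modifies."""
    findings = []
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", EXPECTED_SHELL)
    if shell.strip().lower() != EXPECTED_SHELL:
        findings.append(f"Winlogon Shell is {shell!r}, expected {EXPECTED_SHELL!r}")
    for name, value in keys.get(RUN_KEY, {}).items():
        exe = value.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe == WORM_FILENAME:
            findings.append(f"Run entry {name!r} launches {value!r}")
    return findings


def read_live_keys():
    """Read the two keys from a live Windows registry; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # assumption: standard-library module, Windows only
    result = {}
    for full in (RUN_KEY, WINLOGON_KEY):
        values = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, full.split("\\", 1)[1]) as h:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(h, i)
                except OSError:  # no more values
                    break
                values[name] = str(data)
                i += 1
        result[full] = values
    return result


if __name__ == "__main__":
    source = read_live_keys() or parse_reg_export(SAMPLE_REG_EXPORT)
    for finding in check_persistence(source):
        print("FINDING:", finding)
```

On a clean machine the Winlogon "Shell" value is exactly "explorer.exe"; any trailing command after it is a red flag regardless of the file name, which is why the check compares the whole value rather than searching for lsasrv.exe.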
Spreading in e-mails
The worm spreads by sending itself as an infected attachment to all e-mail addresses
found on the infected computer. The worm looks for e-mail addresses in the Windows
Address Book and in files with the following extensions:
txt
htm
sht
php
cgi
hta
htc
xht
stm
ssi
inc
jsp
xml
dlt
xsd
xst
rss
rdf
lbi
dwt
asa
asc
asm
csp
vbp
conf
tpl
jst
wml
vbs
edm
asp
dbx
tbb
adb
wab
The worm avoids sending e-mails to e-mail addresses that contain
any of the following substrings:
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
The subject of infected e-mails is selected from the following variants:
Good day
Do not reply to this email
hello
Mail Delivery System
Attention!!!
Mail Transaction Failed
Server Report
Status
Error
The body of the e-mails can be one of the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a
binary attachment.
Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash"
spreading very fast via e-mail and P2P networks. It's about
two million people infected and it will be more. To avoid
your infection by this virus and to stop it we provide you
with full information how to protect yourself against it and
also including free remover. Your can find it in the attachment.
(c) 2004 Networks Associates Technology, Inc. All Rights Reserved
New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using
a credit cards for making purchase in the Internet in the attachment.
Please, read it carefully. If you are not agree with new terms and
conditions do not use your credit card in the World Wide Web.
Thank you, The World Bank Group
(c) 2004 The World Bank Group, All Rights Reserved
Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the
attachment file. It's a real good choise to go to
WORLDXXXPASS.COM
Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was
a fraud attempt logged by The Internet Fraud Complaint Center from
your IP. This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged
and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation
and the National White Collar Crime Center
The worm sends itself as an attachment, using one of the following names:
document
readme
doc
rules
file
data
docs
message
body
with one of the following extensions appended:
.bat
.cmd
.exe
.scr
.pif
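Because the subjects, attachment base names and extensions are all drawn from short fixed lists, a mail gateway can recognise the worm's messages from headers alone, without a signature for the executable. The Python below is an added example written for this description, not F-Secure code: it builds a constructed message in the described format with the standard-library email module, then applies a rule that fires only when the subject is on the list and an attachment's base name and extension both come from the lists above. The message contents and function names are my own.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Lists taken from the description (compared case-insensitively).
SUBJECTS = {s.lower() for s in (
    "Good day", "Do not reply to this email", "hello", "Mail Delivery System",
    "Attention!!!", "Mail Transaction Failed", "Server Report", "Status", "Error",
)}
ATTACH_NAMES = {"document", "readme", "doc", "rules", "file", "data", "docs", "message", "body"}
ATTACH_EXTS = {".bat", ".cmd", ".exe", ".scr", ".pif"}


def build_sample_message(subject, filename, body):
    """Construct a test message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    # Payload bytes are a placeholder, not the worm.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


def attachment_names(msg):
    """Yield the declared file names of all attachment parts."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            yield name


def classify(raw):
    """Return a dict describing which parts of the rule matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    subject_hit = subject in SUBJECTS
    hits = []
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name.lower())
        if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            hits.append(name)
    return {"subject_hit": subject_hit, "attachment_hits": hits,
            "verdict": subject_hit and bool(hits)}


WORM_LIKE = build_sample_message(
    "Mail Delivery System", "document.scr",
    "Mail transaction failed. Partial message is available.")
BENIGN = build_sample_message(
    "Good day", "report.pdf", "Please find the quarterly report attached.")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, classify(raw))
```

The benign sample shares a listed subject ("Good day") but its attachment fails the name/extension test, so the verdict stays negative; requiring both conditions keeps the rule from blocking ordinary mail that happens to use a common subject line.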
Spreading in P2P networks
The worm copies itself into the shared folders used by Kazaa, Morpheus,
iMesh, eDonkey and Limewire. It uses one of the following filenames:
winamp5
icq2004-final
activation_crack
K-LiteCodecPack2.34a
dcom_patches
adultpaawds
winxp_patch
Ad-awarere
avpprokey
NeroBROM6.3.1.27
porno
with one of the following extensions appended:
.bat
.exe
.pif
.bat
Payload
The worm tries to contact several web sites and download instructions.
These can instruct the worm to download and execute additional files.
The worm modifies the hosts file on the infected computer so that domains
belonging to anti-virus companies and other commercial sites resolve
to the IP address 127.0.0.1, which blocks access to them. The following domains
are affected:
www.symantec.com
securityresponse.symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
www.f-secure.com
f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
avp.com
www.kaspersky.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
www.my-etrust.com
my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
www.trendmicro.com
trendmicro.com
www.grisoft.com
grisoft.com
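The hosts-file modification is easy to audit because a normal hosts file should not mention any security vendor's domain at all. The Python below is an added example, not part of this description or of F-Secure's tool: it parses hosts-file syntax (comments, multiple host names per line) and reports every listed vendor domain that has been pinned to an address, whatever that address is, since a mapping to anything other than the vendor's real servers is equally suspicious. The sample hosts content is constructed; the domain list is the one given above.

```python
import ipaddress
import os
import sys

# Domains the description says the worm redirects (compared case-insensitively).
BLOCKED_DOMAINS = set("""
www.symantec.com securityresponse.symantec.com www.sophos.com sophos.com
www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com
viruslist.com www.f-secure.com f-secure.com kaspersky.com kaspersky-labs.com
www.avp.com avp.com www.kaspersky.com www.networkassociates.com
networkassociates.com www.ca.com ca.com mast.mcafee.com www.my-etrust.com
my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com
update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com www.trendmicro.com trendmicro.com
www.grisoft.com grisoft.com
""".split())

# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com   # appended by malware
127.0.0.1 liveupdate.symantec.com update.symantec.com
10.0.0.5  intranet.example.invalid
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines, comments and bad addresses."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield str(ip), host.lower()


def find_hijacked(text):
    """Return {hostname: ip} for every listed vendor domain present in the hosts file."""
    return {host: ip for ip, host in parse_hosts(text) if host in BLOCKED_DOMAINS}


def default_hosts_path():
    """Platform default location of the hosts file."""
    if sys.platform == "win32":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for host, ip in sorted(find_hijacked(text).items()):
        print(f"{host} -> {ip}")
```

Run with no arguments to see the result on the constructed sample, or pass the path of a real hosts file; on the sample the two localhost lines and the intranet entry are correctly left alone.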
It also tries to terminate several firewall and anti-virus related
processes.
F-Secure Anti-Virus detects Mydoom.AM worm with the following update:
[FSAV_Database_Version]
Version=2005-01-25_01
Description:
Katrin Tocheva; January 25th, 2005;
Technical Details:
Jarkko Turkulainen, Gergely Erdelyi, Alexey Podrezov; January 25th, 2005;
Description Updated:
Alexey Podrezov, February 1st, 2005;
F-Secure Corporation