F-Secure Virus Descriptions : MyDoom.E
NAME: MyDoom.E
ALIAS: I-Worm.Mydoom.d, W32/Mydoom.e@MM, W32/Mydoom.E.worm, W32/MyDoom-E, WORM_MYDOOM.E
The MyDoom.E worm variant appeared on the 16th of February 2004. It is
functionally similar to the previous variants: like them, it spreads via
e-mail and the Kazaa peer-to-peer network, drops a backdoor and attacks
the www.sco.com website.
The MyDoom.E worm's file is a PE executable, 24576 bytes long,
compressed with the UPX file compressor. The unpacked file is over
35 kilobytes in size.
The worm's lifespan runs from 16:09:18 UTC on 10.02.2004 to 2:28:57
UTC on 14.02.2006. If the current date is outside this range, the worm
doesn't start its replication and payload routines.
Installation to system
When the worm's file is run, it creates a separate thread that
generates a garbage data file and then opens it with Notepad. This
thread then terminates.
After that the worm drops the SHIMGAPI.DLL file into the Windows System
folder. This file is the backdoor (hacker's remote access)
component. It is started as a thread of Explorer from the
following Registry key:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
Finally the worm installs itself into the system. It copies itself as
TASKMON.EXE to the Windows System directory and creates a
startup key for this file in the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%winsysdir%\taskmon.exe"
where %winsysdir% represents the Windows System directory name.
Spreading in e-mails
The worm spreads itself in e-mail messages. To locate e-mail
addresses to spread to, the worm reads the Address Book file name
from the Registry:
[HKCU\Software\Microsoft\WAB\WAB4\Wab File Name]
Then it browses through the Address Book file and collects e-mail
addresses from it. Additionally, the worm looks for e-mail
addresses in files with the following extensions:
wab
pl
adb
tbb
dbx
asp
php
sht
htm
txt
The worm avoids using e-mail addresses that contain the following
substrings:
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
The worm fakes the sender's e-mail address. It composes the fake
sender addresses from two parts: a user name and a domain name. Here is
the list of user names that the worm uses:
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra
Here is the list of domain names that the worm uses:
aol.com
msn.com
yahoo.com
hotmail.com
The subject for the infected message is selected from the
following variants:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
The body of the infected message can contain one of the
following:
test
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The attachment name can be one of the following:
document
readme
doc
text
file
data
test
message
body
The attachment can have two extensions. In that case the first
extension can be:
doc
htm
tmp
And the second or the only extension can be:
pif
scr
exe
cmd
bat
The worm can also send itself inside a ZIP archive.
Spreading in Kazaa file sharing network
The worm spreads itself in the Kazaa file sharing network. When it
locates the Kazaa shared folder, it copies itself there with one of
the following names:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
The following extensions are used for the copied file:
bat
pif
scr
exe
Payload
Like its previous variants, the MyDoom.E worm tries to perform a DoS
(Denial of Service) attack on the www.sco.com website. During the
attack the worm bombards the website with numerous GET / HTTP
requests.
The worm also drops a backdoor that starts as a thread of
Explorer and listens on port 3127 for commands from remote
hackers.
Detection for the MyDoom.E worm is available since the following FSAV
updates:
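As an added defender-side example (not part of F-Secure's description or tooling), the host indicators given above for the installation and the backdoor can be checked against data exported from a machine: a constructed Windows .reg export and constructed netstat lines stand in for a real host, and the sample file paths in them are assumptions.

```python
import re

# Constructed sample .reg export with the two keys the description lists:
# the TaskMon run value and the SHIMGAPI.DLL InprocServer32 entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"""

# Constructed `netstat -an` style output; one line shows a listener on TCP 3127.
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.7:80            ESTABLISHED
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32"
BACKDOOR_PORT = 3127  # port the dropped backdoor listens on, per the description

def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_mydoom_e_indicators(reg_text, netstat_text):
    """Return which of the host indicators from the description match the given data."""
    hits = []
    keys = parse_reg_export(reg_text)
    if keys.get(RUN_KEY, {}).get("TaskMon", "").lower().endswith("taskmon.exe"):
        hits.append("run-key:TaskMon -> taskmon.exe")
    if "shimgapi.dll" in keys.get(CLSID_KEY, {}).get("@", "").lower():
        hits.append("clsid-inprocserver32 -> shimgapi.dll")
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append("tcp-listener:%d" % BACKDOOR_PORT)
    return hits
```

A matching run value or CLSID entry is stronger evidence than the port alone, since any service could occupy 3127; confirm with the file names from the description before acting.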
[FSAV_Database_Version]
Version=2004-02-16_01
Technical Details:
Alexey Podrezov, February 16th, 2004;
Description updated:
Alexey Podrezov, February 17th, 2004;
F-Secure Corporation