F-Secure is downgrading the alert level on Mydoom.A since it reached
its deadline.
The worm was programmed to stop spreading after February 12th, 2004.
Update on February 10th, 2004
A new minor variant of Mydoom was found on 10th of February 2004. We
detect it automatically as "Mydoom.A". Some other products might detect it
as "Mydoom.D". It's the original Mydoom with a different packer applied to it,
and one of the messages it sends has been patched to say "ROFL HELLO SAM HOWS UPZ.
Partial message is available."
Update on January 27th, 2004
F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of increased
infection reports around the world. The worm sends email attachments with a
random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.
Attack follow-up
F-Secure researchers will be monitoring the launch of the DDoS attack against
SCO.COM on 1st of February, 2004. We'll post our findings to our weblog at:
http://www.f-secure.com/weblog/
Summary
Mydoom is a worm that spreads over email and the Kazaa P2P network. When executed,
the worm opens Windows' Notepad with garbage data in it. In emails, it uses
variable subjects, bodies and attachment names. It also performs a Distributed
Denial-of-Service attack on www.sco.com. This attack starts on 1st of February.
The worm opens a backdoor on infected computers. This is done by planting a
new SHIMGAPI.DLL file into the system32 directory and launching it as a child process
of EXPLORER.EXE.
Mydoom is programmed to stop spreading on February 12th.
The worm encrypts most of the strings in its UPX-packed body with the ROT13
method, i.e., each letter is rotated 13 positions to the right in the
alphabet, wrapping around to the beginning when the position is beyond the last
letter.
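The following is an added example, not code from F-Secure's description: it carves printable strings out of a binary blob, applies the ROT13 rule described above to each one, and reports which of the indicators named on this page (the DLL, mutex and file names) only appear after rotation. The blob is constructed for the example; the indicator list is taken from this page.

```python
import codecs
import re

# Known plain-text indicators from the description, used to recognise
# strings that only become meaningful after ROT13.
KNOWN_INDICATORS = {"shimgapi.dll", "SwebSipcSmtxSO", "taskmon.exe", "www.sco.com"}

# Runs of 4+ printable ASCII bytes, the usual "strings" heuristic.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def rot13(text: str) -> str:
    """Rotate each ASCII letter 13 positions forward, wrapping past 'z'/'Z'.

    Equivalent to codecs.encode(text, "rot13"), written out to show the rule.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def extract_strings(blob: bytes) -> list[str]:
    """Carve printable ASCII runs out of a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def recover_rot13_strings(blob: bytes) -> dict[str, str]:
    """Map every carved string to its ROT13 form so an analyst can compare both."""
    return {s: rot13(s) for s in extract_strings(blob)}


def find_indicators(blob: bytes) -> set[str]:
    """Return known indicators present either in clear or only after ROT13."""
    found = set()
    for raw, rotated in recover_rot13_strings(blob).items():
        if raw in KNOWN_INDICATORS:
            found.add(raw)
        if rotated in KNOWN_INDICATORS:
            found.add(rotated)
    return found


# Constructed sample blob (not data from a real sample): three ROT13-obfuscated
# indicators and one clear-text string, separated by non-printable filler bytes.
SAMPLE_BLOB = (
    b"\x00\x01\xff"
    + codecs.encode("shimgapi.dll", "rot13").encode("ascii") + b"\x00\x00"
    + codecs.encode("SwebSipcSmtxSO", "rot13").encode("ascii") + b"\xfe\x00"
    + codecs.encode("taskmon.exe", "rot13").encode("ascii") + b"\x00"
    + b"GET / HTTP/1.1" + b"\x00"
)

if __name__ == "__main__":
    for raw, rotated in recover_rot13_strings(SAMPLE_BLOB).items():
        print(f"{raw!r:24} -> {rotated!r}")
    print("indicators:", sorted(find_indicators(SAMPLE_BLOB)))
```

Because ROT13 is its own inverse, the same function both obfuscates and recovers; on a real sample the blob would be the unpacked body rather than the UPX-compressed file, since strings inside the compressed region are not carved out by this heuristic.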
When run the worm will create a mutex with the name "SwebSipcSmtxSO" to ensure
only one instance of itself is running at the same time.
The worm will launch a Notepad window with garbage contents.
The worm will copy itself to the Windows System folder as 'taskmon.exe' and
add an entry in the registry:
It drops another file, which is stored encoded in its body and is itself packed with UPX, as:
%sysdir%\shimgapi.dll
This file will sequentially open TCP ports from 3127 to 3198, listening on them
for incoming connections. Among other things, this backdoor can receive an
additional executable and run it on the already infected machine.
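The following added example (not part of the original description) shows how a responder can triage a host against the two indicators given above: a listening TCP port in the 3127 to 3198 range, parsed from netstat-style output, and the dropped file names in the System folder. The netstat text is constructed for the example, and the function and variable names are the example's own.

```python
import os
import re

# Port range the description gives for the backdoor listener (3127..3198 inclusive).
BACKDOOR_PORTS = range(3127, 3199)
# File names the description says the worm places in the Windows System folder.
DROPPED_FILES = ("shimgapi.dll", "taskmon.exe")

# Matches one "netstat -an" style line for a listening TCP socket.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_tcp_ports(netstat_output: str) -> set[int]:
    """Extract local ports in LISTENING state from netstat-style text."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def backdoor_port_hits(netstat_output: str) -> list[int]:
    """Listening ports that fall inside the worm's backdoor range, sorted."""
    return sorted(p for p in listening_tcp_ports(netstat_output) if p in BACKDOOR_PORTS)


def dropped_files_present(sysdir: str) -> list[str]:
    """Which of the worm's dropped file names exist in the given System folder."""
    return [name for name in DROPPED_FILES if os.path.isfile(os.path.join(sysdir, name))]


def assess_host(netstat_output: str, sysdir: str) -> dict:
    """Combine both indicators; a port hit alone is weak evidence, because
    3128 in particular is widely used by legitimate HTTP proxies."""
    ports = backdoor_port_hits(netstat_output)
    files = dropped_files_present(sysdir)
    if files and ports:
        verdict = "likely infected"
    elif files or ports:
        verdict = "investigate"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "ports": ports, "files": files}


# Constructed netstat output (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.0.2.5:80           ESTABLISHED
"""

if __name__ == "__main__":
    import sys
    # Pass the System folder path as the first argument; "." is only a stand-in.
    sysdir = sys.argv[1] if len(sys.argv) > 1 else "."
    print(assess_host(SAMPLE_NETSTAT, sysdir))
```

A file-name match should be confirmed by hashing the file against a known sample rather than trusted on its own, since the names are short and generic.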
Expiration date
When the worm is executed on a date after Sunday 12th of February 2004 it
will exit immediately, without performing any further actions. It will not,
however, uninstall itself.
Peer-to-Peer Spreading
The worm will look up from the Windows Registry the value containing the user's
Kazaa shared folder, and it will copy itself to that location with a filename
composed from the following list:
The worm collects addresses to send itself to from the Windows Address Book
and from files with the following extensions:
pl
adb
tbb
dbx
asp
php
sht
htm
txt
It tries to bypass simple anti-spam protections, e.g. by handling addresses in
which the '@' symbol has been replaced by ' at ', and several other combinations.
E-Mail messages sent by the worm have the following characteristics:
Subjects can be any of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Body is one of the following:
test
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment names are composed by combining one of the following names:
document
readme
doc
text
file
data
test
message
body
with one of the following extensions:
pif
scr
exe
cmd
bat
zip
The ZIP file itself is not harmful when double-clicked. Inside
the zip you have a copy of the worm, sharing the same file name
as the .zip. For example, message.zip contains message.exe.
The sizes of the ZIP files vary, but they are typically around 22 kB. The
infected file inside the zip can have a double extension, such as
"body.htm .pif".
The final message might look like the one shown in the following picture:
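As an added example (not F-Secure's code), the message characteristics listed above can be turned into a mail-filter heuristic: parse a message, compare the subject and body against the lists, decompose the attachment name into stem and extension (handling the "body.htm .pif" double-extension form), and open a ZIP attachment to see whether it wraps an executable with the same stem as the ZIP. The specimen message is constructed here and its "executable" is placeholder bytes; the word lists come from this page.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Word lists taken from the description.
SUBJECTS = {"test", "hi", "hello", "Mail Delivery System", "Mail Transaction Failed",
            "Server Report", "Status", "Error"}
BODY_FRAGMENTS = ("test",
                  "The message cannot be represented in 7-bit ASCII encoding",
                  "The message contains Unicode characters and has been sent",
                  "Mail transaction failed. Partial message is available.")
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXTS = {"pif", "scr", "exe", "cmd", "bat", "zip"}
EXEC_EXTS = EXTS - {"zip"}


def split_attachment_name(filename: str) -> tuple[str, str, bool]:
    """Return (stem, last_ext, has_double_ext); 'body.htm .pif' -> ('body', 'pif', True)."""
    parts = re.split(r"\s*\.", filename.strip().lower())
    stem, ext = parts[0], (parts[-1] if len(parts) > 1 else "")
    return stem, ext, len(parts) > 2


def zip_hides_executable(payload: bytes, attachment_name: str) -> bool:
    """True if the ZIP holds an executable whose stem equals the ZIP's own stem."""
    stem = split_attachment_name(attachment_name)[0]
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                inner_stem, inner_ext, _ = split_attachment_name(os.path.basename(info.filename))
                if inner_ext in EXEC_EXTS and inner_stem == stem:
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Count how many described traits a message shows; each reason is one trait."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject {subject!r} is on the worm's list")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    # "test" must match the whole body; the longer fragments may match as substrings.
    if any(body == frag or (len(frag) > 4 and frag in body) for frag in BODY_FRAGMENTS):
        reasons.append("body text is on the worm's list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext, double = split_attachment_name(name)
        if stem in NAMES and ext in EXTS:
            reasons.append(f"attachment name {name!r} is built from the worm's lists")
        if double and ext in EXEC_EXTS:
            reasons.append(f"attachment {name!r} has a double extension")
        if ext == "zip" and zip_hides_executable(part.get_payload(decode=True) or b"", name):
            reasons.append(f"{name!r} contains an executable with the same stem")
    return len(reasons), reasons


def build_sample_message(subject="Mail Transaction Failed",
                         body="Mail transaction failed. Partial message is available.",
                         attachment="message.zip", inner="message.exe") -> bytes:
    """Constructed specimen mimicking the described traits (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner, b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "someone-else@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    count, why = score_message(build_sample_message())
    print(count, "traits matched:")
    for line in why:
        print(" -", line)
```

A single matching trait (a subject of "hi", say) is common in legitimate mail, so a filter would act on the combination, with the ZIP-wraps-same-name-executable check carrying the most weight.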
Payload
When the machine is booted after Sunday 1st of February at 16:09:18 (UTC),
always according to the infected system's clock, a DDoS attack is launched
against the SCO website.
The worm launches 64 threads, each of them requesting the main page of the
website www.sco.com. This burst of 64 simultaneous requests for the page is
repeated roughly every second (1024 milliseconds) from each of the infected
machines throughout the globe. The request is a simple "GET / HTTP/1.1",
aimed at overloading their web server.
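The traffic pattern described above (64 root-page requests per client roughly every second) is easy to spot in a web server's access log. The following added example, which is not part of the original description, parses common-log-format lines and flags any client that issues at least a threshold number of "GET / HTTP/1.1" requests within a one-second window; the log lines are constructed, and the threshold of 32 (half a burst, to tolerate lost log lines) is the example's own choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TARGET_REQUEST = "GET / HTTP/1.1"   # the request the description attributes to the worm


def parse_line(line: str):
    """Return (ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def find_flooders(lines, window_seconds: float = 1.0, threshold: int = 32) -> dict:
    """Map each client IP to the largest number of root-page hits seen in any
    window shorter than window_seconds, keeping only clients at or above threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == TARGET_REQUEST:
            per_ip[parsed[0]].append(parsed[1])
    flooders = {}
    for ip, times in per_ip.items():
        times.sort()
        left, best = 0, 0
        for right, t in enumerate(times):
            # Slide the left edge until the window spans less than window_seconds.
            while (t - times[left]).total_seconds() >= window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flooders[ip] = best
    return flooders


def _line(ip, ts, req=TARGET_REQUEST, status="200", size="1234"):
    return f'{ip} - - [{ts}] "{req}" {status} {size}'


# Constructed log (not a real capture): one client firing 64 root requests per
# second for two seconds, and one ordinary visitor.
SAMPLE_LOG = (
    [_line("203.0.113.7", "01/Feb/2004:16:09:19 +0000") for _ in range(64)]
    + [_line("198.51.100.3", "01/Feb/2004:16:09:19 +0000", "GET /index.html HTTP/1.1")]
    + [_line("198.51.100.3", "01/Feb/2004:16:09:25 +0000")]
    + [_line("203.0.113.7", "01/Feb/2004:16:09:20 +0000") for _ in range(64)]
)

if __name__ == "__main__":
    for ip, count in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {count} root requests within one second")
```

Log timestamps only have one-second resolution, so the window effectively becomes a per-second bucket; clients behind a shared NAT address can also exceed the threshold legitimately, which is why the count, not just the presence of a match, is returned.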
Backdoor
The backdoor component of Mydoom.A is dropped to the System Directory
with the filename 'shimgapi.dll'. The file is added to the registry as:
Considering the large volume of infected emails sent by Mydoom.A,
mail server administrators might want to block the worm from entering
their mail servers as early as possible.
The ZIP versions of the worm can be detected by matching the first line
of the MIME-encoded attachment against one of the following regular expressions
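The first-line technique works because a base64-encoded ZIP always begins "UEsDB" (the encoding of the "PK\x03\x04" local-file-header signature) and one 76-character line decodes to 57 bytes, enough to read the 30-byte local header plus a short entry name. The following added example (not F-Secure's regular expressions, which are not reproduced on this page) decodes just that first line to recover the inner file name and blocks when it is an executable named from the worm's lists. The message and its ZIP are constructed, with placeholder bytes standing in for the executable.

```python
import base64
import binascii
import io
import re
import struct
import zipfile

# base64 of the ZIP local-file-header signature "PK\x03\x04" always begins "UEsDB".
ZIP_B64_PREFIX = re.compile(r"^UEsDB")
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}


def first_base64_line(raw_message: str):
    """Return the first data line of the first base64-encoded MIME part, or None."""
    lines = raw_message.splitlines()
    for i, line in enumerate(lines):
        if line.lower().startswith("content-transfer-encoding:") and "base64" in line.lower():
            j = i + 1
            while j < len(lines) and lines[j].strip():   # skip the rest of the part headers
                j += 1
            return lines[j + 1].strip() if j + 1 < len(lines) else None
    return None


def inner_zip_filename(b64_line: str):
    """Decode a single base64 line and read the first entry's name from the local header."""
    if not ZIP_B64_PREFIX.match(b64_line):
        return None
    try:
        data = base64.b64decode(b64_line + "=" * (-len(b64_line) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(data) < 30:
        return None
    name_len = struct.unpack_from("<H", data, 26)[0]   # filename length field
    name = data[30:30 + name_len]                       # name follows the 30-byte header
    return name.decode("ascii", errors="replace") if len(name) == name_len else None


def should_block(raw_message: str) -> bool:
    """Block when the first attachment line reveals a ZIP wrapping an executable
    named from the worm's lists (e.g. message.exe inside message.zip)."""
    line = first_base64_line(raw_message)
    name = inner_zip_filename(line) if line else None
    if not name or "." not in name:
        return False
    stem, ext = name.lower().rsplit(".", 1)
    stem = stem.split(".")[0].strip()   # tolerate double extensions like 'body.htm .pif'
    return stem in NAMES and ext.strip() in EXEC_EXTS


def build_sample_message(inner_name: str = "message.exe") -> str:
    """Constructed message (not a real capture); the ZIP holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a program")
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    body = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        "From: someone@example.invalid\r\n"
        "Subject: Server Report\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\ntest\r\n"
        "--b1\r\n"
        'Content-Type: application/zip; name="message.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="message.zip"\r\n'
        "\r\n" + body + "\r\n--b1--\r\n"
    )


if __name__ == "__main__":
    sample = build_sample_message()
    print("first line:", first_base64_line(sample))
    print("inner name:", inner_zip_filename(first_base64_line(sample)))
    print("block:", should_block(sample))
```

Looking at one line is what makes this cheap enough to run on a busy gateway, at the cost of missing entry names longer than the 27 bytes left after the header and any ZIP whose first entry is not the worm itself.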