McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Mydoom.b (AVP)

• W32.Mydoom.B@mm (NAV)

• WORM_MYDOOM.B (Trend)

Characteristics

-- Update 4th February 2004 --
Further analysis of this virus shows that due to several bugs, the denial of service attack against www.microsoft.com will in fact not take place.

-- Update 28th January 2004 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.eweek.com/article2/0,4149,1472436,00.asp

This is a variant of W32/Mydoom@MM , with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• contains a peer to peer propagation routine
• contains a Denial of Service payload
• overwrites the local hosts file on the victim machine
• contains a backdoor component 

If you think that you may be infected with Mydoom, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information). Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

• Returned mail
• Delivery Error
• Status
• Server Report
• Mail Transaction Failed
• Mail Delivery System
• hello
• hi

Body:  (Varies, such as) 

• sendmail daemon reported:
  Error #804 occured during SMTP session. Partial message has been received.
• Mail transaction failed. Partial message is available.
• The message contains Unicode characters and has been sent as a binary attachment.
• The message contains MIME-encoded graphics and has been sent as a binary attachment.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (29,184 bytes)

• examples (common names, but can be random)
• doc.bat
• document.zip
• message.zip
• readme.zip
• text.pif
• hello.cmd
• body.scr
• test.htm.pif
• data.txt.exe
• file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:

• document.htm  (many spaces)  .pif

The icon used by the file tries to make it appear as if the attachment is a text file:

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as explorer.exe  (note: there is a valid explorer.exe file in the WINDOWS directory)

•  %SysDir%\explorer.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Explorer" = %SysDir%\explorer.exe

The virus uses a DLL that it creates in the Windows System directory:

•  %SysDir%\ctfmon.dll (6,144 bytes)

This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

• HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\ctfmon.dll

Redirection To Prevent Access

The worm overwrites the local hosts file to prevent infected computers from accessing specific sites (listed below). AVERT recommends updating to the 4320 dat files as soon as possible, so that your computer may continue to access NAI and other important sites for future updates.

• ad.doubleclick.net
• ad.fastclick.net
• ads.fastclick.net
• ar.atwola.com
• atdmt.com
• avp.ch
• avp.com
• avp.ru
• awaps.net
• banner.fastclick.net
• banners.fastclick.net
• ca.com
• click.atdmt.com
• clicks.atdmt.com
• dispatch.mcafee.com
• download.mcafee.com
• download.microsoft.com
• downloads.microsoft.com
• engine.awaps.net
• fastclick.net
• f-secure.com
• ftp.f-secure.com
• ftp.sophos.com
• go.microsoft.com
• liveupdate.symantec.com
• mast.mcafee.com
• mcafee.com
• media.fastclick.net
• msdn.microsoft.com
• my-etrust.com
• nai.com
• networkassociates.com
• office.microsoft.com
• phx.corporate-ir.net
• secure.nai.com
• securityresponse.symantec.com
• service1.symantec.com
• sophos.com
• spd.atdmt.com
• support.microsoft.com
• symantec.com
• update.symantec.com
• updates.symantec.com
• us.mcafee.com
• vil.nai.com
• viruslist.ru
• windowsupdate.microsoft.com
• www.avp.ch
• www.avp.com
• www.avp.ru
• www.awaps.net
• www.ca.com
• www.fastclick.net
• www.f-secure.com
• www.kaspersky.ru
• www.mcafee.com
• www.microsoft.com
• www.my-etrust.com
• www.nai.com
• www.networkassociates.com
• www.sophos.com
• www.symantec.com
• www.trendmicro.com
• www.viruslist.ru
• www3.ca.com

Peer To Peer Propagation
The worm copies itself to the KaZaa Shared Directory with the following filenames:

• xsharez_scanner
• BlackIce_Firewall_Enterpriseactivation_crack 
• zapSetup_95_693 
• MS59-56_hotfix 
• winamp0
• NessusScan_pro
• attackXP-6.71

Denial of Service
The worm contains a denial of service payload (date triggered) against the following domains:

• www.sco.com  
• www.microsoft.com

If the worm is started between February 1st, 2004 16:09:18
(UTC) and March 1st, 2004  3:18:42 (UTC), there is an 80%
chance that the worm will execute a DoS attack on www.sco.com . However due to a bug in the worm, this DoS attack will fail to start 75% of the time. 

If the worm is started between February 3, 2004 13:09:18
(UTC) and March 1st, 2004 3:18:42 (UTC), there is an 70%
chance that the worm will execute a DoS attack on www.microsoft.com . However due to several bugs in the worm, this DoS attack will always fail to start. 

If the worm cannot resolve then name www.sco.com , it will sleep for 65 seconds and try again in a continual loop.

Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on the following TCP ports:

• 1080 (if fail then next)
• 3128
• 80
• 8080
• 10080

The worm can accept specially crafted TCP transmissions.

• On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
• On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution)

Remote Updating
As part of it's normal operation, the worm sends out packets to port 3127 at random IP addresses. The purpose of these packets is to locate systems infected with W32/Mydoom@MM . If it makes contact with such a system, the worm then transmits a copy of itself to the second system where it is then executed by W32/Mydoom@MM . When the second system is next restarted, it then becomes infected with W32/Mydoom.b@MM  instead of the original W32/Mydoom@MM .

Symptoms

• When run, the following fake error dialog may be displayed:

  

• Upon executing the virus, Notepad is opened, filled with nonsense characters.

• Existence of the files and registry entry listed above
• Outgoing TCP traffic to remote machines destination port 3127 (the same port as opened with the W32/Mydoom.a@MM  variant).

Method of Infection

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• wab
• adb
• tbb
• dbx
• asp
• php
• sht
• htm
• txt
• pl

As for its predecessor, the worm contains strings which it uses to randomly construct email addresses. The following user names carried in the worm are prepended to harvested domain names:

• john
• alex
• michael
• james
• mike
• kevin
• david
• george
• sam
• andrew
• jose
• leo
• maria
• jim
• brian
• serg
• mary
• ray
• tom
• peter
• robert
• bob
• jane
• joe
• dan
• dave
• matt
• steve
• smith
• stan
• bill
• bob
• jack
• fred
• ted
• adam
• brent
• alice
• anna
• brenda
• claudia
• debby
• helen
• jerry
• jimmy
• linda
• sandra
• julie

Again like its predecessor, this variant avoids targetting certain email addresses (those containing strings carried in the worm).

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• mx.
• mail.
• smtp.
• mx1.
• mxs.
• mail1.
• relay.
• ns.

Removal

All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger
Though we consider this a low risk threat, Stinger  has been updated to assist in detecting and repairing this threat.

McAfee Security Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP ports 1080, 3128, 8080, 10080 and outgoing TCP port 3127.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Mydoom.b (AVP)

• W32.Mydoom.B@mm (NAV)

• WORM_MYDOOM.B (Trend)

Characteristics

Characteristics -

-- Update 4th February 2004 --
Further analysis of this virus shows that due to several bugs, the denial of service attack against www.microsoft.com will in fact not take place.

-- Update 28th January 2004 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.eweek.com/article2/0,4149,1472436,00.asp

This is a variant of W32/Mydoom@MM , with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• contains a peer to peer propagation routine
• contains a Denial of Service payload
• overwrites the local hosts file on the victim machine
• contains a backdoor component 

If you think that you may be infected with Mydoom, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information). Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

• Returned mail
• Delivery Error
• Status
• Server Report
• Mail Transaction Failed
• Mail Delivery System
• hello
• hi

Body:  (Varies, such as) 

• sendmail daemon reported:
  Error #804 occured during SMTP session. Partial message has been received.
• Mail transaction failed. Partial message is available.
• The message contains Unicode characters and has been sent as a binary attachment.
• The message contains MIME-encoded graphics and has been sent as a binary attachment.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (29,184 bytes)

• examples (common names, but can be random)
• doc.bat
• document.zip
• message.zip
• readme.zip
• text.pif
• hello.cmd
• body.scr
• test.htm.pif
• data.txt.exe
• file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:

• document.htm  (many spaces)  .pif

The icon used by the file tries to make it appear as if the attachment is a text file:

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as explorer.exe  (note: there is a valid explorer.exe file in the WINDOWS directory)

•  %SysDir%\explorer.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Explorer" = %SysDir%\explorer.exe

The virus uses a DLL that it creates in the Windows System directory:

•  %SysDir%\ctfmon.dll (6,144 bytes)

This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

• HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\ctfmon.dll

Redirection To Prevent Access

The worm overwrites the local hosts file to prevent infected computers from accessing specific sites (listed below). AVERT recommends updating to the 4320 dat files as soon as possible, so that your computer may continue to access NAI and other important sites for future updates.

• ad.doubleclick.net
• ad.fastclick.net
• ads.fastclick.net
• ar.atwola.com
• atdmt.com
• avp.ch
• avp.com
• avp.ru
• awaps.net
• banner.fastclick.net
• banners.fastclick.net
• ca.com
• click.atdmt.com
• clicks.atdmt.com
• dispatch.mcafee.com
• download.mcafee.com
• download.microsoft.com
• downloads.microsoft.com
• engine.awaps.net
• fastclick.net
• f-secure.com
• ftp.f-secure.com
• ftp.sophos.com
• go.microsoft.com
• liveupdate.symantec.com
• mast.mcafee.com
• mcafee.com
• media.fastclick.net
• msdn.microsoft.com
• my-etrust.com
• nai.com
• networkassociates.com
• office.microsoft.com
• phx.corporate-ir.net
• secure.nai.com
• securityresponse.symantec.com
• service1.symantec.com
• sophos.com
• spd.atdmt.com
• support.microsoft.com
• symantec.com
• update.symantec.com
• updates.symantec.com
• us.mcafee.com
• vil.nai.com
• viruslist.ru
• windowsupdate.microsoft.com
• www.avp.ch
• www.avp.com
• www.avp.ru
• www.awaps.net
• www.ca.com
• www.fastclick.net
• www.f-secure.com
• www.kaspersky.ru
• www.mcafee.com
• www.microsoft.com
• www.my-etrust.com
• www.nai.com
• www.networkassociates.com
• www.sophos.com
• www.symantec.com
• www.trendmicro.com
• www.viruslist.ru
• www3.ca.com

Peer To Peer Propagation
The worm copies itself to the KaZaa Shared Directory with the following filenames:

• xsharez_scanner
• BlackIce_Firewall_Enterpriseactivation_crack 
• zapSetup_95_693 
• MS59-56_hotfix 
• winamp0
• NessusScan_pro
• attackXP-6.71

Denial of Service
The worm contains a denial of service payload (date triggered) against the following domains:

• www.sco.com  
• www.microsoft.com

If the worm is started between February 1st, 2004 16:09:18
(UTC) and March 1st, 2004  3:18:42 (UTC), there is an 80%
chance that the worm will execute a DoS attack on www.sco.com . However due to a bug in the worm, this DoS attack will fail to start 75% of the time. 

If the worm is started between February 3, 2004 13:09:18
(UTC) and March 1st, 2004 3:18:42 (UTC), there is an 70%
chance that the worm will execute a DoS attack on www.microsoft.com . However due to several bugs in the worm, this DoS attack will always fail to start. 

If the worm cannot resolve then name www.sco.com , it will sleep for 65 seconds and try again in a continual loop.

Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on the following TCP ports:

• 1080 (if fail then next)
• 3128
• 80
• 8080
• 10080

The worm can accept specially crafted TCP transmissions.

• On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
• On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution)

Remote Updating
As part of it's normal operation, the worm sends out packets to port 3127 at random IP addresses. The purpose of these packets is to locate systems infected with W32/Mydoom@MM . If it makes contact with such a system, the worm then transmits a copy of itself to the second system where it is then executed by W32/Mydoom@MM . When the second system is next restarted, it then becomes infected with W32/Mydoom.b@MM  instead of the original W32/Mydoom@MM .

Symptoms

Symptoms -

• When run, the following fake error dialog may be displayed:

  

• Upon executing the virus, Notepad is opened, filled with nonsense characters.

• Existence of the files and registry entry listed above
• Outgoing TCP traffic to remote machines destination port 3127 (the same port as opened with the W32/Mydoom.a@MM  variant).

Method of Infection

Method of Infection -

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• wab
• adb
• tbb
• dbx
• asp
• php
• sht
• htm
• txt
• pl

As for its predecessor, the worm contains strings which it uses to randomly construct email addresses. The following user names carried in the worm are prepended to harvested domain names:

• john
• alex
• michael
• james
• mike
• kevin
• david
• george
• sam
• andrew
• jose
• leo
• maria
• jim
• brian
• serg
• mary
• ray
• tom
• peter
• robert
• bob
• jane
• joe
• dan
• dave
• matt
• steve
• smith
• stan
• bill
• bob
• jack
• fred
• ted
• adam
• brent
• alice
• anna
• brenda
• claudia
• debby
• helen
• jerry
• jimmy
• linda
• sandra
• julie

Again like its predecessor, this variant avoids targetting certain email addresses (those containing strings carried in the worm).

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• mx.
• mail.
• smtp.
• mx1.
• mxs.
• mail1.
• relay.
• ns.

Removal -

Removal -

All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger
Though we consider this a low risk threat, Stinger  has been updated to assist in detecting and repairing this threat.

McAfee Security Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP ports 1080, 3128, 8080, 10080 and outgoing TCP port 3127.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A