Content

W32/Mydoom.e@MM

Type
Virus
SubType
E-mail
Discovery Date
02/13/2004
Length
24,576 bytes
Minimum DAT
4324 (02/17/2004)
Updated DAT
5444 (11/24/2008)
Minimum Engine
5.1.00
Description Added
02/13/2004
Description Modified
02/14/2004 8:50 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • contains a backdoor component (see below)
  • contains a Denial of Service payload

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

Body:  (Varies, such as) 

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • test

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

  • examples (common names, but can be random)
  • doc.bat
  • document.zip
  • message.zip
  • readme.zip
  • text.pif
  • body.scr
  • test.htm.pif
  • data.txt.exe
  • file.scr

The icon used by the file tries to make it appear as if the attachment is a text file:

 

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as taskmon.exe

  •  %SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The virus uses a DLL that it creates in the Windows System directory:

  •  %SysDir%\shimgapi.dll (5,632 bytes)

(Note: The DLL is detected with 4321 DATs and higher as a variant of W32/Mydoom.  The 4324 DATs will add specific detection as W32/Mydoom.e.dll)

This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

Peer To Peer Propagation
 The worm copies itself to the KaZaa Shared Directory with the following filenames:

  • nuke2004
  • office_crack
  • rootkitXP
  • strip-girl-2.0bdcom_patches
  • activation_crack
  • icq2004-final
  • winamp

Remote Access Component
 The worm (this functionality is in the dropped DLL) opens a connection on TCP port 3127.

Denial of Service Component
If the worm is run after February 1st 16:09:18 (UTC), it changes its behavior from mass mailing to initiating a denial of service attack against www.sco.com. This denial of service attack will stop on the first system startup after 02:28:57 ( UTC) on 14th February 2006. After this the worm's only behavior is to continue listening on TCP port 3127 (or up to 3198). Due to a bug in the code, the DoS attack will fail to start 75% of the time.

Symptoms

 

  • Upon executing the virus, Notepad is opened, filled with nonsense characters.

 

  • Existence of the files and registry entry listed above

Method of Infection

 

This worm tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt
  • pl

The worm avoids certain address, those using the following strings:

  • .gov
  • .mil
  • abuse
  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • google
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • math
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • unix
  • usenet
  • utgers.ed

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • john
  • alex

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

  • gate.
  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • contains a backdoor component (see below)
  • contains a Denial of Service payload

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

Body:  (Varies, such as) 

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • test

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

  • examples (common names, but can be random)
  • doc.bat
  • document.zip
  • message.zip
  • readme.zip
  • text.pif
  • body.scr
  • test.htm.pif
  • data.txt.exe
  • file.scr

The icon used by the file tries to make it appear as if the attachment is a text file:

 

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as taskmon.exe

  •  %SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The virus uses a DLL that it creates in the Windows System directory:

  •  %SysDir%\shimgapi.dll (5,632 bytes)

(Note: The DLL is detected with 4321 DATs and higher as a variant of W32/Mydoom.  The 4324 DATs will add specific detection as W32/Mydoom.e.dll)

This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

Peer To Peer Propagation
 The worm copies itself to the KaZaa Shared Directory with the following filenames:

  • nuke2004
  • office_crack
  • rootkitXP
  • strip-girl-2.0bdcom_patches
  • activation_crack
  • icq2004-final
  • winamp

Remote Access Component
 The worm (this functionality is in the dropped DLL) opens a connection on TCP port 3127.

Denial of Service Component
If the worm is run after February 1st 16:09:18 (UTC), it changes its behavior from mass mailing to initiating a denial of service attack against www.sco.com. This denial of service attack will stop on the first system startup after 02:28:57 ( UTC) on 14th February 2006. After this the worm's only behavior is to continue listening on TCP port 3127 (or up to 3198). Due to a bug in the code, the DoS attack will fail to start 75% of the time.

Symptoms

Symptoms -

 

  • Upon executing the virus, Notepad is opened, filled with nonsense characters.

 

  • Existence of the files and registry entry listed above

Method of Infection

Method of Infection -

 

This worm tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt
  • pl

The worm avoids certain address, those using the following strings:

  • .gov
  • .mil
  • abuse
  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • google
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • math
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • unix
  • usenet
  • utgers.ed

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • john
  • alex

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

  • gate.
  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A