W32/Mydoom.u@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 09/09/2004
Length: 18200 bytes
Minimum DAT: 4391 (09/15/2004)
Updated DAT: 5444 (11/24/2008)
Minimum Engine: 5.1.00
Description Added: 09/09/2004
Description Modified: 09/10/2004 2:44 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update September 10, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://edition.cnn.com/2004/TECH/internet/09/10/mydoom.virus.reut/

--

This new variant, packed with UPX, bears the following characteristics:

  • contains its own SMTP engine for constructing messages
  • harvests target email addresses from the victim machine
  • forges the From: header of outgoing messages
  • downloads BackDoor-CEB.c over HTTP

Details

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server claiming that you are infected, which may not be the case.

The From: address is either one of the harvested addresses or constructed by taking a common name carried within the virus body and prepending it to the recipient's domain name (e.g. john@mydomain.com).

The common names used are as follows:

  • Porter 
  • Tucker 
  • Stevens
  • Simpson
  • Webb   
  • Wells  
  • Freeman
  • Murray 
  • Gomez  
  • Ortiz  
  • Marshall   
  • Cruz   
  • Parker 
  • Campbell
  • Phillips   
  • Turner 
  • Roberts
  • Perez  
  • Mitchell   
  • Carter 
  • Nelson 
  • Gonzalez   
  • Baker  
  • Adams  
  • Green  
  • Hill   
  • Lopez  
  • Wright 
  • King   
  • Hernandez  
  • Young  
  • Allen  
  • Hall   
  • Walker 
  • Lee
  • Lewis  
  • Rodriguez  
  • Clark  
  • Robinson   
  • Martinez   
  • Garcia 
  • Thompson   
  • Martin 
  • Harris 
  • White
  • Jackson
  • Anderson   
  • Taylor 
  • Moore  
  • Wilson 
  • Miller 
  • Davis  
  • Brown  
  • Jones  
  • Williams   
  • Johnson
  • Smith  
  • Leon   
  • Tommy  
  • Lloyd  
  • Bill   
  • Ronnie 
  • Jon
  • Alex   
  • Calvin 
  • Tom
  • Jim
  • Jay
  • Oscar  
  • Miguel 
  • Clifford   
  • Theodore   
  • Micheal
  • Marcus 
  • Francisco  
  • Leroy  
  • Mario  
  • Bernard
  • Alexander
  • Barry  
  • Randall
  • Troy   
  • Ricky  
  • Carl   
  • Henry  
  • Douglas
  • Harold 
  • Peter  
  • Patrick
  • Walter 
  • Dennis 
  • Jerry  
  • Joshua 
  • Gregory
  • Raymond
  • Andrew
  • Stephen
  • Eric   
  • Scott  
  • Frank  
  • Jeffrey
  • Larry  
  • Jose   
  • Timothy
  • Gary   
  • Matthew
  • Jason  
  • Kevin  
  • Anthony
  • Ronald 
  • Brian  
  • Edward 
  • Steven 
  • Kenneth
  • George 
  • Donald 
  • Mark   
  • Paul   
  • Daniel 
  • Christopher
  • Thomas 
  • Joseph 
  • Charles
  • Richard
  • David  
  • William
  • Michael
  • Robert 
  • John   
  • James  

The worm searches for email addresses on the local hard drive within files with these file extensions:

  • wab
  • xls
  • vbs
  • uin
  • txt
  • tbb
  • stm
  • sht
  • php
  • msg
  • mht
  • jsp
  • htm
  • eml
  • dht
  • dbx
  • cgi
  • cfg
  • asp

The virus avoids emailing itself to target domains containing any of the following strings:

  • gold-certs 
  • feste  
  • submit 
  • help   
  • service
  • privacy
  • somebody
  • contact
  • site   
  • someone
  • anyone 
  • nothing
  • nobody 
  • noreply
  • noone  
  • webmaster  
  • news   
  • rating 
  • postmaster 
  • samples
  • info   
  • root   
  • www
  • upport 
  • abuse  
  • accoun 
  • certific   
  • listserv   
  • bsd
  • ntivi  
  • admin  
  • icq.com
  • mozilla
  • utgers.ed  
  • tanford.e  
  • pgp
  • acketst
  • secur  
  • isc.o  
  • isi.e
  • ripe.  
  • arin.  
  • sendmail   
  • rfc-ed 
  • ietf   
  • iana   
  • usenet 
  • fido   
  • kernel 
  • google 
  • ibm.com
  • fsf.   
  • gnu
  • mit.e  
  • math   
  • berkeley   
  • support
  • messagelabs
  • antivi 
  • kasp   
  • linux  
  • unix   
  • spam   
  • @iana  
  • @foo.  
  • .mil   
  • gov.   
  • .gov   
  • icrosoft   
  • ruslis 
  • nodomai
  • mydomai
  • example
  • inpris 
  • borlan 
  • sopho  
  • panda  
  • icrosof
  • syman  
  • avp.   
  • -._!   

Subject:

The subject can be empty or random, but can also be taken from a hardcoded list. For example, the subject may look like:

  • You win!   
  • thanks!
  • Thank you! 
  • read it immediately
  • Re: Your document  
  • Re: Status 
  • Re: Question   
  • Re: Proof of concept   
  • Re: Message
  • Re: Hi 
  • Re: Hello
  • Private document   
  • Notice again   
  • News   
  • my 
  • Information
  • important  
  • Hi!
  • hi 
  • here       
  • hello  


Body:

Like the subject, the body can be empty or contain random characters, but it can also contain strings from this hardcoded list:

  • screensaverlol!
  • fun photos 
  • New game   
  • relax  
  • Virus removal tool 
  • You are infected by virus.
  • Run this exe apply this patch!  
  • apply patch.   
  • game   
  • fun game!  
  • fun!   
  • lol!   
  • See the file.  
  • See attached file for details. 
  • Please read the important document.
  • Please read the attached file. 
  • Please confirm the document.   
  • I have attached document.  
  • Your requested mail has been attached. 
  • Your archive is attached.  
  • Waiting for a Response.
  • Please read the attachment. Thanks!
  • Please see the attached file for details   
  • Please read the document.  
  • Please read the attached file! 
  • Please confirm!
  • Please answer quickly!
  • Monthly news report.   
  • For more details see the attachment.   
  • For further details see the attachment.
  • Can you confirm it?

Followed by one of these strings:

  • Norton AntiVirus - www.symantec.de 
  • F-Secure AntiVirus - www.f-secure.com  
  • Norman AntiVirus - www.norman.com  
  • Panda AntiVirus - www.pandasoftware.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • MC-Afee AntiVirus - www.mcafee.com 
  • Bitdefender AntiVirus - www.bitdefender.com
  • MessageLabs AntiVirus - www.messagelabs.com

Attachment:

The worm attaches itself to the mails using one of the filenames it contains, combined with one of the following file extensions:

  • .EXE
  • .SCR

The worm is also able to send itself as a ZIP attachment.

Example:

  • info.zip
  • new.exe
  • pic.exe
  • lol.scr
  • photo.exe
  • new.zip
  • report.zip
  • antivirus.exe
  • message,.zip
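The traits described above (a hardcoded name prepended to the recipient's own domain in From:, a subject from the fixed list, an .exe/.scr/.zip attachment, a fake antivirus footer in the body) can be turned into mail-gateway triage logic. This is an added example, not McAfee's code: the name and subject sets are abbreviated subsets of the lists on this page, and the sample message is constructed, not a real capture.

```python
import email
from email import policy
from email.utils import parseaddr

# Abbreviated subsets of the hardcoded lists in the description above.
MYDOOM_U_NAMES = {"john", "smith", "james", "robert", "porter", "tucker",
                  "garcia", "miller", "david", "tom", "jim", "alex"}
MYDOOM_U_SUBJECTS = {"you win!", "thanks!", "thank you!", "re: your document",
                     "re: hi", "private document", "information", "hello"}
ATTACH_EXTS = (".exe", ".scr", ".zip")  # worm's extensions plus its ZIP wrapper
FAKE_AV_FOOTERS = ("antivirus - www.symantec.de", "antivirus - www.mcafee.com")

def mydoom_u_indicators(raw: bytes) -> list[str]:
    """Return the Mydoom.u traits a message exhibits; [] means none matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    local, _, sender_dom = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    rcpt_dom = parseaddr(msg.get("To", ""))[1].lower().rpartition("@")[2]
    # Spoofed From: a hardcoded name prepended to the recipient's own domain.
    if local in MYDOOM_U_NAMES and sender_dom == rcpt_dom:
        hits.append("spoofed-internal-sender")
    if str(msg.get("Subject", "")).strip().lower() in MYDOOM_U_SUBJECTS:
        hits.append("hardcoded-subject")
    if any((part.get_filename() or "").lower().endswith(ATTACH_EXTS)
           for part in msg.iter_attachments()):
        hits.append("executable-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(footer in text for footer in FAKE_AV_FOOTERS):
        hits.append("fake-av-footer")
    return hits

# Constructed sample resembling a Mydoom.u message (not a real capture).
SAMPLE_WORM_MAIL = b"""\
From: john@mydomain.com
To: alice@mydomain.com
Subject: Re: Your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached file.
Norton AntiVirus - www.symantec.de
--b1
Content-Disposition: attachment; filename="photo.exe"

MZ-placeholder
--b1--
"""
```

A single hit is weak evidence on its own (internal senders and "Re: Hi" subjects are common); several together, especially with an executable attachment, is what makes a message worth quarantining.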

After execution, the worm copies itself to the %windir%\system32 folder as WINSPF32.EXE and creates the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinSPF" = C:\WINNT\System32\winspf.exe

Additionally, it copies itself to

  • C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe

It tries to download BackDoor-CEB.c from these sites:

  • http://www.llc.unibo.it/
  • http://www.surrenderzeeland.nl/
  • http://www.mercyships.de/
  • http://www.hiw.kuleuven.ac.be/
  • http://www.ach.ch/
  • http://vugs.geog.uu.nl/
  • http://www.planetboredom.net/
  • http://guttorm.hveem.no/

Symptoms

  • Existence of files and registry keys as mentioned above.
  • Network traffic outgoing to port 25
  • HTTP traffic to one of the above listed sites, as it attempts to download BackDoor-CEB.c

Method of Infection

This virus spreads via email. Victims must manually choose to execute the infected attachment. Once running, the virus harvests addresses from files as mentioned above.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.