W32/Mydoom.ag@MM
- Type
- Virus
- SubType
- Discovery Date
- 11/08/2004
- Length
- 20,751 bytes
- Minimum DAT
- 4405 (11/09/2004)
- Updated DAT
- 4405 (11/09/2004)
- Minimum Engine
- 5.1.00
- Description Added
- 11/08/2004
- Description Modified
- 11/09/2004 12:04 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update November 8, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/New+MyDoom+draws+on+IE+flaw+to+spread/2100-7349_3-5443828.html?tag=cd.lede
This W32/Mydoom@MM variant makes use of a zero-day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability.
The virus spreads by sending email messages to addresses found on the local system. The message appears as follows:
From:
Spoofed address
Subject:
(case may vary)
- funny photos :)
- hello
- hey!
- blank
- random characters
Body:
Look at my homepage
with my last webcam photos!
or
Body:
FREE ADULT VIDEO! SIGN UP NOW!
The mail header may contain one of the following fields:
- X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
- X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
- X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
There is no attachment to the message. The homepage hyperlink points to the infected system that sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus.
Infected systems will show Windows Explorer listening on TCP Port 1639, the port the web server runs on.
When a user follows a hyperlink sent by the virus, the browser connects to the infected computer (http://<IP address of the infected host that sent the email message>:1639/webcam.htm). The webcam.htm page that is served triggers a buffer overflow in Internet Explorer. Shellcode then executes, which downloads a remote file (http://<IP address>:1639/reactor), saves it locally as %desktop%\vv.dat, and then executes the downloaded file.
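The lure and exploit chain above give a mail gateway several indicators that can be checked before a user ever clicks: the fixed subject lines, the forged X-AntiVirus headers, the two body texts, and above all a link to a bare IP address on TCP port 1639 serving webcam.htm, where that IP is the host that delivered the message. The following is an added example, not code from the original description or from McAfee; the sample messages are constructed, and the function name and indicator labels are assumptions made for this illustration.

```python
"""Triage e-mail for the W32/Mydoom.ag@MM lure described above (added example)."""
import email
import re
from email import policy

# Indicators taken from the description; the empty string covers the "blank" subject.
LURE_SUBJECTS = {"funny photos :)", "hello", "hey!", ""}
LURE_BODY_PHRASES = ("look at my homepage", "last webcam photos", "free adult video! sign up now!")
FORGED_AV_HEADERS = (
    "scanned for viruses by AMaViS 0.2.1",
    "Checked by Dr.Web",
    "Checked for viruses by Gordano's AntiVirus Software",
)
# A link to a bare IPv4 address, port 1639, path /webcam.htm is the exploit-page signature.
WEBCAM_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):1639/webcam\.htm", re.I)
# IPv4 literals in Received: headers, e.g. "from host (unknown [192.0.2.45])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def mydoom_ag_indicators(raw: bytes) -> list[str]:
    """Return the list of lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append("lure_subject")

    av_header = msg.get("X-AntiVirus", "")
    if any(marker in av_header for marker in FORGED_AV_HEADERS):
        hits.append("forged_x_antivirus")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if any(phrase in body.lower() for phrase in LURE_BODY_PHRASES):
        hits.append("lure_body")

    match = WEBCAM_URL.search(body)
    if match:
        hits.append("webcam_url_port_1639")
        # The worm mails directly from the infected host, so the link target should
        # also appear as a relay hop in the Received: chain.
        hop_ips = {ip for h in msg.get_all("Received", []) for ip in RECEIVED_IP.findall(str(h))}
        if match.group(1) in hop_ips:
            hits.append("url_host_is_sending_host")
    return hits


# Constructed sample messages (not real captures); 192.0.2.0/24 is documentation space.
SAMPLE_LURE = b"""Received: from host (unknown [192.0.2.45]) by mx.example.net with SMTP; Mon, 8 Nov 2004 10:00:00 -0800
From: alice@example.org
To: bob@example.net
Subject: funny photos :)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Content-Type: text/plain; charset=us-ascii

Look at my homepage
with my last webcam photos!
http://192.0.2.45:1639/webcam.htm
"""

SAMPLE_BENIGN = b"""From: carol@example.org
To: bob@example.net
Subject: Meeting notes
Content-Type: text/plain; charset=us-ascii

Notes from today are on the wiki; the webcam in room 3 is still broken.
"""

if __name__ == "__main__":
    print(mydoom_ag_indicators(SAMPLE_LURE))
    print(mydoom_ag_indicators(SAMPLE_BENIGN))
```

A single indicator such as "hello" as a subject is worthless on its own; the port-1639 link, and especially a link whose host is the delivering relay, is what separates this lure from ordinary mail, so a gateway rule should key on those and use the rest only to raise confidence.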
Symptoms
When run, the virus creates a file in the WINDOWS SYSTEM (%WinDir%\system32) directory with a random filename that ends in 32.exe. A registry run key is created to load the virus at system startup, such as:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Reactor5" = C:\WINDOWS\System32\heztiv32.exe
Other registry keys are also created:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
The worm contains a list of IRC servers, which it attempts to connect to on TCP port 6667:
- qis.md.us.dal.net
- ced.dal.net
- viking.dal.net
- vancouver.dal.net
- ozbytes.dal.net
- broadway.ny.us.dal.net
- coins.dal.net
- lulea.se.eu.undernet.org
- diemen.nl.eu.undernet.org
- london.uk.eu.undernet.org
- washington.dc.us.undernet.org
- los-angeles.ca.us.undernet.org
- brussels.be.eu.undernet.org
- caen.fr.eu.undernet.org
- flanders.be.eu.undernet.org
- graz.at.eu.undernet.org
Method of Infection
Like other Mydoom variants, this virus harvests email addresses from the local system, creates addresses by combining common names carried within the virus body with harvested domain names, and spams those addresses with email messages. It also avoids addresses containing specific letters or words. Unlike earlier variants, the infectious messages do not contain an attachment, but rather a hyperlink directing people to an infected machine. Following the hyperlink results in an infection occurring on the target victim's system, if they are running a vulnerable Microsoft Internet Explorer web browser.
Through the buffer overflow, the virus downloads and executes the main virus component. This component injects itself into the EXPLORER.EXE process and creates six threads to carry out its tasks. Even if the main executable file is terminated and deleted, these threads in EXPLORER.EXE must be suspended or terminated for propagation to stop. The specified DAT files contain repair logic that both terminates the running virus process and stops the spawned EXPLORER.EXE threads.
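The symptoms listed above (the Reactor5 run value pointing at a random *32.exe in System32, the ComExplore marker keys, a listener on TCP 1639 owned by Explorer, and outbound IRC on TCP 6667) and the injection into EXPLORER.EXE described here can be checked together from command output collected on a suspect host. The following is an added example, not the DAT repair logic or any McAfee code; it parses constructed samples of `netstat -ano`, `tasklist /fo csv` and `reg query /s` output, and the function names, PIDs, addresses and dropper file name are assumptions made for the illustration.

```python
"""Host triage for the W32/Mydoom.ag@MM symptoms described above (added example).
Works on saved command output so it runs offline; feed it real output on a suspect host."""
import csv
import io
import re

WORM_WEB_PORT = 1639   # HTTP server the worm runs inside Explorer
IRC_PORT = 6667        # outbound IRC from the server list in the description
# Random System32 file name ending in 32.exe, as used for the Reactor5 run value.
DROPPER_NAME = re.compile(r"\\system32\\[a-z]+32\.exe$", re.I)
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample output (not from a real infection); PIDs and addresses are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1639           0.0.0.0:0              LISTENING       1204
  TCP    192.0.2.45:1048        203.0.113.9:6667       ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,120 K"
"explorer.exe","1204","Console","0","22,416 K"
'''
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Reactor5    REG_SZ    C:\WINDOWS\System32\heztiv32.exe
    ctfmon.exe  REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
    Version    REG_DWORD    0x5
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
REG_VALUE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*)$")


def _port(addr: str):
    """Port number from 'ip:port'; None for '*:*' style entries."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def parse_netstat(text: str) -> list[dict]:
    """TCP rows of 'netstat -ano' as dicts (UDP rows are irrelevant here)."""
    rows = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append({"local_port": _port(local), "foreign_port": _port(foreign),
                         "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> dict[int, str]:
    """Map PID -> lower-cased image name from 'tasklist /fo csv'."""
    return {int(r["PID"]): r["Image Name"].lower() for r in csv.DictReader(io.StringIO(text))}


def parse_reg_query(text: str) -> dict[str, dict[str, str]]:
    """Map key path -> {value name: data} from 'reg query <key> /s' output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current:
            m = REG_VALUE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys


def assess_host(netstat_text: str, tasklist_text: str, reg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means no symptom matched."""
    findings = []
    procs = parse_tasklist(tasklist_text)
    for row in parse_netstat(netstat_text):
        image = procs.get(row["pid"], "?")
        if row["state"] == "LISTENING" and row["local_port"] == WORM_WEB_PORT:
            findings.append(f"pid {row['pid']} ({image}) listening on tcp/{WORM_WEB_PORT}")
            if image == "explorer.exe":
                findings.append("listener is explorer.exe: matches the injected worm threads")
        if row["foreign_port"] == IRC_PORT and image == "explorer.exe":
            findings.append(f"explorer.exe pid {row['pid']} connected to tcp/{IRC_PORT} (IRC)")
    reg = parse_reg_query(reg_text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "Reactor5" or DROPPER_NAME.search(data):
            findings.append(f"run value {name} = {data}")
    for key in reg:
        if key.endswith(r"\Explorer\ComExplore"):
            findings.append(f"marker key present: {key}")
    return findings


if __name__ == "__main__":
    for finding in assess_host(NETSTAT_SAMPLE, TASKLIST_SAMPLE, REG_SAMPLE):
        print(finding)
```

Because the worm's threads live inside EXPLORER.EXE, the process that owns the 1639 listener is the most reliable tell: a stock Explorer has no reason to accept TCP connections, and killing the dropped *32.exe alone leaves that listener (and the spam engine) running, which is why the removal notes insist on stopping the Explorer threads as well.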
Removal
All Users: Use the specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
McAfee Intrushield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
https://mysupport.nai.com/
Knowledgebase Article KB38001
Please note: The above knowledgebase article is password protected and requires you to log in to the Service Portal before accessing it.
McAfee Entercept
Entercept's buffer overflow protection protects against code execution that may result from exploitation of the IFRAME buffer overflow vulnerability.
VirusScan Enterprise 8.0i
VSE 8.0i contains generic buffer overflow protection that is effective in preventing this threat from spreading; the protection is enabled by default. With this configuration, a message dialog box appears when the exploit attempt is detected.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.