McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. 

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender - Uses infected user's domain name, chooses from the following list of prefaces)

• register
• mail
• accounts
• administrator

Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

• Notice of account limitation
• Email Account Suspension
• Security measures
• You are banned!!!
• We have suspended your account
• Members Support
• Important Notification
• Warning Message: Your services near to be closed.
• Your Account is Suspended For Security Reasons
• *DETECTED* Online User Violation
• *WARNING* Your email account is suspended
• Your Account is Suspended

Body:  (Varies, such as) 

• Dear %Domain% Member,
  
  Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
  
  Virtually yours,
  The %Domain% Support Team
  
• Dear %Domain% Member,
  
  We have temporarily suspended your email account %Address% .
  
  This might be due to either of the following reasons:
  
  1. A recent change in your personal information (i.e. change of address).
  2. Submiting invalid information during the initial sign up process.
  3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
  See the attached details to reactivate your %Domain% account.
  
  Sincerely,The %Domain% Support Team
  
• Some information about your %Domain% account is attached.
  

Attachment: (Varies - chooses from the following list of prefaces)

• account-report
• readme
• document
• account-info
• email-details
• account-details
• information
• important-details

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

• document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

• account-report
• readme
• document
• account-info
• email-details
• account-details
• information
• important-details

Final extension:

• bat
• cmd
• exe
• scr
• pif

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as winlogons.exe. 

Registry keys are created to load the worm at startup:

• HKEY_USERS\Default\Software\Microsoft\Windows\
  CurrentVersion\Run "Win32 Drivers" = winlogons.exe
• HKEY_USERS\Default\Software\Microsoft\Windows\
  CurrentVersion\RunOnce "Win32 Drivers" = winlogons.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Win32 Drivers" = winlogons.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\RunOnce "Win32 Drivers" = winlogons.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run "Win32 Drivers" = winlogons.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\RunOnce "Win32 Drivers" = winlogons.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\RunServices "Win32 Drivers" = winlogons.exe

Another key is created, to register a service for the worm file:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\
  Services\s***

(Characters used have been replaced with *s)

Symptoms

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

• l33t.freeshellz.org

For more information on Sdbot spreading functionality, see the following description:
http://vil.nai.com/vil/content/v_100454.htm

Method of Infection

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• wab
• html
• pl
• adbh
• tbbg
• dbxn
• aspd
• phpq
• xmls
• cgil
• jspl
• shtl
• htmb

The worm avoids certain address, those using the following strings:

• accoun
• certific
• listserv
• ntivi
• support
• icrosoft
• admin
• page
• the.bat
• gold-certs
• ca
• feste
• submit
• not
• help
• service
• privacy
• somebody
• no
• soft
• contact
• site
• rating
• bugs
• me
• you
• your
• someone
• anyone
• nothing
• nobody
• noone
• webmaster
• postmaster
• samples
• info
• root
• be_loyal:
• mozilla
• utgers.ed
• tanford.e
• pgp
• acketst
• secur
• isc.o
• isi.e
• ripe.
• arin.
• sendmail
• rfc-ed
• ietf
• iana
• usenet
• fido
• linux
• kernel
• google
• ibm.com
• fsf.
• gnu
• mit.e
• bsd
• math
• unix
• berkeley
• foo.
• .mil
• gov.
• .gov
• ruslis
• nodomai
• mydomai
• example
• inpris
• borlan
• sopho
• panda
• hotmail
• msn.
• icrosof
• syma
• avp
• .edu
• abuse
• www

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• sandra
• adam
• frank
• linda
• julie
• jimmy
• jerry
• helen
• debby
• claudia
• brenda
• anna
• sales
• brent
• paul
• ted
• fred
• jack
• bill
• stan
• smith
• steve
• matt
• dave
• dan
• joe
• jane
• bob
• robert
• peter
• tom
• ray
• mary
• serg
• brian
• jim
• maria
• leo
• jose
• andrew
• sam
• george
• david
• kevin
• mike
• james
• michael
• alex
• josh
• john

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• gate.
• ns.
• relay.
• mail1.
• mxs.
• mx1.
• smtp.
• mail.
• mx.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. 

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender - Uses infected user's domain name, chooses from the following list of prefaces)

• register
• mail
• accounts
• administrator

Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

• Notice of account limitation
• Email Account Suspension
• Security measures
• You are banned!!!
• We have suspended your account
• Members Support
• Important Notification
• Warning Message: Your services near to be closed.
• Your Account is Suspended For Security Reasons
• *DETECTED* Online User Violation
• *WARNING* Your email account is suspended
• Your Account is Suspended

Body:  (Varies, such as) 

• Dear %Domain% Member,
  
  Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
  
  Virtually yours,
  The %Domain% Support Team
  
• Dear %Domain% Member,
  
  We have temporarily suspended your email account %Address% .
  
  This might be due to either of the following reasons:
  
  1. A recent change in your personal information (i.e. change of address).
  2. Submiting invalid information during the initial sign up process.
  3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
  See the attached details to reactivate your %Domain% account.
  
  Sincerely,The %Domain% Support Team
  
• Some information about your %Domain% account is attached.
  

Attachment: (Varies - chooses from the following list of prefaces)

• account-report
• readme
• document
• account-info
• email-details
• account-details
• information
• important-details

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

• document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

• account-report
• readme
• document
• account-info
• email-details
• account-details
• information
• important-details

Final extension:

• bat
• cmd
• exe
• scr
• pif

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as winlogons.exe. 

Registry keys are created to load the worm at startup:

• HKEY_USERS\Default\Software\Microsoft\Windows\
  CurrentVersion\Run "Win32 Drivers" = winlogons.exe
• HKEY_USERS\Default\Software\Microsoft\Windows\
  CurrentVersion\RunOnce "Win32 Drivers" = winlogons.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Win32 Drivers" = winlogons.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\RunOnce "Win32 Drivers" = winlogons.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run "Win32 Drivers" = winlogons.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\RunOnce "Win32 Drivers" = winlogons.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\RunServices "Win32 Drivers" = winlogons.exe

Another key is created, to register a service for the worm file:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\
  Services\s***

(Characters used have been replaced with *s)

Symptoms

Symptoms -

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

• l33t.freeshellz.org

For more information on Sdbot spreading functionality, see the following description:
http://vil.nai.com/vil/content/v_100454.htm

Method of Infection

Method of Infection -

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• wab
• html
• pl
• adbh
• tbbg
• dbxn
• aspd
• phpq
• xmls
• cgil
• jspl
• shtl
• htmb

The worm avoids certain address, those using the following strings:

• accoun
• certific
• listserv
• ntivi
• support
• icrosoft
• admin
• page
• the.bat
• gold-certs
• ca
• feste
• submit
• not
• help
• service
• privacy
• somebody
• no
• soft
• contact
• site
• rating
• bugs
• me
• you
• your
• someone
• anyone
• nothing
• nobody
• noone
• webmaster
• postmaster
• samples
• info
• root
• be_loyal:
• mozilla
• utgers.ed
• tanford.e
• pgp
• acketst
• secur
• isc.o
• isi.e
• ripe.
• arin.
• sendmail
• rfc-ed
• ietf
• iana
• usenet
• fido
• linux
• kernel
• google
• ibm.com
• fsf.
• gnu
• mit.e
• bsd
• math
• unix
• berkeley
• foo.
• .mil
• gov.
• .gov
• ruslis
• nodomai
• mydomai
• example
• inpris
• borlan
• sopho
• panda
• hotmail
• msn.
• icrosof
• syma
• avp
• .edu
• abuse
• www

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• sandra
• adam
• frank
• linda
• julie
• jimmy
• jerry
• helen
• debby
• claudia
• brenda
• anna
• sales
• brent
• paul
• ted
• fred
• jack
• bill
• stan
• smith
• steve
• matt
• dave
• dan
• joe
• jane
• bob
• robert
• peter
• tom
• ray
• mary
• serg
• brian
• jim
• maria
• leo
• jose
• andrew
• sam
• george
• david
• kevin
• mike
• james
• michael
• alex
• josh
• john

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• gate.
• ns.
• relay.
• mail1.
• mxs.
• mx1.
• smtp.
• mail.
• mx.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A