W32/Mydoom.bv@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/16/2005
- Length: 79,936 bytes (UPXed)
- Minimum DAT: 4559 (08/16/2005)
- Updated DAT: 4559 (08/16/2005)
- Minimum Engine: 5.1.00
- Description Added: 08/16/2005
- Description Modified: 08/16/2005 7:43 AM (PT)
Characteristics
This is a mass-mailing worm that bears the following characteristics:
- contains its own SMTP engine to construct outgoing messages, harvesting email addresses from the victim machine
- propagates via the Windows Plug and Play vulnerability (MS05-039)
- contains a backdoor component (TCP 80, or random TCP port)
- terminates various processes (security/AV software)
- lowers security settings on victim machine
This worm contains MS05-039 exploit code similar to that present in recent W32/Zotob.worm and W32/Sdbot.worm variants.
The exploit propagation code works in the same fashion: the exploited remote system is instructed to fetch the worm via FTP from the infected host and then execute it locally.
The generic buffer overflow protection in VirusScan Enterprise 8.0i and Managed VirusScan protects against code execution that may result from exploitation of MS05-039.
Symptoms
- Existence of the files and registry entries listed below
- Modification of the Windows firewall settings, via setting the following Registry values:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List "%executed_file%"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "%executed_file%"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List "%executed_file%"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "%executed_file%"
Each is set to the following value:
- %executed_file%::*:Enabled:%executed_filename%
where %executed_file% is the full path to the executed copy of the worm, and %executed_filename% is the filename.
- Addition of the value:
- "EnableFirewall" = "0"
To the following keys:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Addition of the value:
- "DisableRegistryTools" = "0"
To the following keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
- Unexpected termination of one of the following processes:
- Lien Van de Kelderrr.exe
- winshost.exe
- msnmsgr.exe
- wfdmgr.exe
- OUTPOST.EXE
- IAOIN.EXE
- RB.EXE
- b055262c.dll
- backdoor.rbot.gen.exe
- backdoor.rbot.gen_(17).exe
- msssss.exe
- rasmngr.exe
- dailin.exe
- wowpos32.exe
- wuamgrd.exe
- taskmanagr.exe
- wuamga.exe
- ATUPDATER.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- UPDATE.EXE
- NUPGRADE.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVXQUAR.EXE
- CFIAUDIT.EXE
- MCUPDATE.EXE
- NUPGRADE.EXE
- Systra.exe
- RAVMOND.exe
- GfxAcc.exe
- VisualGuard.exe
- WIN-BUGSFIX.EXE
- WIN32.EXE
- WIN32US.EXE
- WINACTIVE.EXE
- WINDOW.EXE
- WINDOWS.EXE
- WININETD.EXE
- WININIT.EXE
- WININITX.EXE
- WINLOGIN.EXE
- WINMAIN.EXE
- WINPPR32.EXE
- WINRECON.EXE
- WINSSK32.EXE
- WINSTART.EXE
- WINSTART001.EXE
- WINTSK32.EXE
- WINUPDATE.EXE
- WKUFIND.EXE
- WNAD.EXE
- WNT.EXE
- WRADMIN.EXE
- WRCTRL.EXE
- WUPDATER.EXE
- WUPDT.EXE
- WYVERNWORKSFIREWALL.EXE
- XPF202EN.EXE
- ZAPRO.EXE
- ZAPSETUP3001.EXE
- ZATUTOR.EXE
- ZONALM2601.EXE
- ZONEALARM.EXE
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- HIJACKTHIS.EXE
- F-AGOBOT.EXE
- Disabling of access to various remote sites, via addition of the following to the local HOSTS file:
- 127.0.0.1 avp.com
- 127.0.0.1 ca.com
- 127.0.0.1 customer.symantec.com
- 127.0.0.1 dispatch.mcafee.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 downloads-eu1.kaspersky-labs.com
- 127.0.0.1 downloads-us1.kaspersky-labs.com
- 127.0.0.1 downloads1.kaspersky-labs.com
- 127.0.0.1 downloads2.kaspersky-labs.com
- 127.0.0.1 downloads3.kaspersky-labs.com
- 127.0.0.1 downloads4.kaspersky-labs.com
- 127.0.0.1 f-secure.com
- 127.0.0.1 kaspersky-labs.com
- 127.0.0.1 kaspersky.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 liveupdate.symantecliveupdate.com
- 127.0.0.1 mast.mcafee.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 microsoft.com
- 127.0.0.1 my-etrust.com
- 127.0.0.1 nai.com
- 127.0.0.1 networkassociates.com
- 127.0.0.1 oxyd.fr
- 127.0.0.1 pandasoftware.com
- 127.0.0.1 rads.mcafee.com
- 127.0.0.1 secure.nai.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 sophos.com
- 127.0.0.1 symantec.com
- 127.0.0.1 t35.com
- 127.0.0.1 t35.net
- 127.0.0.1 trendmicro.com
- 127.0.0.1 update.symantec.com
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 viruslist.com
- 127.0.0.1 virustotal.com
- 127.0.0.1 www.avp.com
- 127.0.0.1 www.ca.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 www.grisoft.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 www.microsoft.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 www.networkassociates.com
- 127.0.0.1 www.oxyd.fr
- 127.0.0.1 www.pandasoftware.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 www.symantec.com
- 127.0.0.1 www.t35.com
- 127.0.0.1 www.t35.net
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 www.viruslist.com
- 127.0.0.1 www.virustotal.com
Method of Infection
Installation
Upon execution, the worm copies itself several times to the victim machine. The following two copies are always made:
- %WinDir%\msdefr.exe
- %WinDir%\nb32ext2.exe
Additional copies may also be made with one of the following filenames:
- %WinDir%\services.exe
- %WinDir%\winlogon.exe
- %WinDir%\csrss.exe
- %WinDir%\smss.exe
System startup is hooked via addition of the following Registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "helloworld" = nb32ext2.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "RPCserv32g" = %WinDir%\services.exe
Additionally, the following value is modified to run the worm at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
From:
- %SysDir%\userinit.exe,
To:
- %SysDir%\userinit.exe,%WinDir%\services.exe,
(where %SysDir% is the Windows system directory, for example: c:\windows\system32)
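A read-only host-triage check for the installation and symptom indicators described above (the dropped copies, the startup values, the Userinit change, the firewall policy values and the HOSTS entries), as an added PowerShell example that is not McAfee's code or part of the original description. It assumes the CurrentControlSet paths, the default HOSTS location and an elevated session; the filenames, value names and value format are taken from this description.

```powershell
# Added triage script (not McAfee's code): read-only checks for the
# indicators listed in this description. Run in an elevated PowerShell.
$findings = @()
# 1. Dropped copies the description says are always made
foreach ($name in 'msdefr.exe', 'nb32ext2.exe') {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path $path) { $findings += "Dropped file present: $path" }
}

# 2. Startup hooks: the Run / RunServices value names the worm uses
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$hooks = @{ RunServices = 'helloworld'; Run = 'RPCserv32g' }
foreach ($sub in $hooks.Keys) {
    $name = $hooks[$sub]
    $item = Get-ItemProperty -Path "$cv\$sub" -Name $name -ErrorAction SilentlyContinue
    if ($item) { $findings += "Startup value $cv\$sub\$name = $($item.$name)" }
}

# 3. Userinit: anything beyond the stock userinit.exe entry is suspect
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$extra = @("$userinit" -split ',' | ForEach-Object { $_.Trim() } |
           Where-Object { $_ -and $_ -notmatch '\\userinit\.exe$' })
if ($extra.Count) { $findings += "Userinit carries extra entries: $($extra -join ', ')" }

# 4. Firewall policy: EnableFirewall forced to 0, or an exception for an
#    executable sitting directly in %WinDir%, where the worm drops its copies
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$winRootExe = '^' + [regex]::Escape($env:WINDIR) + '\\[^\\]+\.exe:'
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $pk = "$fw\$profile"
    $ef = (Get-ItemProperty -Path $pk -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($ef -eq 0) { $findings += "EnableFirewall is 0 under $pk" }
    $list = Get-ItemProperty -Path "$pk\AuthorizedApplications\List" -ErrorAction SilentlyContinue
    $props = if ($list) { $list.PSObject.Properties } else { @() }
    foreach ($prop in $props) {
        if ("$($prop.Value)" -match $winRootExe) { $findings += "Firewall exception: $($prop.Value)" }
    }
}

# 5. HOSTS: 127.0.0.1 entries for names other than localhost are how the
#    worm blocks the vendor update sites listed under Symptoms
$hosts = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
foreach ($line in @(Get-Content $hosts -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost') {
        $findings += "HOSTS maps $($Matches[1]) to loopback"
    }
}
if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { 'No listed indicators found' }
```

Any hit is a lead for review rather than a verdict; a firewall disabled by legitimate policy or a deliberately edited HOSTS file will also be reported.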
MS05-039 Propagation
The worm generates random IP addresses in order to find remote machines to infect.
Mail Propagation
Target email addresses are harvested from files on the victim machine; files with the following extensions are searched:
- asp
- cgi
- dbx
- dht
- eml
- htm
- html
- jsp
- mbx
- mht
- msg
- php
- sht
- stm
- tbb
- uin
- wab
The worm may also retrieve addresses from the Windows address book, temporary internet folders and files within the user documents.
Outgoing messages are constructed using the worm's own SMTP engine. Variable subject lines, message bodies and attachment filenames may be used. The attachment filename may contain two file extensions, with multiple spaces between them.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Backdoor.Win32.Surila.x (AVP)
- W32.Bobax.AF@mm (Symantec)
- W32/MyDoom-Gen (Sophos)
- Win32/MyDoom.79936!Worm (CA)
- WORM_BOBAX.AD (Trend)