W32/Mydoom.cf

Type: Virus
SubType: Worm
Discovery Date: 07/08/2009
Length: Varies
Minimum DAT: 5671 (07/09/2009)
Updated DAT: 5699 (08/05/2009)
Minimum Engine: 5.3.00
Description Added: 07/08/2009
Description Modified: 07/08/2009 7:10 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

This detection is for a variant of the W32/Mydoom virus. This variant may propagate via SMTP.

Upon execution of the virus, the following registry keys are added to the infected host:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ex_
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ex_\OpenWithList
  • HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}
  • HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}\InProcServer32
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NM
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NM\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NM\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nm\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Security

To have its DLL component start automatically, the worm registers WmiConfig as a service hosted by svchost.exe, setting the following values under the keys created above:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "Description"
    Data: Configures and manages performance library information from WMI HiPerf providers.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "DisplayName"
    Data: WMI Performance Configuration
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "ErrorControl"
    Data: [Value]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "ImagePath"
    Data: %SystemRoot%\system32\svchost.exe -k wmiconf
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "ObjectName"
    Data: LocalSystem
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "Start"
    Data: [Value]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig "Type"
    Data: [Value]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters "ServiceDll"
    Data: %WinDir%\System32\wmiconf.dll

An attempt is made to update certain network-capable DLLs if they are not the expected version. These may include:

  • %WinDir%\system32\drivers\npf.sys
  • %WinDir%\system32\Packet.dll
  • %WinDir%\system32\WanPacket.dll
  • %WinDir%\system32\npptools.dll
  • %WinDir%\system32\wpcap.dll

The following files are dropped on the host: a list of URLs to contact, a copy of the worm itself, and its DLL component:

  • %WinDir%\system32\[random character].nls - detected as "W32/Mydoom!txt"
  • %WinDir%\system32\wmcfg.exe - detected as "W32/Mydoom.cf"
  • %WinDir%\system32\wmiconf.dll - detected as "W32/Mydoom.cf.dll"
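As an added example (not McAfee's tooling), the following Python performs an offline triage of a registry export and a file listing for the persistence artefacts listed above: the svchost-hosted WmiConfig service, its ServiceDll, and the dropped wmcfg.exe / wmiconf.dll. The registry fragment and the directory listing are constructed samples; the svchost "-k wmiconf" and "ServiceDll" patterns are taken from the values above.

```python
import re

# Constructed sample: the relevant fragment of a "reg export" of the service keys
# listed above.  In .reg syntax, backslashes in string data are doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig]
"DisplayName"="WMI Performance Configuration"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k wmiconf"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters]
"ServiceDll"="%WinDir%\\System32\\wmiconf.dll"
'''
# Constructed sample listing of %WinDir%\system32 (kernel32.dll is benign contrast).
SAMPLE_FILES = [r"C:\Windows\system32\wmcfg.exe",
                r"C:\Windows\system32\wmiconf.dll",
                r"C:\Windows\system32\kernel32.dll"]
DROPPED_NAMES = {"wmcfg.exe", "wmiconf.dll"}  # dropped-file names from the advisory

def parse_reg(text):
    """Parse [key] headers and "name"="string" lines of a .reg export into
    {key_path: {value_name: data}}; only REG_SZ values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # undo .reg escaping: \\ -> \ and \" -> "
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_indicators(reg_text, files):
    """Return one finding per W32/Mydoom.cf persistence artefact observed."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if re.search(r"\\Services\\WmiConfig$", key, re.I):
            image = values.get("ImagePath", "")
            if re.search(r"svchost\.exe\s+-k\s+wmiconf$", image, re.I):
                findings.append(f"svchost-hosted WmiConfig service: {key}")
        elif re.search(r"\\Services\\WmiConfig\\Parameters$", key, re.I):
            dll = values.get("ServiceDll", "")
            if dll.lower().endswith("\\wmiconf.dll"):
                findings.append(f"ServiceDll points at wmiconf.dll: {dll}")
    for path in files:  # match on the file name only, whatever the drive or path
        if path.lower().rsplit("\\", 1)[-1] in DROPPED_NAMES:
            findings.append(f"dropped file present: {path}")
    return findings
```

The key match is anchored on the Services\WmiConfig suffix, so it also fires for the ControlSet001 copies of the keys listed above.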


Contact may be made with the following addresses to download further malware components:

  • 213.33.[Removed]
  • 216.199.[Removed]
  • 213.023.[Removed]

Symptoms

The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

-- Update July 8, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.msnbc.msn.com/id/31789294/ns/technology_and_science-security/

--

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.