W32/MyDoom.B Virus
Original issue date: January 28, 2004
Last revised: February 2, 2004
Systems Affected
- Systems running Microsoft Windows
Overview
US-CERT has received reports of a mass-mailing virus known as W32/MyDoom.B.
A variant of the W32/MyDoom (W32/Novarg.A) virus has been identified that infects Microsoft Windows systems. This variant is called W32/MyDoom.B. Like its predecessor, W32/MyDoom.B propagates via email and P2P networks and requires that a user intentionally run an executable file in order to infect a system.
W32/MyDoom.B may be designed to cease functioning on March 1, 2004.
Identifying Characteristics
When W32/MyDoom.B is executed, it may show garbled text (random bytes) in notepad.exe or it may display a bogus memory error dialog.
Email messages
The following text may appear in an email message carrying the virus.
From: field
In at least some cases, W32/MyDoom.B spoofs the From: address using {random_string}@{aol, msn, yahoo, hotmail}.com.
Subject: field
Body
The message body may include one of the following:
[random characters]
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment
The attachment may be named {body, doc, text, document, data, file, readme, message}.{exe, bat, scr, cmd, pif}.
P2P file sharing networks
On P2P networks, W32/MyDoom.B may appear as a file named {attackXP-1.26,
BlackIce_Firewall_Enterpriseactivation_crack, MS04-01_hotfix, NessusScan_pro, icq2004-final, winamp5,
xsharez_scanner, zapSetup_40_148}.{exe, scr, pif, bat}.
File System and Registry Modifications
As part of its infection routine, W32/MyDoom.B attempts to create files and add entries to the Windows registry. Depending on the privileges of the user executing the virus, these changes may not be permitted.
- The virus creates two files (explorer.exe and ctfmon.dll) in the Windows system directory (%windir%\system32 on Windows NT/2000/XP, %windir%\system on Windows 95/98/ME). explorer.exe is the main virus executable, and ctfmon.dll provides backdoor functionality. explorer.exe uses a custom icon that resembles a text file. Note that the legitimate Windows Explorer shell binary, also named explorer.exe, exists in the Windows directory (%windir%) and that ctfmon.exe is a legitimate Microsoft Office XP binary that is installed in the Windows system directory.
- The virus overwrites the hosts file (%windir%\system32\drivers\etc\hosts on Windows NT/2000/XP, %windir%\hosts on Windows 95/98/ME) to prevent DNS resolution for a number of sites, including several antivirus vendors:
127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0 0.0.0.0
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
0.0.0.0 www.symantec.com symantec.com service1.symantec.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 support.microsoft.com downloads.microsoft.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net
0.0.0.0 www.microsoft.com
On February 3, 2004, W32/MyDoom.B removes the entry for www.microsoft.com.
Information about these files for at least one sample of W32/MyDoom.B is as follows:
File Name                        Size          MD5 Sum
explorer.exe                     29,184 bytes  cc6e6aa338385fbb0a005ba3d3e060f3
ctfmon.dll                       6,144 bytes   1a6b3aef25226861245adc1a93ce161c
hosts (before Feb 3 2004)        1,464 bytes   b954a35fc0cf35a38edf1ac4cef84756
hosts (on and after Feb 3 2004)  1,435 bytes   349401796319849b7748dabe0120104f
- The virus copies itself to a shared P2P directory (typically \Program Files\KaZaA\My Shared Folder). This copy of the virus may be named {attackXP-1.26, BlackIce_Firewall_Enterpriseactivation_crack, MS04-01_hotfix, NessusScan_pro, icq2004-final, winamp5, xsharez_scanner, zapSetup_40_148}.{exe, scr, pif, bat}.
- The virus modifies the registry to execute the virus when a user logs on and to reference the backdoor component.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\WINDOWS\system32\explorer.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="%SystemRoot%\System32\ctfmon.dll" (REG_EXPAND_SZ)
This value is normally set to %SystemRoot%\System32\webcheck.dll (REG_EXPAND_SZ).
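The hosts-file and registry indicators above can be checked offline with a script such as the following. This is an added example, not tooling from the US-CERT advisory; the hosts text and registry values it contains are constructed samples, and the functions take their input as arguments so real data exported from a suspect system can be passed in instead.

```python
import re

SINKHOLES = {"0.0.0.0", "127.0.0.1"}          # addresses the virus points vendor names at
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "lo"}
IGNORED_NAMES = LOCAL_NAMES | SINKHOLES
EXPECTED_INPROCSERVER32 = r"%SystemRoot%\System32\webcheck.dll"   # normal value per the advisory
RUN_VALUE_RE = re.compile(r"\\system32\\explorer\.exe$", re.IGNORECASE)


def blackholed_hosts(hosts_text):
    """Return hostnames the hosts file maps to a sinkhole address (loopback names excluded)."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLES:
            found.extend(n for n in names if n not in IGNORED_NAMES)
    return found


def registry_findings(run_values, inprocserver32_value):
    """Flag the Run entry and the hijacked CLSID InProcServer32 value described above.

    run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run
    inprocserver32_value: default value of the {E6FB5E20-...} InProcServer32 key
    """
    findings = []
    for name, data in run_values.items():
        if RUN_VALUE_RE.search(data):          # the real shell lives in %windir%, not system32
            findings.append(f"Run value {name!r} launches {data}")
    if inprocserver32_value.lower() != EXPECTED_INPROCSERVER32.lower():
        findings.append(f"InProcServer32 is {inprocserver32_value}, expected {EXPECTED_INPROCSERVER32}")
    return findings


# Constructed sample input shaped like an infected system (not data captured from a real host).
SAMPLE_HOSTS = """127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0 0.0.0.0
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com
0.0.0.0 www.microsoft.com
"""
SAMPLE_RUN = {"Explorer": r"C:\WINDOWS\system32\explorer.exe"}
SAMPLE_INPROC = r"%SystemRoot%\System32\ctfmon.dll"

if __name__ == "__main__":
    print(blackholed_hosts(SAMPLE_HOSTS))
    print(registry_findings(SAMPLE_RUN, SAMPLE_INPROC))
```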
Network Activity
In addition to file system and registry changes, W32/MyDoom.B generates network traffic and installs a backdoor.
- In its mass-mailing capacity, W32/MyDoom.B harvests email addresses from an infected system and attempts to deliver itself using a self-contained SMTP engine. A notable secondary effect is that antivirus scanners on email servers frequently generate automatic responses to infected messages, and in some cases these responses also contain the virus. These messages may in turn generate non-delivery reports and bounce messages since the virus frequently spoofs the From: address.
The virus ignores email addresses containing strings in {abuse, accoun, certific, listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste, submit, help, service, privacy, somebody, soft, contact, site, rating, bugs, your, someone, anyone, nothing, nobody, noone, webmaster, postmaster, support, samples, info, root, ruslis, nodomai, mydomai, example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda, icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur, isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet, fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix, berkeley, spam}.
- The backdoor component (ctfmon.dll) opens the first available TCP port in {1080, 3128, 80, 8080, 10080}. The virus may accept commands, execute additional code, or act as a TCP proxy (think SPAM).
- The virus scans for systems listening on 3127/TCP (possibly 3127-3198). While the purpose of this scanning is unclear, it may be an attempt to contact systems infected with the initial version of MyDoom (W32/Novarg.A).
- The virus appears to be designed to launch distributed denial-of-service (DDoS) attacks against www.sco.com on February 1, 2004 and against www.microsoft.com on February 3, 2004. W32/MyDoom.B removes the www.microsoft.com entry from the hosts file on February 3, 2004.
Network traffic generated by W32/MyDoom.B (scanning, email, DDoS) may cause collateral denial-of-service
conditions in networks where a significant number of systems are infected, large volumes of virus-related email
are handled, or DDoS traffic is aggregated.
Solutions
For System and Network Administrators
Filter network traffic
W32/MyDoom.B opens a listening TCP port on one of {1080, 3128, 80, 8080, 10080}. Limited testing indicates that the virus scans for port 3127/TCP. Sites should consider blocking both
inbound and outbound traffic to these ports, depending on network requirements, at the host and network level.
If access cannot be blocked for all external hosts, limit access to only those hosts that require it for normal operation. As a general best security practice, filter all network traffic that is not required for normal operation.
Infected systems may be detected by outbound TCP flows to port 3127 (possibly 3127-3198) or open TCP ports on {1080, 3128, 80,
8080, 10080}. Other symptoms of infection could be increased CPU load or increased outbound SMTP traffic.
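Detection logic for the network symptoms listed above, run over constructed flow records. This is an added example, not part of the advisory; the 192.0.2.0/24 internal range, the known_servers allow-list and the scan threshold are assumptions, and it goes slightly beyond the text by treating a web server's inbound port-80 traffic as expected rather than as an indicator.

```python
from collections import defaultdict

BACKDOOR_PORTS = {1080, 3128, 80, 8080, 10080}   # listener ports named in the advisory
SCAN_PORTS = range(3127, 3199)                   # 3127/TCP, possibly 3127-3198
SCAN_THRESHOLD = 8                               # assumed: distinct targets before calling it a scan


def parse_flows(text):
    """Parse one TCP flow per line: 'src_ip src_port dst_ip dst_port'."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            flows.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return flows


def suspects(flows, internal_prefix="192.0.2.", known_servers=frozenset()):
    """Return {internal host: [reasons]} for hosts showing MyDoom.B network behaviour.

    known_servers lists internal hosts that legitimately listen on 80/8080 etc.;
    a web server accepting inbound port 80 is not an indicator on its own.
    """
    scan_targets = defaultdict(set)
    inbound_ports = defaultdict(set)
    for src, _sport, dst, dport in flows:
        if src.startswith(internal_prefix) and dport in SCAN_PORTS:
            scan_targets[src].add(dst)
        if dst.startswith(internal_prefix) and dport in BACKDOOR_PORTS and dst not in known_servers:
            inbound_ports[dst].add(dport)
    result = defaultdict(list)
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            result[host].append(f"connected to {len(targets)} hosts on 3127-3198/TCP")
    for host, ports in inbound_ports.items():
        result[host].append(f"accepted inbound connections on {sorted(ports)}")
    return dict(result)


# Constructed sample: one workstation sweeping 3127/TCP and accepting an inbound
# connection on 3128, plus a legitimate web server receiving port-80 traffic.
SAMPLE_LOG = "\n".join(f"192.0.2.10 {1030 + i} 198.51.100.{i} 3127" for i in range(1, 10)) + """
192.0.2.10 1045 198.51.100.50 25
203.0.113.7 44321 192.0.2.10 3128
203.0.113.8 51234 192.0.2.30 80
"""

if __name__ == "__main__":
    print(suspects(parse_flows(SAMPLE_LOG), known_servers={"192.0.2.30"}))
```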
Filter email on servers
Scan email for viruses or use the functionality of various mail transfer agents (MTAs) to block email with the
characteristics of W32/MyDoom.B. Consider the impacts of false positives,
increased complexity, and increased server loads before making changes to production systems.
Also, consider disabling automatic response messages to the apparent senders of infected messages. At minimum, make sure that responses DO NOT return the virus attachment.
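MTA-side matching on the message characteristics from the Identifying Characteristics section, as an added example that is not the advisory's own tooling. It parses MIME with Python's standard email package; the sample message is constructed, and the phrase list is taken from the body texts listed above.

```python
import email
import re
from email import policy

# Body phrases and attachment naming pattern from the advisory.
BODY_PHRASES = (
    "has been sent as a binary attachment",
    "Mail transaction failed. Partial message is available.",
    "sendmail daemon reported: Error #804 occured during SMTP session",
)
ATTACHMENT_RE = re.compile(
    r"^(body|doc|text|document|data|file|readme|message)\.(exe|bat|scr|cmd|pif)$",
    re.IGNORECASE,
)


def mydoom_b_indicators(raw_message):
    """Return the list of W32/MyDoom.B characteristics found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for phrase in BODY_PHRASES:
        if phrase.lower() in text.lower():
            hits.append(f"body text: {phrase!r}")
    for part in msg.iter_attachments():       # only multipart messages yield attachments
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name: {name}")
    return hits


def should_quarantine(raw_message):
    """Policy hook: quarantine rather than bounce, so no auto-response carries the attachment."""
    return bool(mydoom_b_indicators(raw_message))


# Constructed sample message; the attachment payload is a placeholder, not virus code.
SAMPLE_MESSAGE = b"""From: abc123@hotmail.com
To: user@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

TVqQAAMA
--b1--
"""
```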
For Users
Do not run programs of unknown origin
Never download, install, or run a program unless you know it to be
authored by a person or company that you trust. Email users should be
wary of unexpected attachments, and users of P2P file-sharing services
should be wary of executable files obtained from other users.
Run and maintain an antivirus product
While an up-to-date antivirus software package cannot protect
against all malicious code, for most users it remains the best
first line of defense against malicious code attacks. Users may wish
to read IN-2003-01 for more information on
antivirus software and security issues.
In order to detect recently released viruses such as W32/MyDoom.B,
it is crucial to maintain updated virus signatures. Many antivirus
packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when available.
Most antivirus software vendors release updated virus signatures,
removal tools, and information to help detect and recover from
malicious code, including W32/MyDoom.B.
A partial list
of antivirus vendors is available on the CERT/CC web site.
Recovery
Identify and terminate the virus process (explorer.exe) using the Windows Task
Manager, taskkill.exe (Windows XP), tlist.exe and kill.exe (Windows NT/2000 Resource Kit), or a third party utility. Remove the files and
registry entries created by the virus. Restore or recreate the hosts file.
Alternatively, use a specific W32/MyDoom.B removal tool from an antivirus vendor.
Appendix A. References
Reporting
US-CERT is tracking activity related to this worm as
CERT#25304. Relevant artifacts or activity reports can be sent to <cert@cert.org> with the appropriate CERT#25304 in the subject field.
This document was developed based on material contributed by iDEFENSE.
iDEFENSE Intelligence Operations - http://www.idefense.com/
F-Secure Corporation - http://www.f-secure.com/v-descs/mydoom_b.shtml
Bit Defender - http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186
Sensible Security Solutions Inc. - http://www.sss.ca/
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
January 28, 2004: Initial release
January 28, 2004: Updated registry reference, fixed typos, added hosts file information
January 30, 2004: Updated document structure and language
February 2, 2004: Updated hosts file and www.microsoft.com information, changed heading formats
Last updated February 08, 2008