Name: Win32.Mydoom.a
Threat Level:
Alias: Win32.Mydoom.a, W32.Novarg.A@mm, W32/Mydoom@MM, WORM_MIMAIL.R
Date: 26 January, 2004
Type: Win32, Worm, Trojan
Damage: Send Email, Create files, Remote control
Platform: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Analysis

Win32.Mydoom.a is a mass-mailing worm which uses its own SMTP engine to spread. The worm also opens a backdoor on infected systems, performs a DoS (Denial of Service) attack and has an expiration date.

Microsoft recently released a utility that cleans systems infected by the MyDoom worm (all current versions). The cleaner and additional information are available here.

The arriving email will have the following characteristics:

Sender: The sender information is falsely generated by the worm (spoofed).

Subject: The subject of this mail will usually be pre-generated by the virus from an internal list of subjects.

Message body: The body of this mail will usually be pre-generated by the virus from an internal list of mail bodies. The message may display a fake encoding-related error message.

Attached File: Random filename with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip

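The carrier profile above (spoofed sender, canned subject and body, and an attachment that is either a direct executable or a .zip wrapping one) is what a mail gateway filter keys on. The following Python is an added example and is not part of this advisory or of any eSafe product: it walks a MIME message, flags attachments with the listed executable extensions, and opens a .zip attachment in memory to check its member names. The sample messages, the hypothetical function names and the example.invalid addresses are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Attachment extensions listed above for the worm's carrier message.
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
ARCHIVE_EXTS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension of a filename ('' if it has none)."""
    name = name.strip().lower()
    return name[name.rfind("."):] if "." in name else ""


def risky_attachments(raw_message: bytes):
    """Return (attachment name, reason) pairs for attachments matching the profile.
    A .zip is inspected in memory only; nothing is written to disk or executed."""
    findings = []
    for part in email.message_from_bytes(raw_message).walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = _ext(filename)
        if ext in EXECUTABLE_EXTS:
            findings.append((filename, "executable attachment " + ext))
        elif ext in ARCHIVE_EXTS:
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for member in archive.namelist():
                        if _ext(member) in EXECUTABLE_EXTS:
                            findings.append((filename, "archive contains " + member))
            except zipfile.BadZipFile:
                # An undecodable archive is still worth holding for review.
                findings.append((filename, "unreadable .zip attachment"))
    return findings


def make_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory zip with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, data)
    return buf.getvalue()


def build_sample(attachment_name: str, payload: bytes) -> bytes:
    """Constructed sample message: spoofed sender, short body, one attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Error"
    msg.set_content("The message could not be displayed because of an encoding error.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("invoice.zip", make_zip("readme.exe", b"MZ"))
    print(risky_attachments(sample))
```

Only the attachment name and the archive's member names are examined; the archive is never extracted, so a filter built this way can quarantine a message for review without touching its contents.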

Malicious activity
When the archived file is executed it does the following:

1. Initially, the worm drops a file called message in the default Temp directory in Windows. The worm launches Notepad and displays this file, which contains random characters and symbols. This is possibly intended to convince the person opening the attachment that it is benign.

2. The worm then drops two copies of itself in the background, into the default System folder. The filenames are:

shimgapi.dll
taskmon.exe


The file shimgapi.dll is detected by eSafe as Win32.Mydoom.a.dll.

Another copy will be dropped as follows:
c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr

3. In order to execute whenever Windows restarts, the worm adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = "sysdir\taskmon.exe"

or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = "sysdir\taskmon.exe"


and

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = "sysdir\shimgapi.dll"


Note: sysdir refers to the default location of the System folder.

4. The worm is capable of performing a DoS (Denial of Service) attack against www.sco.com. This attack is scheduled to take place between February 1, 2004 and February 12, 2004.

5. The worm then scans the system and sends itself to all addresses found using its own SMTP engine. The file types scanned are:

adb
asp
dbx
htm
php
pl
sht
tbb
txt
wab


Note: Addresses that end with the .edu suffix will be ignored.

6. The worm then drops several copies of itself into the default KaZaA download folder as bat, exe, pif or scr files with the following names:

activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5


7. Finally, the worm opens TCP ports 3127 through 3198 for listening. Through those ports a remote attacker can gain unauthorized access to the infected machine.
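The dropped files (steps 2 and 6), the autostart and CLSID entries (step 3) and the listening ports (step 7) are host indicators a responder can check. The following Python is an added example, not part of this advisory or of any eSafe tool. To stay runnable off the infected machine it parses text in the shape of a registry export (.reg format) and of netstat -an output instead of querying a live system; the sample export, the sample netstat listing, the System32 path and the function names are constructed assumptions.

```python
"""Host indicator checks for the artifacts listed in steps 2, 3, 6 and 7.
Added example; inputs are constructed text, not data from a live system."""

# Filenames dropped into the System folder (step 2).
SYSDIR_DROPS = {"shimgapi.dll", "taskmon.exe"}

# Names and extensions of the copies dropped into the KaZaA folder (step 6).
KAZAA_NAMES = {
    "activation_crack", "icq2004-final", "nuke2004", "office_crack",
    "rootkitxp", "strip-girl-2.0bdcom_patches", "winamp5",
}
KAZAA_EXTS = {".bat", ".exe", ".pif", ".scr"}

# Autostart keys and the hijacked CLSID from step 3 (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
HIJACKED_CLSID = r"hkey_classes_root\clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32"

# Backdoor listener range from step 7 (3127 through 3198 inclusive).
BACKDOOR_PORTS = range(3127, 3199)


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="string" lines, where @ is the default value.
    Returns {(key_lower, name_lower): (name, value)}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and "=" in line:
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            val = val.strip().strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
            values[(key, name.lower())] = (name, val)
    return values


def check_registry(export_text):
    """Report Run entries and the CLSID InProcServer32 value that point at the dropped files."""
    findings = []
    for (key, name_l), (name, val) in parse_reg_export(export_text).items():
        target = val.lower().rsplit("\\", 1)[-1]
        if key in RUN_KEYS and name_l == "taskmon" and target == "taskmon.exe":
            findings.append(f"{name} in Run -> {val}")
        if key == HIJACKED_CLSID and name_l == "(default)" and target == "shimgapi.dll":
            findings.append(f"InProcServer32 -> {val}")
    return findings


def check_listeners(netstat_text):
    """Return TCP ports in the backdoor range that are in LISTENING state."""
    ports = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[-1].upper() == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[-1])
            if port in BACKDOOR_PORTS:
                ports.append(port)
    return sorted(ports)


def check_paths(paths):
    """Return the paths whose base name matches a dropped-file name from step 2 or 6."""
    hits = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SYSDIR_DROPS:
            hits.append(path)
        elif "." in base:
            stem, ext = base.rsplit(".", 1)
            if stem in KAZAA_NAMES and "." + ext in KAZAA_EXTS:
                hits.append(path)
    return hits


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
"Tray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        192.0.2.20:25          ESTABLISHED
"""

SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\taskmon.exe",
    r"C:\WINDOWS\System32\shimgapi.dll",
    r"C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr",
    r"C:\WINDOWS\System32\notepad.exe",
]


def run_checks(reg=SAMPLE_REG, netstat=SAMPLE_NETSTAT, paths=SAMPLE_PATHS):
    """Run all three checks and group the findings by artifact type."""
    return {"registry": check_registry(reg),
            "ports": check_listeners(netstat),
            "files": check_paths(paths)}


if __name__ == "__main__":
    for category, hits in run_checks().items():
        print(category, hits)
```

The registry check matches on the value's target filename rather than on the full path, because the System folder location differs between the Windows versions listed above; the port check keys on LISTENING state so that ordinary outbound connections in the same numeric range are not reported.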

eSafe Users
eSafe users are protected against this vandal using the latest vandal/virus update.

A new vandal/virus update is available.
Update date: 26 January 2004
Update version: EV114-SV282

eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product eConsole.

New Users
More information about eSafe Content Security Products as well as trial versions is available from here.