Name: Win32.Mydoom.b
Threat Level:
Alias: Win32.Mydoom.b, W32.Mydoom.B@mm, Mydoom.B, W32/Mydoom.b@MM, WORM_MYDOOM.B, Win32.Mydoom.B
Date: 28 January, 2004
Type: Win32, Worm, Trojan
Damage: Create files, Send Email, Remote control
Platform: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP

Analysis
Win32.Mydoom.b is a mass-mailing worm that opens a back door on infected machines and attempts to initiate a DoS (Denial of Service) attack on www.microsoft.com.

Microsoft recently released a utility that cleans systems infected by the MyDoom worm (all current versions). The cleaner and additional information are available here.

The arriving email will have the following characteristics:
Sender: The sender of this message is usually NOT the person responsible for the infection - this information is falsely generated by the worm.


Subject: The subject of this mail will be any one of the following:

Delivery Error
hello
hi
Mail Delivery System
Mail Transaction Failed
Returned mail
Server Report
Status



Message body: The body of this mail will be one of the following:

- Error #804 occured during SMTP session. Partial message has been received.
- Mail transaction failed. Partial message is available.
- sendmail daemon reported:
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains MIME-encoded graphics and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.



Attached File: The attachment will have one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip


Malicious activity
When the worm is executed, it does the following:

1. It drops the file ctfmon.dll to the default System folder. This file opens TCP listening ports 3127 through 3198. This backdoor may allow a remote attacker to gain unauthorized access to infected systems.

2. In order to run on every startup, the worm creates the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = "sysdir\ctfmon.dll"


This ensures the backdoor component runs whenever Windows Explorer is executed. It also creates:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Explorer" = "sysdir\Explorer.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Explorer" = "sysdir\Explorer.exe"


These entries ensure Windows Explorer executes whenever Windows is restarted, which in turn loads the backdoor DLL through the CLSID entry above.

3. The worm also includes a hard-coded list of sites to which it blocks access on infected machines.

4. It will then attempt to perform a DoS attack on www.microsoft.com.

5. Finally, the worm harvests email addresses from files with the following extensions and sends itself to those addresses using its own SMTP engine:

.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab



eSafe Users
eSafe users are protected against this vandal using the latest vandal/virus update.

A new vandal/virus update is available.
Update date: 28 January 2004
Update version: EV114-SV285

eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product eConsole.

New Users
More information about eSafe Content Security Products as well as trial versions is available from here.