[<prev] [next>] [day] [month] [year] [list]
Message-ID: <TA04-028A.2684AA7__36137.4579290443$1075776977@us-cert.gov>
Date: Wed, 28 Jan 2004 19:12:09 -0500
From: CERT Advisory <cert-advisory@...t.org>
To: US-CERT Community: ;
Subject: US CERT Technical Alert TA04-028A MyDoom.B Rapidly Spreading
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MyDoom.B Rapidly Spreading
Mydoom.B is a new variant of the Mydoom worm and is about 29,184
bytes. This variant attempts to perform a Distributed Denial of
Service (DDoS) attack against Microsoft.com. Details regarding this
new worm are still emerging, but it has been validated as spreading in
the wild. Facts about the worm will be further qualified with follow
up reports following this initial analysis.
For the latest information about this worm from US-CERT, readers are
encouraged to visit http://www.us-cert.gov/cas/techalerts/TA04-028A.html.
E-mails sent out by Mydoom.B are highly randomized. The From address
may be spoofed to include one of the following domains: aol.com,
msn.com, yahoo.com and hotmail.com. A randomized string value may then
be combined with these to generate new e-mails. This may result in
overload e-mail servers with many false addresses and auto-replies
associated with such traffic.
The subject is randomized to include one of the following
following:
* Delivery Error
* hello
* Error
* Mail Delivery System
* Mail Transaction Failed
* Returned mail
* Server Report
* Status
* Unable to deliver the message
The subject may also contain randomized data as seen in a recent live
sample: "RE: I still love you fLctv".
The message body is also randomized to include one of the
following:
* RANDOMIZED CHARACTERS
* test
* The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
* sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received.
* The message contains Unicode characters and has been sent as a
binary attachment.
* The message contains MIME-encoded graphics and has been sent as a
binary attachment.
* Mail transaction failed. Partial message is available.
The attachments have a randomized filename selected from one of the
following string values:
* body
* doc
* text
* document
* data
* file
* readme
* message
The randomized string value is then combined with a randomized
extension: .exe, .bat, .scr, .cmd or .pif. If the malicious attachment
is executed, it then opens notepad.exe and displays garbled data
(binary).
Once executed, the worm attempts to create the following files in the
Windows System directory: explorer.exe and dtfmon.dll. The Windows
registry is then modified to run the worm in memory upon Windows
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Explorer=C:WINDOWS SYSTEM DIRECTORY\explorer.exe
The DLL component is associated with a backdoor feature of this worm.
It is likely that this Trojan worms like the one in Mydoom.A. It scans
through a range of TCP addresses looking for inbound TCP traffic.
Inbound TCP traffic can be used to configure the infected computer as
a proxy computer or to install code of choice on the infected
computer. More importantly, attackers are already working on tools to
hijack Mydoom infected computers to install code of choice.
The DDoS attack of Mydoom.B is against www.microsoft.com. There is
information claiming that it may also be directed at sco.com, but this
is unsubstantiated at this time. It appears that the more credible
data is that it only performs a DDoS attack against www.microsoft.com,
though a previosu version of the virus is confirmed to attack SCO.
To spread over the KaZaA P2P network, Mydoom.B creates copies of
itself in the KaZaA shared directory with randomized filenames.
Filenames include:
* attackXP-1.26
* BlackIce_Firewall_Enterpriseactivation_crack
* MS04-01_hotfix
* NessusScan_pro
* icq2004-final
* winamp5
* xsharez_scanner
* zapSetup_40_148
A randomized extension is then added to the filename selected above,
being .exe, .scr, .pif or .bat.
Mydoom.B attempts to harvest e-mails from Temporary Internet files as
well as via randomized e-mails aforementioned. It does not include any
e-mails containing the following strings: abuse, accoun, certific,
listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste,
submit, help, service, privacy, somebody, soft, contact, site, rating,
bugs, your, someone, anyone, nothing, nobody, noone, webmaster,
postmaster, support, samples, info, root, ruslis, nodomai, mydomai,
example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda,
icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur,
isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet,
fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix,
berkeley and spam.
Mydoom.B also opens TCP port 10080. The worm contains the following
string: "sync-1.01; andy; I'm just doing my job, nothing personal,
sorry".
Alias: Mydoom, Novarg, Mydoom.B
Sources:
F-Secure Corp. (http://www.f-secure.com/v-descs/mydoom_b.shtml),
Jan. 28, 2004
Bit Defender
(http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186),
Jan. 28, 2004
iDEFENSE Intelligence Operations, Jan. 28, 2004 Sensible Security
Solutions Inc. (http://www.sss.ca/), Jan. 28, 2004
According to iDEFENSE, this new variant of Mydoom appears to have
different MIMI data for malicious e-mails. The content type appears to
be plain text and includes a ZIP extension. Mydoom.A had a content
type of application/octet-stream and multipart/mixed data. It is
likely that this newest variant of Mydoom will become very widespread
in the wild. The first variant had well over 3M interceptions by just
two sources in the first 18 hours of the outbreak.
Look for questionable files about 29,184 bytes. Look for notepad.exe
to be opened, displaying binary data (garbled text). Also look for the
Windows registry created by the worm.
Recovery: Remove all files and the Windows registry key modifications
associated with this malicious code threat. Restore corrupted or
damaged files with clean backup copies.
Workaround: Configure e-mail servers and workstations to block file
types commonly used by malicious code to spread to other computers.
Block ZIP and executable extensions on the gateway and groupware
level. Also monitor traffic on the network and block ports associated
with Mydoom, especially inbound TCP ports for the backdoor Trojan
component and the outbound TCP 10080 port data. Administrators may
also find value in monitoring traffic associated with the DDoS
component. Carefully manage all new files, scanning them with updated
anti-virus software using heuristics prior to use.
Vendor Fix: Anti-virus vendors will likely release updated signature
files to protect against this malicious code in the near future. Some
anti-virus applications may detect this malicious code heuristically.
Name of Malicious Code: Mydoom.B
Aliases:
Mydoom.B
Mydoom
Novarg
Size in Bytes: 29184
Subjects: RE: I still love you fLctv
Body: Error 551: We are sorry your UTF-8 encoding is not supported
by the server, so the text was automatically zipped and attached to
this message.
Attachments: message.zip
This document was developed based on material contributed by iDEFENSE.
Our thanks for their contribution.
Last updated January 28, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAGEufXlvNRxAkFWARAjEOAJ92cfCtcUVX+/6CGoRwGj7mIbxhzQCg0mdJ
/ip1ThurA7opfYb0JUET2UI=
=j+iB
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists