Content

W32/Mydoom.be@MM

Type
Virus
SubType
E-mail
Discovery Date
02/20/2005
Length
varies
Minimum DAT
4431 (02/21/2005)
Updated DAT
4748 (04/25/2006)
Minimum Engine
5.1.00
Description Added
02/20/2005
Description Modified
02/25/2005 11:48 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update February 25, 2005 --
 The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- 
-- Update 21st Feb 2005 --

Due to increased prevalence, the risk assessment of this threat has been raised to MEDIUM. The specified DAT files will be released early to address this threat.

If you think that you may be infected with W32/Mydoom.be@MM , and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note:
Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

--

This variant W32/Mydoom is similar to previous variants, it bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • downloads the BackDoor-CEB.f trojan

Mail Propagation

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)

The following display names are used in this case:

  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"

Subject:
 The following subjects are used:

  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body:
 The virus constructs messages from pools of strings it carries in its body.

Attachment:
The attachment may be an EXE file with one of the following extensions:

  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD

It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:

  • ZIP

The attachment may use the target email address name as the filename, in addition to the following:

  • README
  • INSTRUCTION
  • TRANSCRIPT
  • MAIL
  • LETTER
  • FILE
  • TEXT
  • ATTACHMENT
  • DOCUMENT
  • MESSAGE

The attachment may use a double extension, and there may be multiple spaces inserted between the file extensions to deceive users.

An example email message is shown below:

Email Address Harvesting
 Email addresses are harvested from the following file types on the victim machine:

  • DOC
  • TXT
  • HTM
  • HTML

The virus queries four search engines to harvest addresses from the results returned from such queries :

  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com

The virus will also harvest email addresses from any Outlook window that is active on the victim machine.

Email Exclusions
 The virus avoids emailing itself to target domains containing any of the following strings:

  • mailer-d
  • spam
  • abuse
  • master
  • sample
  • accoun
  • privacycertific
  • bugs
  • listserv
  • submit
  • ntivi
  • support
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • not
  • help
  • foo
  • no
  • soft
  • site
  • me
  • you
  • rating
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • info
  • winrar
  • winzip
  • rarsoft
  • sf.net
  • sourceforge
  • ripe.
  • arin.
  • google
  • gnu.
  • gmail
  • seclist
  • secur
  • bar.
  • foo.com
  • trend
  • update
  • uslis
  • domain
  • example
  • sophos
  • yahoo
  • spersk
  • panda
  • hotmail
  • msn.
  • msdn.
  • microsoft
  • sarc.
  • syma
  • avp 

Downloading

This virus attempts to download the BackDoor-CEB.f trojan from the following list of websites:

  • http://www.newgenerationcomics.net/banner/(neutered).jpg
  • http://www.aartanridge.org.uk/YaBBImages/(neutered).gif
  • http://www.eastcoastchoons.co.uk/4play/(neutered).JPG
  • http://www.foxalpha.com/charte/(neutered).jpg
  • http://www.sundayriders.co.uk/images/(neutered).gif
  • http://www.foxalpha.com/charte/(neutered).jpg
  • http://www.hooping.org/archives/(neutered).JPG
  • http://www.ribaforada.net/banners/(neutered).gif
  • ics.net/banner/(neutered).jpg

Symptoms

  Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

  • C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

  • C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "JavaVM" = %WinDir% \JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "Services" = %WinDir% \SERVICES.EXE

The following Registry keys are also added:

  •  HKEY_CURRENT_USER\Software\Microsoft\Daemon
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

Various TCP Ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a highport of the infected machine, to randomly generated IP addresses.  When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

Method of Infection

This worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.

Removal

All Users
Use the latest engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
 Stinger has been updated to assist in detecting and repairing this threat.

Intrushield
 An IntruShield User-Defined Signature (UDS) has been created to detect
this threat and is available for download at:
 
https://mysupport.nai.com/
Knowledgebase Article KB38001
 
Please note: The above knowledgebase article is password protected and
requires your to log into Service Portal before accessing it.

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.MyDoom.BA@mm (Symantec)
  • W32/MyDoom-BC (Sophos)

Characteristics

Characteristics -

-- Update February 25, 2005 --
 The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- 
-- Update 21st Feb 2005 --

Due to increased prevalence, the risk assessment of this threat has been raised to MEDIUM. The specified DAT files will be released early to address this threat.

If you think that you may be infected with W32/Mydoom.be@MM , and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note:
Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

--

This variant W32/Mydoom is similar to previous variants, it bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • downloads the BackDoor-CEB.f trojan

Mail Propagation

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)

The following display names are used in this case:

  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"

Subject:
 The following subjects are used:

  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error

Body:
 The virus constructs messages from pools of strings it carries in its body.

Attachment:
The attachment may be an EXE file with one of the following extensions:

  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD

It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:

  • ZIP

The attachment may use the target email address name as the filename, in addition to the following:

  • README
  • INSTRUCTION
  • TRANSCRIPT
  • MAIL
  • LETTER
  • FILE
  • TEXT
  • ATTACHMENT
  • DOCUMENT
  • MESSAGE

The attachment may use a double extension, and there may be multiple spaces inserted between the file extensions to deceive users.

An example email message is shown below:

Email Address Harvesting
 Email addresses are harvested from the following file types on the victim machine:

  • DOC
  • TXT
  • HTM
  • HTML

The virus queries four search engines to harvest addresses from the results returned from such queries :

  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com

The virus will also harvest email addresses from any Outlook window that is active on the victim machine.

Email Exclusions
 The virus avoids emailing itself to target domains containing any of the following strings:

  • mailer-d
  • spam
  • abuse
  • master
  • sample
  • accoun
  • privacycertific
  • bugs
  • listserv
  • submit
  • ntivi
  • support
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • not
  • help
  • foo
  • no
  • soft
  • site
  • me
  • you
  • rating
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • info
  • winrar
  • winzip
  • rarsoft
  • sf.net
  • sourceforge
  • ripe.
  • arin.
  • google
  • gnu.
  • gmail
  • seclist
  • secur
  • bar.
  • foo.com
  • trend
  • update
  • uslis
  • domain
  • example
  • sophos
  • yahoo
  • spersk
  • panda
  • hotmail
  • msn.
  • msdn.
  • microsoft
  • sarc.
  • syma
  • avp 

Downloading

This virus attempts to download the BackDoor-CEB.f trojan from the following list of websites:

  • http://www.newgenerationcomics.net/banner/(neutered).jpg
  • http://www.aartanridge.org.uk/YaBBImages/(neutered).gif
  • http://www.eastcoastchoons.co.uk/4play/(neutered).JPG
  • http://www.foxalpha.com/charte/(neutered).jpg
  • http://www.sundayriders.co.uk/images/(neutered).gif
  • http://www.foxalpha.com/charte/(neutered).jpg
  • http://www.hooping.org/archives/(neutered).JPG
  • http://www.ribaforada.net/banners/(neutered).gif
  • ics.net/banner/(neutered).jpg

Symptoms

Symptoms -

  Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:

  • C:\WINDOWS\JAVA.EXE

It also drops the file SERVICES.EXE into this directory:

  • C:\WINDOWS\SERVICES.EXE

The following Registry keys are added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "JavaVM" = %WinDir% \JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "Services" = %WinDir% \SERVICES.EXE

The following Registry keys are also added:

  •  HKEY_CURRENT_USER\Software\Microsoft\Daemon
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon

Various TCP Ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a highport of the infected machine, to randomly generated IP addresses.  When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

Method of Infection

Method of Infection -

This worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.

Removal -

Removal -

All Users
Use the latest engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
 Stinger has been updated to assist in detecting and repairing this threat.

Intrushield
 An IntruShield User-Defined Signature (UDS) has been created to detect
this threat and is available for download at:
 
https://mysupport.nai.com/
Knowledgebase Article KB38001
 
Please note: The above knowledgebase article is password protected and
requires your to log into Service Portal before accessing it.

Variants

Variants -

    N/A