<<< Date Index >>>     <<< Thread Index >>>

US CERT Technical Alert TA04-028A MyDoom.B Rapidly Spreading




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


MyDoom.B Rapidly Spreading

   Mydoom.B is a new variant of the Mydoom worm and is about 29,184
   bytes. This variant attempts to perform a Distributed Denial of
   Service (DDoS) attack against Microsoft.com. Details regarding this
   new worm are still emerging, but it has been validated as spreading in
   the wild. Facts about the worm will be further qualified with follow
   up reports following this initial analysis.

   For the latest information about this worm from US-CERT, readers are
   encouraged to visit http://www.us-cert.gov/cas/techalerts/TA04-028A.html.

   E-mails sent out by Mydoom.B are highly randomized. The From address
   may be spoofed to include one of the following domains: aol.com,
   msn.com, yahoo.com and hotmail.com. A randomized string value may then
   be combined with these to generate new e-mails. This may result in
   overload e-mail servers with many false addresses and auto-replies
   associated with such traffic.

   The subject is randomized to include one of the following
   following:

     * Delivery Error
     * hello
     * Error
     * Mail Delivery System
     * Mail Transaction Failed
     * Returned mail
     * Server Report
     * Status
     * Unable to deliver the message

   The subject may also contain randomized data as seen in a recent live
   sample: "RE: I still love you fLctv".

   The message body is also randomized to include one of the
   following:

     * RANDOMIZED CHARACTERS
     * test
     * The message cannot be represented in 7-bit ASCII encoding and has
       been sent as a binary attachment.
     * sendmail daemon reported: Error #804 occured during SMTP session.
       Partial message has been received.
     * The message contains Unicode characters and has been sent as a
       binary attachment.
     * The message contains MIME-encoded graphics and has been sent as a
       binary attachment.
     * Mail transaction failed. Partial message is available.

   The attachments have a randomized filename selected from one of the
   following string values:

     * body
     * doc
     * text
     * document
     * data
     * file
     * readme
     * message

   The randomized string value is then combined with a randomized
   extension: .exe, .bat, .scr, .cmd or .pif. If the malicious attachment
   is executed, it then opens notepad.exe and displays garbled data
   (binary).

   Once executed, the worm attempts to create the following files in the
   Windows System directory: explorer.exe and dtfmon.dll. The Windows
   registry is then modified to run the worm in memory upon Windows
   startup:

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     Explorer=C:WINDOWS SYSTEM DIRECTORY\explorer.exe

   The DLL component is associated with a backdoor feature of this worm.
   It is likely that this Trojan worms like the one in Mydoom.A. It scans
   through a range of TCP addresses looking for inbound TCP traffic.
   Inbound TCP traffic can be used to configure the infected computer as
   a proxy computer or to install code of choice on the infected
   computer. More importantly, attackers are already working on tools to
   hijack Mydoom infected computers to install code of choice.

   The DDoS attack of Mydoom.B is against www.microsoft.com. There is
   information claiming that it may also be directed at sco.com, but this
   is unsubstantiated at this time. It appears that the more credible
   data is that it only performs a DDoS attack against www.microsoft.com,
   though a previosu version of the virus is confirmed to attack SCO.

   To spread over the KaZaA P2P network, Mydoom.B creates copies of
   itself in the KaZaA shared directory with randomized filenames.
   Filenames include:

     * attackXP-1.26
     * BlackIce_Firewall_Enterpriseactivation_crack
     * MS04-01_hotfix
     * NessusScan_pro
     * icq2004-final
     * winamp5
     * xsharez_scanner
     * zapSetup_40_148

   A randomized extension is then added to the filename selected above,
   being .exe, .scr, .pif or .bat.

   Mydoom.B attempts to harvest e-mails from Temporary Internet files as
   well as via randomized e-mails aforementioned. It does not include any
   e-mails containing the following strings: abuse, accoun, certific,
   listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste,
   submit, help, service, privacy, somebody, soft, contact, site, rating,
   bugs, your, someone, anyone, nothing, nobody, noone, webmaster,
   postmaster, support, samples, info, root, ruslis, nodomai, mydomai,
   example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda,
   icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur,
   isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet,
   fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix,
   berkeley and spam.

   Mydoom.B also opens TCP port 10080. The worm contains the following
   string: "sync-1.01; andy; I'm just doing my job, nothing personal,
   sorry".

   Alias: Mydoom, Novarg, Mydoom.B

   Sources:

     F-Secure Corp. (http://www.f-secure.com/v-descs/mydoom_b.shtml),
     Jan. 28, 2004

     Bit Defender
     (http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186), 
     Jan. 28, 2004

     iDEFENSE Intelligence Operations, Jan. 28, 2004 Sensible Security
     Solutions Inc. (http://www.sss.ca/), Jan. 28, 2004

   According to iDEFENSE, this new variant of Mydoom appears to have
   different MIMI data for malicious e-mails. The content type appears to
   be plain text and includes a ZIP extension. Mydoom.A had a content
   type of application/octet-stream and multipart/mixed data. It is
   likely that this newest variant of Mydoom will become very widespread
   in the wild. The first variant had well over 3M interceptions by just
   two sources in the first 18 hours of the outbreak.

   Look for questionable files about 29,184 bytes. Look for notepad.exe
   to be opened, displaying binary data (garbled text). Also look for the
   Windows registry created by the worm.

   Recovery: Remove all files and the Windows registry key modifications
   associated with this malicious code threat. Restore corrupted or
   damaged files with clean backup copies.

   Workaround: Configure e-mail servers and workstations to block file
   types commonly used by malicious code to spread to other computers.
   Block ZIP and executable extensions on the gateway and groupware
   level. Also monitor traffic on the network and block ports associated
   with Mydoom, especially inbound TCP ports for the backdoor Trojan
   component and the outbound TCP 10080 port data. Administrators may
   also find value in monitoring traffic associated with the DDoS
   component. Carefully manage all new files, scanning them with updated
   anti-virus software using heuristics prior to use.

   Vendor Fix: Anti-virus vendors will likely release updated signature
   files to protect against this malicious code in the near future. Some
   anti-virus applications may detect this malicious code heuristically.

     Name of Malicious Code: Mydoom.B
     Aliases:
     Mydoom.B
     Mydoom
     Novarg
     Size in Bytes: 29184
     Subjects: RE: I still love you fLctv
     Body: Error 551: We are sorry your UTF-8 encoding is not supported
     by the server, so the text was automatically zipped and attached to
     this message.
     Attachments: message.zip

   This document was developed based on material contributed by iDEFENSE.
   Our thanks for their contribution.

                       Last updated January 28, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAGEufXlvNRxAkFWARAjEOAJ92cfCtcUVX+/6CGoRwGj7mIbxhzQCg0mdJ
/ip1ThurA7opfYb0JUET2UI=
=j+iB
-----END PGP SIGNATURE-----