Another worm virus doing the rounds

Over the last couple of days a virus identified by Trend Micro as WORM_MYDOOM.M has been doing the rounds and we've had one or two worried customers asking about it.

They've received an email with the following text:

----------------------------------------------------------------------------------------------------------------------------------------------------

Dear xxxx,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,

Network Administrator Team

----------------------------------------------------------------------------------------------------------------------------------------------------

The note comes with an attachment, which is the virus. Don't open it; just delete the email.

It's most definitely not something we'd send to our customers, so there's no need to worry!

Detailed below is an overview of what the virus does.

 

On execution, this mass-mailing worm drops a copy of itself as JAVA.EXE in the Windows folder.

Then, it creates the following autorun registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
JavaVM = "%Windows%\java.exe"
Services = "%Windows%\services.exe"

(Note: %Windows% refers to the Windows folder, which is usually C:\Windows or C:\WINNT.)

It also creates the entry "ID" in the following registry key as an infection marker:

HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon
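A defender's check for the persistence described above, added here as an example rather than anything from the original post or Trend Micro's write-up: it parses `reg query` output for the Run key and flags the two value names when they point at java.exe or services.exe directly in the Windows folder. The sample output is constructed.

```python
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# output on an infected host; the value names and paths are those given in the write-up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    JavaVM      REG_SZ    C:\WINDOWS\java.exe
    Services    REG_SZ    C:\WINDOWS\services.exe
    VMTools     REG_SZ    C:\Program Files\VMware\vmtoolsd.exe
"""

# Autorun value names and dropped file names attributed to WORM_MYDOOM.M above.
MYDOOM_RUN_VALUES = {"javavm": "java.exe", "services": "services.exe"}


def parse_reg_query(text):
    """Turn `reg query` output into {value_name: data} for REG_SZ values.
    (Value names containing spaces are not handled; none are expected here.)"""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_SZ\s+(.*\S)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def suspicious_run_values(values):
    """Return (name, data) pairs whose name matches the worm's Run entries and
    whose data points at java.exe or services.exe directly in the Windows
    folder. The genuine services.exe lives in System32, never in the Windows
    folder itself, so such an entry is a strong indicator of this worm."""
    hits = []
    for name, data in values.items():
        expected = MYDOOM_RUN_VALUES.get(name.lower())
        if expected is None:
            continue
        path = data.strip('"').lower()
        # Accept the unexpanded %Windows% / %SystemRoot% form or an expanded
        # C:\Windows or C:\WINNT path (the two usual locations noted above).
        pattern = r"(%windows%|%systemroot%|[a-z]:\\(windows|winnt))\\" + re.escape(expected)
        if re.fullmatch(pattern, path):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in suspicious_run_values(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"suspicious Run value {name} = {data}")
```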

Propagation via Email

This worm propagates via email using SMTP (Simple Mail Transfer Protocol). It first checks for an Internet connection and then connects to the local DNS server, querying for the mail exchanger (MX record) that matches the domain name of the target recipient's address. Once found, it uses that host as its SMTP server.

It then harvests target email addresses from the Windows Address Book (WAB). It also gathers addresses from the Temporary Internet Files folder and from files with the following extensions found in fixed drives:

  • hlp
  • tx*
  • asp
  • ht*
  • sht*
  • adb
  • dbx
  • wab

When it finds an email address, it gets the domain name of that email address and queries the following search engines to search for email addresses in the domain:

  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com

It spoofs the sender's name (FROM field) of the email it sends, both in the email header and the envelope.

The details of the email it sends are as follows:

Subject: (any of the following)
• The original message was included as attachment
• The message could not be delivered
• Your message could not be delivered
• hello
• hi error
• status
• test
• report
• delivery failed
• Message could not be delivered
• Mail System Error - Returned Mail
• Delivery reports about your e-mail
• Returned mail: see transcript for details
• Returned mail: Data format error

The email subject may also be the email address of the intended recipient, e.g. johndoe@somewhere.com.

This worm generates the message body using strings that are harvested from the user’s system.

An example of the email message body is as follows:

Dear user winnt@mydomain.com,
Your e-mail account was used to send a huge amount of unsolicited e-mail messages during the recent week.
Most likely your computer had been infected by a recent virus and now runs a hidden proxy server.
Please follow our instruction in the attached file in order to keep your computer safe.
Virtually yours,
The mydomain.com support team.

Attachment: (any of the following)
• .ZIP
• .COM
• .SCR
• .EXE
• .PIF
• .BAT

Note: In some cases, the base name of the attachment is taken from the address of the intended recipient. For example, for the recipient win2k@mydomain.com the attachment can be any of the following:

• 2k@mydomain.zip
• mydomain.com

In some cases this worm uses a double extension: one of the extensions listed above combined with one of the following extensions:

• DOC
• TXT
• HTM
• HTML
• CMD

The following are screenshots of this worm's sample email messages:

[Screenshot: sample email message]

[Screenshot: sample email message]

This worm skips email addresses with domain names that contain any of these strings:

  • arin.
  • avp
  • bar.
  • domain
  • example
  • foo.com
  • gmail
  • gnu.
  • google
  • hotmail
  • microsoft
  • msdn.
  • msn.
  • panda
  • rarsoft
  • ripe.
  • sarc.
  • seclist
  • secur
  • sf.net
  • sophos
  • sourceforge
  • spersk
  • syma
  • trend
  • update
  • uslis
  • winrar
  • winzip
  • yahoo

It also skips email addresses with the following account names:

  • anyone
  • ca
  • feste
  • foo
  • gold-certs
  • help
  • info
  • me
  • no
  • nobody
  • noone
  • not
  • nothing
  • page
  • rating
  • root
  • site
  • soft
  • someone
  • the.bat
  • you
  • your

It skips account names that contain any of these strings:

  • admin
  • support
  • ntivi
  • submit
  • listserv
  • bugs
  • secur
  • privacycertific
  • accoun
  • sample
  • master
  • abuse
  • spam
  • mailer-d

Backdoor Capabilities

This worm drops a backdoor component named SERVICES.EXE in the Windows folder. This component opens TCP port 1034, where it listens for connections from a remote malicious user.

Trend Micro detects SERVICES.EXE as WORM_MYDOOM.M.

Other Details

This worm also creates a log file named ZINCITE.LOG in the Windows Temporary folder, which is assumed to contain some data used by the malware.

It also creates a mutex whose name is derived from the host name of the system on which it runs: it appends the string "root" to the host name and repeats the combination several times.

During analysis, the worm generates the following mutex name:

    winxprootwinxprootwwinxprootwinxprootww
