Variant of MyDoom.B? - detailed removal description for MyDoom.B

The F-Secure Computer Virus Information Pages on Mydoom.B provide some more useful info on hunting down MyDoom.B.

The worm will perform a DDoS attack against www.microsoft.com on 3rd of February 2004 at 13:09:18 (UTC) and www.sco.com on 1st of February 2004 at 16:09:18 (UTC).

The DDoS attack launches 8 threads against www.sco.com every 1024 milliseconds.

The other DDoS attack launches 14 threads against www.microsoft.com every 1024 milliseconds.

The hosts file in the infected machines will be modified so that domains belonging to Anti-Virus companies and other commercial sites are resolved to the IP address 0.0.0.0, rendering them inaccessible.

Status:

Fortunately my hosts file was write-protected.

But it still prevented the virus scanner from updating.

The Explorer.Exe was not found, but CTFMON.EXE was on my PC. Did I have a variant of MyDoom.B???

Outlook didn't want to send/receive mails anymore…

And the whole system probably sent out millions of mails or so… it sucks big time…

ok…

The following text is © F-Secure and is replicated here to keep it available in case a DDoS attack takes their server down.

NAME: Mydoom.B
ALIAS: Novarg
SIZE: 29,184

Summary

A new variant of the Mydoom email worm, Mydoom.B, was found spreading on January 28th, 2004. Mydoom.B attacks both www.sco.com and www.microsoft.com and prevents infected machines from accessing anti-virus sites, including www.f-secure.com.

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Mydoom infection from the computer.

The Mydoom removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip

http://www.f-secure.com/tools/f-mydoom.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe

http://www.f-secure.com/tools/f-mydoom.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt

http://www.f-secure.com/tools/f-mydoom.txt

Manual Disinfection

Manual disinfection of Mydoom consists of the following steps:

1. Delete the registry values and restart the computer:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer]

 [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

2. Delete the worm from the Windows System Directory:

 SysDir\explorer.exe

and its backdoor component from:

 SysDir\ctfmon.dll

3. To enable access again to the sites blocked by Mydoom.B, it's necessary to locate the file "hosts" and delete all the lines referring to Anti-Virus vendors and other commercial sites. The lines added by the worm are listed later in this page.




Detailed Description

The worm uses the same scrambling technique as the previous variant, ROT13, and shares most of its features.

Once run it will look for the previous variant, Mydoom.A, and will terminate its process and delete "shimgapi.dll".

It will copy itself to the following location:

 sysDir\explorer.exe

And will add the following registry entries:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Explorer" = sysdir\explorer.exe

 or, if it fails:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Explorer" = sysdir\explorer.exe

It drops its backdoor component, encoded in its body and packed with UPX as:

 sysdir\ctfmon.dll

This is loaded under Explorer from this registry key:

 [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

The worm will create a mutex with the name "sync-v1.01__ipcmtx0" to ensure only one instance of itself is running at the same time.

The worm contains this message, which is never displayed:

 (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

Peer-to-Peer Spreading

The following filenames are used in this variant when copying itself to Kazaa:

 NessusScan_pro
 attackXP-1.26
 winamp5
 MS04-01_hotfix
 zapSetup_40_148
 BlackIce_Firewall_Enterpriseactivation_crack
 xsharez_scanner
 icq2004-final

And extensions chosen from:

 .bat
 .exe
 .scr
 .pif

Mail Propagation

As in the previous variant, it collects addresses to send itself to from the Windows Address Book and from files with the extensions:

 wab
 pl
 adb
 dbx
 asp
 php
 sht
 htm
 txt

It will try to avoid anti-spam tricks used by people to obfuscate e-mail addresses in webpages.

E-Mail messages sent by the worm have the following characteristics:

Subjects can be any of the following:

 Status
 hi
 Delivery Error
 Mail Delivery System
 hello
 Error
 Server Report
 Returned mail

Body is one of the following:

   The message cannot be represented in 7-bit ASCII encoding and has been sent
   as a binary attachment.

   sendmail daemon reported:
   Error #804 occured during SMTP session. Partial message has
   been received.

   The message contains Unicode characters and has been sent as a binary attachment.

   The message contains MIME-encoded graphics and has been sent as a binary attachment.

   Mail transaction failed. Partial message is available.

Attachments are composed combining the following names:

 document
 readme
 doc
 text
 file
 data
 message
 body

with the following extensions:

 pif
 scr
 exe
 cmd
 bat

Once an address to send itself to is chosen (from the list generated when harvesting addresses from the computer), the worm will also send e-mails to addresses in the same domain, but to accounts like:

 john
 alex
 michael
 james
 mike
 kevin
 david
 george
 sam
 andrew
 jose
 leo
 maria
 jim
 brian
 serg
 mary
 ray
 tom
 peter
 robert
 bob
 jane
 joe
 dan
 dave
 matt
 steve
 smith
 stan
 bill
 bob
 jack
 fred
 ted
 adam
 brent
 alice
 anna
 brenda
 claudia
 debby
 helen
 jerry
 jimmy
 julie
 linda
 sandra

It will avoid sending itself to e-mail addresses containing the following account names:

 root
 info
 samples
 support
 postmaster
 webmaster
 noone
 nobody
 nothing
 anyone
 someone
 your
 you
 me
 bugs
 rating
 site
 contact
 soft
 no
 somebody
 privacy
 service
 help
 not
 submit
 feste
 ca
 gold-certs
 the.bat
 page

Deadline

The worm will exit immediately when run after the date: 1st of March 2004 at 03:18:42 (UTC).

Backdoor

The worm has the ability to send itself to already infected computers. It will do so by first finding them through a network scan, where IP addresses will be randomly forged (skipping some invalid ranges). Then a connection attempt is made to port 3127 (opened by the previous variant's backdoor); if the machine is found infected, the worm transfers itself and will be executed immediately, thereby updating the infected computers to the new version without the need for the user to receive the worm through e-mail.

Additionally the worm will request the infected computer's hostname through gethostbyname(), resolve its IP and scan for other infected computers in the same range.

Payload

The worm will perform a DDoS attack against www.microsoft.com on 3rd of February 2004 at 13:09:18 (UTC) and www.sco.com on 1st of February 2004 at 16:09:18 (UTC).

The DDoS attack launches 8 threads against www.sco.com every 1024 milliseconds.

The other DDoS attack launches 14 threads against www.microsoft.com every 1024 milliseconds.

The hosts file in the infected machines will be modified so that domains belonging to Anti-Virus companies and other commercial sites are resolved to the IP address 0.0.0.0, rendering them inaccessible.

The full contents of this file follow (the file is encrypted within the worm's code):

 0.0.0.0         engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
 0.0.0.0         spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
 0.0.0.0         media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
 0.0.0.0         ads.fastclick.net banner.fastclick.net banners.fastclick.net
 0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
 0.0.0.0         ftp.f-secure.com securityresponse.symantec.com
 0.0.0.0         www.symantec.com symantec.com service1.symantec.com
 0.0.0.0         liveupdate.symantec.com update.symantec.com updates.symantec.com
 0.0.0.0         support.microsoft.com downloads.microsoft.com
 0.0.0.0         download.microsoft.com windowsupdate.microsoft.com
 0.0.0.0         office.microsoft.com msdn.microsoft.com go.microsoft.com
 0.0.0.0         nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
 0.0.0.0         networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
 0.0.0.0         www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
 0.0.0.0         avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
 0.0.0.0         download.mcafee.com mast.mcafee.com www.trendmicro.com
 0.0.0.0         www3.ca.com ca.com www.ca.com www.my-etrust.com
 0.0.0.0         my-etrust.com ar.atwola.com phx.corporate-ir.net

An additional line is added before the date when the attack against Microsoft begins:

 0.0.0.0 www.microsoft.com

which will make the site inaccessible. On the 3rd of February the entry will be removed so the attack can be performed, which will probably cause some difficulties reaching it, if the DDoS is successful.

The modifications in the hosts file are probably targeted so that customers of the most widespread Anti-Virus products can't download new updates to disinfect the worm.
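A remediation helper for step 3 of the manual disinfection, added here as an example and not taken from F-Secure's tool: it parses a hosts file, flags lines that sinkhole the vendor, update and ad domains listed above, and returns the cleaned text with the rest of the file untouched. The worm uses 0.0.0.0; treating 127.0.0.1 the same way is an assumption beyond the page, and the sample hosts file is constructed.

```python
from typing import List, Tuple

# Registrable domains drawn from the hosts entries the page lists as added by
# Mydoom.B (anti-virus vendors, Microsoft update hosts, ad networks).
WATCHED_DOMAINS = {
    "sophos.com", "f-secure.com", "symantec.com", "microsoft.com", "nai.com",
    "networkassociates.com", "avp.ru", "kaspersky.ru", "viruslist.ru", "avp.ch",
    "avp.com", "mcafee.com", "trendmicro.com", "ca.com", "my-etrust.com",
    "awaps.net", "doubleclick.net", "atdmt.com", "fastclick.net",
    "atwola.com", "corporate-ir.net",
}
# 0.0.0.0 is what the page documents; 127.0.0.1 is an added assumption
# because it blocks a name just as effectively.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}

def _registrable(host: str) -> str:
    """Reduce 'liveupdate.symantec.com' to 'symantec.com' for the watchlist lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def is_sinkhole_line(line: str) -> bool:
    """True if a hosts line points any watched domain at a sinkhole address."""
    stripped = line.split("#", 1)[0].strip()   # ignore comments and blank lines
    if not stripped:
        return False
    addr, *hosts = stripped.split()
    if addr not in SINKHOLE_ADDRS:
        return False
    # '127.0.0.1 localhost' has no watched domain, so it survives cleanup
    return any(_registrable(h) in WATCHED_DOMAINS for h in hosts)

def clean_hosts(text: str) -> Tuple[str, List[str]]:
    """Return (cleaned hosts text, list of removed lines) for review before writing back."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_sinkhole_line(line) else kept).append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed

# Constructed sample: an ordinary hosts file with two of the page's worm lines
# and the pre-attack www.microsoft.com entry appended.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    fileserver
0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0         liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0         www.microsoft.com
"""
```

Review the removed list before overwriting the real file; on the worm's target systems it lives under the Windows system directory and may be write-protected, as the post above notes.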

Mydoom.B Structure

The following picture briefly shows the structure of the Mydoom.B worm, which can be appreciated in full detail in the PDF graph available from:

http://www.f-secure.com/virus-info/v-pics/mydoom-b.pdf




Detection

Detection in F-Secure Anti-Virus was published on January 28th, 2004 at 15:44 GMT in update:

[FSAV_Database_Version]
Version=2004-01-28_01



Description:

Katrin Tocheva, Mikko Hypponen, Ero Carrera and Istvan Visegradi, January 28th, 2004

Technical details:

Ero Carrera

 

 


