|
Top 10 malware reported to Sophos in January 2004
W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from address
books and from files with the following extensions: WAB, TXT, HTM, SHT,
PHP,
ASP, DBX, TBB, ADB and PL.
W32/MyDoom-A creates a file called Message in the temp folder and runs
Notepad to display the contents, which displays random characters.
W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the
"To:" and "From:" fields as well as a randomly chosen subject line. The
emails distributing this worm have the following characteristics.
Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]
Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or
ZIP.
W32/MyDoom-A is programmed to not forward itself via email if the
recipient email address satisfies various conditions:
 | The worm will not send itself to email addresses belonging to
domains containing the following strings: acketst, arin., avp,
berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov,
gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e,
kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai,
panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma,
tanford.e, unix, usenet, utgers.ed
As a consequence the worm does not forward itself to a number of
email domains, including several anti-virus companies and Microsoft.
|
| The worm will not send itself to email addresses in which the
username contains the following strings: abuse, anyone, bugs, ca,
contact, feste, gold-certs, help, info, me, no, noone, nobody, not,
nothing, page, postmaster, privacy, rating, root, samples, secur,
service, site, spm, soft, somebody, someone, submit, the.bat,
webmaster, you, your, www
|
| The worm will not send itself to email addresses which contain the
the following strings: admin, accoun, bsd, certific, google,
icrosoft, linux, listserv, ntivi, spam, support, unix
|
The worm can also copy itself into the shared folder of the KaZaA
peer-to-peer application with one of the following filenames and a PIF,
EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5
Further reading:
MyDoom
worm spreads widely across internet, Sophos warns users to be wary of
viral email and hacker attack
Recovery
Advanced
This section is for technical experts who want to know more.
W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from address
books and from files with the following extensions: WAB, TXT, HTM, SHT,
PHP,
ASP, DBX, TBB, ADB and PL.
W32/MyDoom-A creates a file called Message in the temp folder and
runs Notepad to display the contents, which displays random characters.
W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the
"To:" and "From:" fields as well as a randomly chosen subject line. The
emails distributing this worm have the following characteristics.
Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]
Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or
ZIP.
W32/MyDoom-A is programmed to not forward itself via email if the
recipient email address satisfies various conditions:
| The worm will not send itself to email addresses belonging to
domains containing the following strings: acketst, arin., avp,
berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov,
gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e,
kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai,
panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma,
tanford.e, unix, usenet, utgers.ed
As a consequence the worm does not forward itself to a number of
email domains, including several anti-virus companies and Microsoft.
|
| The worm will not send itself to email addresses in which the
username contains the following strings: abuse, anyone, bugs, ca,
contact, feste, gold-certs, help, info, me, no, noone, nobody, not,
nothing, page, postmaster, privacy, rating, root, samples, secur,
service, site, spm, soft, somebody, someone, submit, the.bat,
webmaster, you, your, www
|
| The worm will not send itself to email addresses which contain the
the following strings: admin, accoun, bsd, certific, google,
icrosoft, linux, listserv, ntivi, spam, support, unix
|
The worm can also copy itself into the shared folder of the KaZaA
peer-to-peer application with one of the following filenames and a PIF,
EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5
W32/MyDoom-A creates a file called taskmon.exe in the system or temp
folder and adds the following registry entry to run this file every time
Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon =
taskmon.exe
Please note that on Windows 95/98/Me, there is a legitimate file
called taskmon.exe in the Windows folder.
W32/MyDoom-A also drops a file named shimgapi.dll to the temp or
system folder. This is a backdoor program loaded by the worm that allows
outsiders to connect to TCP port 3127. The DLL adds the following
registry entry so that it is run on startup:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"
The worm will also add the following entries to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
Between the 1st and 12th February 2004, the worm will attempt a
denial-of-service attempt to www.sco.com, sending numerous GET requests
to the web server.
After the 12th February W32/MyDoom-A will no longer spread, due to an
expiry date set in the code. It will, however, still run the backdoor
component.
Further reading:
MyDoom
worm spreads widely across internet, Sophos warns users to be wary of
viral email and hacker attack
|
Summary
Recovery