  1. #1 tang_man_montreal (Senior Member, Join Date Jun 2003, Posts 5,821)

    Mydoom.B virus... this one is worse!!

    http://vil.nai.com/vil/content/v_100988.htm

    Virus Characteristics:
    -- Update 28th January 2004 --
    This threat is considered to be a Low-Profiled risk due to media attention at: http://www.eweek.com/article2/0,4149,1472436,00.asp

    This is a variant of W32/Mydoom@MM, with the following characteristics:

    contains its own SMTP engine to construct outgoing messages
    contains a peer to peer propagation routine
    contains a Denial of Service payload
    overwrites the local hosts file on the victim machine
    contains a backdoor component

    Mail Propagation

    The virus arrives in an email message as follows:

    From: (Spoofed email sender)
    Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

    Subject: (Varies, such as)

    Returned mail
    Delivery Error
    Status
    Server Report
    Mail Transaction Failed
    Mail Delivery System
    hello
    hi

    Body: (Varies, such as)

    sendmail daemon reported:
    Error #804 occured during SMTP session. Partial message has been received.
    Mail transaction failed. Partial message is available.
    The message contains Unicode characters and has been sent as a binary attachment.
    The message contains MIME-encoded graphics and has been sent as a binary attachment.
    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (29,184 bytes)

    examples (common names, but can be random)
    doc.bat
    document.zip
    message.zip
    readme.zip
    text.pif
    hello.cmd
    body.scr
    test.htm.pif
    data.txt.exe
    file.scr
    In the case of two file extensions, multiple spaces may be inserted as well, for example:

    document.htm (many spaces) .pif
    The icon used by the file tries to make it appear as if the attachment is a text file: (icon image not reproduced)

    When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as explorer.exe (note: there is a valid explorer.exe file in the WINDOWS directory).

    %SysDir%\explorer.exe
    (Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

    It creates the following registry entry to hook Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Explorer" = %SysDir%\explorer.exe

    The virus uses a DLL that it creates in the Windows System directory:

    %SysDir%\ctfmon.dll (6,144 bytes)
    This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\ctfmon.dll

    Redirection To Prevent Access

    The worm overwrites the local hosts file to prevent infected computers from accessing specific sites (listed below). AVERT recommends updating to the 4320 dat files as soon as possible, so that your computer may continue to access NAI and other important sites for future updates.

    Detection of the dropped hosts file is not included in the 4320 DATs. Detection is included in the EXTRA.DAT provided in this description (see below).

    Peer To Peer Propagation

    The worm copies itself to the KaZaa Shared Directory with the following filenames:

    xsharez_scanner
    BlackIce_Firewall_Enterpriseactivation_crack
    zapSetup_95_693
    MS59-56_hotfix
    winamp0
    NessusScan_pro
    attackXP-6.71

    Denial of Service

    The worm contains a denial of service payload (date triggered) against the following domains:

    www.sco.com
    www.microsoft.com

    Remote Access Component

    The worm (this functionality is in the dropped DLL) opens a connection on the following TCP ports:

    1080 (if fail then next)
    3128
    80
    8080
    10080
    The worm can accept specially crafted TCP transmissions.

    On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
    On receipt of another kind it can relay TCP packets, thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution).
    I am Homer of BORG... Prepare to be..OOOO!! DONUT!!!!!!
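
    A defender-side check for the persistence and hosts-file indicators in the write-up above, as an added example that is not part of the original post or of NAI's description. It parses a hosts file and a .reg export (both constructed samples inside the block); the domain subset, dropped file names and CLSID are taken from the description.

```python
"""Added example (not from the NAI write-up or this thread): scan a Windows hosts
file and a .reg export for the Mydoom.B indicators listed above. The sample hosts
file and registry export at the bottom are constructed, not captured."""
import re

# Subset of the vendor/update domains the worm blocks via the hosts file.
BLOCKED_DOMAINS = {"download.mcafee.com", "windowsupdate.microsoft.com",
                   "liveupdate.symantec.com", "www.f-secure.com", "vil.nai.com"}
HIJACKED_CLSID = "{e6fb5e20-de35-11cf-9c87-00aa005127ed}"  # InProcServer32 -> ctfmon.dll
DROPPED_FILES = ("explorer.exe", "ctfmon.dll")             # copies in %SysDir%


def hosts_findings(hosts_text):
    """Return (domain, address) pairs for blocked vendor domains in the file."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        for name in fields[1:]:                  # fields[0] is the address
            if name.lower() in BLOCKED_DOMAINS:
                found.append((name.lower(), fields[0]))
    return found


def registry_findings(reg_text):
    """Return (key, value_name, data) for the Run value 'Explorer' or the hijacked
    CLSID's InProcServer32 when the data names one of the dropped files."""
    found, key = [], ""
    for line in reg_text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:                                    # start of a new key section
            key = m.group(1).lower()
            continue
        m = re.match(r'^(?:"([^"]+)"|@)="([^"]*)"', line.strip())
        if not m:                                # not a REG_SZ value line
            continue
        name = m.group(1) or "(Default)"
        data = m.group(2).replace("\\\\", "\\").lower()  # .reg doubles backslashes
        is_run = key.endswith("currentversion\\run") and name.lower() == "explorer"
        is_clsid = HIJACKED_CLSID in key and key.endswith("inprocserver32")
        if (is_run or is_clsid) and data.split("\\")[-1] in DROPPED_FILES:
            found.append((key, name, data))
    return found


SAMPLE_HOSTS = ("# constructed sample\n127.0.0.1 localhost\n"
                "0.0.0.0 download.mcafee.com\n0.0.0.0 windowsupdate.microsoft.com\n")
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\SYSTEM\\explorer.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\ctfmon.dll"
"""
```

On a real machine, feed it the contents of %SysDir%\drivers\etc\hosts and of a `reg export` of the two keys; a clean system returns empty lists from both functions.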

  2. #2 tiffany (Senior Member, Join Date Sep 2003, Posts 860)
    Thanks, that's great extra info on it.
    Norton has an auto-update for it out already, and you can check your system for free on their site and remove it.
    "The significant problems we face cannot be solved at the same level of thinking we were at when we created them."
    - Albert Einstein (1879-1955)

  3. #3 tang_man_montreal (Senior Member, Join Date Jun 2003, Posts 5,821)
    Network Associates (McAfee Antivirus) also has a removal tool you can download called STINGER.

    It is available here:

    http://vil.nai.com/vil/stinger
    I am Homer of BORG... Prepare to be..OOOO!! DONUT!!!!!!
