#1 tang_man_montreal (Senior Member, joined Jun 2003)

    Mydoom.B virus... this one is worse!!

    Virus Characteristics:
    -- Update 28th January 2004 --
    This threat is considered to be a Low-Profiled risk due to media attention at:,4149,1472436,00.asp

    This is a variant of W32/Mydoom@MM , with the following characteristics:

    contains its own SMTP engine to construct outgoing messages
    contains a peer to peer propagation routine
    contains a Denial of Service payload
    overwrites the local hosts file on the victim machine
contains a backdoor component

Mail Propagation

    The virus arrives in an email message as follows:

    From: (Spoofed email sender)
    Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

    Subject: (Varies, such as)

    Returned mail
    Delivery Error
    Server Report
    Mail Transaction Failed
Mail Delivery System

Body: (Varies, such as)

    sendmail daemon reported:
    Error #804 occured during SMTP session. Partial message has been received.
    Mail transaction failed. Partial message is available.
    The message contains Unicode characters and has been sent as a binary attachment.
    The message contains MIME-encoded graphics and has been sent as a binary attachment.
    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (29,184 bytes)

    examples (common names, but can be random)
    In the case of two file extensions, multiple spaces may be inserted as well, for example:

    document.htm (many spaces) .pif
    The icon used by the file tries to make it appear as if the attachment is a text file:

    When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as explorer.exe (note: there is a valid explorer.exe file in the WINDOWS directory)

    (Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

    It creates the following registry entry to hook Windows startup:

    CurrentVersion\Run "Explorer" = %SysDir%\explorer.exe
    The virus uses a DLL that it creates in the Windows System directory:

    %SysDir%\ctfmon.dll (6,144 bytes)
    This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\ctfmon.dll

Redirection To Prevent Access

    The worm overwrites the local hosts file to prevent infected computers from accessing specific sites (listed below). AVERT recommends updating to the 4320 dat files as soon as possible, so that your computer may continue to access NAI and other important sites for future updates.
    Detection of the dropped hosts file is not included in the 4320 DATs. Detection is included in the EXTRA.DAT provided in this description (see below).

    Peer To Peer Propagation
    The worm copies itself to the KaZaa Shared Directory with the following filenames:

Denial of Service

The worm contains a denial of service payload (date triggered) against the following domains:

Remote Access Component

The worm (this functionality is in the dropped DLL) opens a connection on the following TCP ports:

    1080 (if fail then next)
    The worm can accept specially crafted TCP transmissions.

    On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
    On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution)
    I am Homer of BORG... Prepare to be..OOOO!! DONUT!!!!!!
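Two of the indicators in the description above lend themselves to a quick host-side check: the lure attachment name that hides a real executable extension behind a decoy extension and a run of spaces (the "document.htm (many spaces) .pif" trick), and the overwritten hosts file that pins vendor update sites to a null or loopback address. The script below is an added example written for this thread, not code from the post or from AVERT/NAI; the hosts-file contents and the hostnames in it are constructed for illustration and are not the worm's actual block list, which the post does not reproduce.

```python
import re

# Constructed sample of a tampered hosts file (illustrative only; the domain
# names are made up and are NOT the list Mydoom.B actually writes).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         update.av-vendor.test
127.0.0.1       www.av-vendor.test
0.0.0.0         downloads.example.test   # added by malware
"""

# Addresses a hosts-file entry uses to sinkhole a name.
NULL_OR_LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names a clean Windows hosts file legitimately maps to loopback.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def find_sinkholed_hosts(hosts_text):
    """Return (hostname, ip) pairs that map a non-local name to a null or
    loopback address.  Review hits manually: an admin may have added such
    entries on purpose, but on a workstation they are a strong tamper sign."""
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in NULL_OR_LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOCAL_NAMES:
                flagged.append((name.lower(), ip))
    return flagged

# Extensions the post lists for the attachment; all execute when double-clicked.
DANGEROUS_EXTS = {".bat", ".exe", ".pif", ".cmd", ".scr"}
_EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,4})$")

def classify_attachment(filename):
    """Classify an attachment name as 'benign', 'executable', or
    'disguised-executable'.  Disguised means the real (dangerous) extension is
    preceded by a decoy extension and/or a run of padding whitespace, so that
    a mail client or narrow column shows only the decoy part."""
    name = filename.rstrip()
    m = _EXT_RE.search(name)
    if not m or m.group(1).lower() not in DANGEROUS_EXTS:
        return "benign"
    stem = name[: m.start()]
    padded = stem != stem.rstrip()                 # "document.htm      .pif"
    decoy = bool(re.search(r"\.[A-Za-z0-9]{1,4}\s*$", stem))  # "document.htm.pif"
    return "disguised-executable" if (padded or decoy) else "executable"

if __name__ == "__main__":
    for hit in find_sinkholed_hosts(SAMPLE_HOSTS):
        print("hosts file sinkholes %s -> %s" % hit)
    for n in ("document.htm                .pif", "document.htm.pif",
              "report.exe", "notes.txt"):
        print(repr(n), "=>", classify_attachment(n))
```

On a live Windows box the hosts file to feed into find_sinkholed_hosts is %SystemRoot%\system32\drivers\etc\hosts; the attachment check is meant for a mail gateway or a quick triage of quarantined messages, and deliberately treats a plain .exe as merely "executable" rather than disguised.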

#2 tiffany (Senior Member, joined Sep 2003)
    Thanks, that's great extra info on it.
    Norton has an auto-update for it out already, and you can check your system for free on their site and remove it.
    "The significant problems we face cannot be solved at the same level of thinking we were at when we created them."
    - Albert Einstein (1879-1955)

#3 tang_man_montreal (Senior Member, joined Jun 2003)
    Network Associates (McAfee Antivirus) also has a removal tool you can download called STINGER.

    It is available here:
    I am Homer of BORG... Prepare to be..OOOO!! DONUT!!!!!!
