W32.Mydoom.M@mm
worm
Note: Norton Antivirus
2003 can remove this virus
automatically. You can also
download a mydoom
removal tool.
| W32.Mydoom.M@mm
is a mass-mailing worm that drops and executes a
backdoor, detected as Backdoor.Zincite.A,
that listens on TCP port 1034. The worm uses its
own SMTP engine to send itself to email addresses
it finds on the infected computer.
The email contains a spoofed From address, and the
Subject and Body text will vary. The attachment
name will also vary.
Note:
- Symantec products
that support Worm Blocking functionality
automatically detect this threat as it
attempts to spread.
- Due to a decreased rate of submissions,
Symantec Security Response has downgraded
W32.Mydoom.M@mm from a Category 4 to a
Category 3 as of July 28, 2004.
W32.Mydoom.M@mm is packed with UPX. |
|
Also Known As: |
W32/Mydoom.o@MM [McAfee], W32/MyDoom-O
[Sophos], WORM_MYDOOM.M [Trend], Win32.Mydoom.O
[Computer Associates] |
|
|
|
|
Type: |
Worm |
|
Infection Length: |
28,800 bytes |
|
|
|
|
Systems Affected: |
Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, Windows Server 2003,
Windows XP |
|
Systems Not Affected: |
DOS, Linux, Macintosh, Novell
Netware, OS/2, UNIX |
THREAT
ASSESSMENT
Wild
- Number of infections: 50 - 999
- Number of sites: More than 10
- Geographical distribution: Low
- Threat containment: Easy
- Removal: Moderate
Damage
- Payload Trigger: n/a
- Payload: n/a
- Large scale e-mailing: Uses its own SMTP engine to
send itself to the email addresses found in the
files with certain extensions.
- Deletes files: n/a
- Modifies files: n/a
- Degrades performance: Mass-mailing may clog mail
servers or degrade network performance.
- Causes system instability: n/a
- Releases confidential info: n/a
- Compromises security settings: n/a
Distribution
- Subject of email: Varies
- Name of attachment: Varies with .cmd, .bat, .com, .exe, .pif, .scr, or .zip file extension.
- Size of attachment: Varies
- Timestamp of attachment: n/a
- Ports: 1034
- Shared drives: n/a
- Target of infection: n/a
TECHNICAL
DETAILS
When W32.Mydoom.M@mm is executed, it performs the
following actions:
- Creates the following registry keys, which mark the
computer as infected:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon
- HKEY_CURRENT_USER\Software\Microsoft\Daemon
- Copies itself as %Windir%\java.exe.
Note: %Windir% is a variable. The worm locates
the Windows installation folder (by default, this is
C:\Windows or C:\Winnt) and copies itself to that
location.
- Drops and executes %Windir%\services.exe, which is
detected as Backdoor.Zincite.A.
When executed, this file opens TCP port 1034 and listens
for remote connections. The backdoor will also probe
random IP addresses on port 1034 looking for other
infected hosts.
- Adds the values:
"Services" = "%Windir%\services.exe"
"JavaVM" = "%Windir%\java.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm and backdoor load when Windows starts.
- May create the following files for logging purposes:
- %Temp%\zincite.log
- %Temp%\<randomly named file>.log
- Gathers email addresses from files with the following
extensions:
- .adb
- .asp
- .dbx
- .ht*
- .php
- .pl
- .sht
- .tbb
- .tx*
- .wab
- Queries the following search engines to harvest
additional email addresses for possible distribution:
- search.lycos.com
- search.yahoo.com
- www.altavista.com
- www.google.com
- When the worm finds an open Outlook window, it will
attempt to send itself to the email addresses that it
found.
The email has the following characteristics:
From:
The From address will be spoofed.
Subject: (One of the following)
- hello
- error
- status
- test
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
Body:
The content contained in the body of the email will
vary, based on a number of text options. One of each
of the phrases or words in brackets, separated by a
"|", will appear:
- Dear user {<recipient's email
address>|of <recipient's email domain>},{
{{M|m}ail {system|server}
administrator|administration} of <recipient's
email domain> would like to {inform you{
that{:|,}|}|let you know {that|the
following}{.|:|,}}|||||}
{We have {detected|found|received reports} that
y|Y}our {e{-|}mail |}account {has been|was} used to
send a {large|huge} amount of {{unsolicited{
commercial|}|junk} e{-|}mail|spam}{ messages|}
during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,}
your computer {had been|was} {compromised|infected{
by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden}
proxy server.
{Please|We recommend {that you|you to}} follow {our
|the |}instruction{s|} {in the {attachment|attached
{text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have
a nice day},
{<recipient's email domain> {user |technical
|}support team.|The <recipient's email domain>
{support |}team.}
- {The|This|Your} message was{ undeliverable|
not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered
because the destination {computer|server} was
{not |un}reachable within the allowed queue period.
The amount of time
a message is queued before it is returned depends on
local configura-
tion parameters.
Most likely there is a network problem that
prevented delivery, but
it is also possible that the computer is turned off,
or does not
have a mail system running right now.
- Your message {was not|could not be} delivered
within <random number> days:
{{{Mail s|S}erver}|Host} <host used to send the
email>} is not responding.
The following recipients {did|could} not receive
this message:
<<recipient's email address>>
Please reply to postmaster@{<sender's email
domain>|<recipient's email domain>}
if you feel this message to be in error.
The original message was received at [current time]{
| }from {<sender's email domain>
]|{<host used to send the email>]|
]}}
----- The following addresses had permanent fatal
errors -----
{<<recipient's email
address>>|<recipient's email address>}
{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server
||||}{<recipient's email domain>.|<host
used to send the email>]}:
{>>> MAIL F{rom|ROM}:[From address of mail]
<<< 50$d {[From address of mail]... |}{Refused|{Access
d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554
<<recipient's email address>>... {Mail
quota exceeded|Message is too
large}
554 <<recipient's email address>>...
Service unavailable|550 5.1.2 <<recipient's
email address>>... Host unknown (Name server:
host not found)|554 {5.0.0 |}Service unavailable;
] blocked using {relays.osirusoft.com|bl.spamcop.net}{,
reason: Blocked|}
Session aborted{, reason: lost
connection|}|>>> RCPT
To:<<recipient's email address>>
<<< 550 {MAILBOX NOT FOUND|5.1.1
<<recipient's email address>>... {User
unknown|Invalid recipient|Not known
here}}|>>> DATA
{<<< 400-aturner; %MAIL-E-OPENOUT, error
opening !AS as output
|}{<<< 400-aturner; -RMS-E-CRE, ACP file
create failed
|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA,
disk quota exceeded
|}<<< 400}|}
The original message was included as attachment
- {{The|Your} m|M}essage could not be delivered
Notes:
- <recipient's email address> is the
email address of the person receiving the email.
- <recipient's email domain> is the
domain of the receiver's email. For instance, if the
email address is john_doe@example.com, the domain is
"example.com."
- <sender's email domain> is the
domain of the sender's email. For instance, if the
email address is john_doe@example.com, the domain is
"example.com."
- <host used to send the email> is
name of the email server used by the infected
computer. The worm gathers this information from the
infected computer's registry.
Attachment:
The worm may generate an file name from a domain
name of an email address gathered from the computer.
For instance, if the worm finds an address john_doe@example.com
on the infected computer, the attachment name could
contain example.com.
The attachment name may also be one of the
following:
- readme
- instruction
- transcript
- mail
- letter
- file
- text
- attachment
- document
- message
with one of the following extensions:
- .cmd
- .bat
- .com
- .exe
- .pif
- .scr
- .zip
the attachment may have a second extension, which
will be one of the following:
- doc
- txt
- htm
- html
Notes:
- Approximately 30% of the time, the attachment will
be zipped. In these cases the attachment may be
compressed several times over.
- There is a 15% chance the worm will attach a small
junk file to the mail instead of a copy of itself.
The worm will not send itself to addresses that
contain the following strings:
- mailer-d
- spam
- abuse
- master
- sample
- accou
- privacycertific
- bugs
- listserv
- submit
- ntivi
- support
- admin
- page
- the.bat
- gold-certs
- feste
- not
- help
- foo
- soft
- site
- rating
- you
- your
- someone
- anyone
- nothing
- nobody
- noone
- info
- winrar
- winzip
- rarsoft
- sf.net
- sourceforge
- ripe.
- arin.
- google
- gnu.
- gmail
- seclist
- secur
- bar.
- foo.com
- trend
- update
- uslis
- domain
- example
- sophos
- yahoo
- spersk
- panda
- hotmail
- msn.
- msdn.
- microsoft
- sarc.
- syma
- avp
RECOMMENDATIONS
Symantec Security Response encourages all users and
administrators to adhere to the following basic security
"best practices":
- Turn off and remove unneeded services. By default,
many operating systems install auxiliary services that
are not critical, such as an FTP server, telnet, and a
Web server. These services are avenues of attack. If
they are removed, blended threats have less avenues of
attack and you have fewer services to maintain through
patch updates.
- If a blended
threat exploits one or more network services,
disable, or block access to, those services until a
patch is applied.
- Always keep your patch levels up-to-date, especially
on computers that host public services and are
accessible through the firewall, such as HTTP, FTP,
mail, and DNS services.
- Enforce a password policy. Complex passwords make it
difficult to crack password files on compromised
computers. This helps to prevent or limit damage when
a computer is compromised.
- Configure your email server to block or remove email
that contains file attachments that are commonly used
to spread viruses, such as .vbs, .bat, .exe, .pif and
.scr files.
- Isolate infected computers quickly to prevent
further compromising your organization. Perform a
forensic analysis and restore the computers using
trusted media.
- Train employees not to open attachments unless they
are expecting them. Also, do not execute software that
is downloaded from the Internet unless it has been
scanned for viruses. Simply visiting a compromised Web
site can cause infection if certain browser
vulnerabilities are not patched.
REMOVAL INSTRUCTIONS
Removal using the Removal Tool
Symantec Security Response has developed a removal
tool to clean the infections of
W32.Mydoom.M@mm. This is the preferred method in most
cases.
Manual Removal
The following instructions pertain to all current and
recent Symantec antivirus products, including the Symantec
AntiVirus and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Restart the computer in Safe mode or VGA mode.
- Run a full system scan and delete all the files
detected as W32.Mydoom.M@mm.
- Reverse the changes made to the registry.
For details on each of these steps, read the following
instructions.
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend
that you temporarily turn off System Restore. Windows
Me/XP uses this feature, which is enabled by default, to
restore the files on your computer in case they become
damaged. If a virus, worm, or Trojan infects a computer,
System Restore may back up the virus, worm, or Trojan on
the computer.
Windows prevents outside programs, including antivirus
programs, from modifying System Restore. Therefore,
antivirus programs or tools cannot remove threats in the
System Restore folder. As a result, System Restore has the
potential of restoring an infected file on your computer,
even after you have cleaned the infected files from all
the other locations.
Also, a virus scan may detect a threat in the System
Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read
your Windows documentation, or one of the following
articles:
Note: When you are completely finished with the
removal procedure and are satisfied that the threat has
been removed, re-enable System Restore by following the
instructions in the aforementioned documents.
For additional information, and an alternative to
disabling Windows Me System Restore, see the Microsoft
Knowledge Base article, "Antivirus
Tools Cannot Clean Infected Files in the _Restore Folder,"
Article ID: Q263455.
2. To update the virus definitions
Symantec Security Response fully tests all the virus
definitions for quality assurance before they are posted
to our servers. Running LiveUpdate, which is the easiest way to
obtain virus definitions
3. To restart the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at
least 30 seconds, and then restart the computer in Safe
mode or VGA mode.
- For Windows 95, 98, Me, 2000, or XP users, restart
the computer in Safe mode. For instructions, read the
document, "How
to start the computer in Safe Mode."
- For Windows NT 4 users, restart the computer in VGA
mode.
4. To scan for and delete the infected files
- Start your Symantec antivirus program and make sure
that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
W32.Mydoom.M@mm, click Delete.
5. To reverse the changes made to the registry
Important: Symantec strongly recommends that you back up the
registry before making any changes to it. Incorrect
changes to the registry can result in permanent data loss
or corrupted files. Modify the specified keys only. Read
the document, "How
to make a backup of the Windows registry,"
for instructions.
- Click Start > Run.
- Type regedit
Then click OK.
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the values:
"Services" = "%Windir%\services.exe"
"JavaVM" = "%Windir%\java.exe"
- Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon
HKEY_CURRENT_USER\Software\Microsoft\Daemon
and delete them.
- Exit the Registry Editor.
- Restart the computer in Normal mode. For
instructions, read the section on returning to Normal
mode in the document, "How
to start the computer in Safe Mode."
|
