F-Secure Virus Descriptions : MyDoom.BB
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
NAME: MyDoom.BB
ALIAS: MyDoom.M, Email-Worm.Win32.Mydoom.m, W32/Mydoom.bb@MM, W32/MyDoom-O, W32.Mydoom.AX@mm, Mydoom.AU, WORM_MYDOOM.BB
MyDoom.BB appeared on February 17th, 2005. Like the previous variants,
it is a mass-mailer that sends infected messages with various subject
lines and body texts.
The worm's body is a Windows PE executable file compressed with
the MEW executable compressor. It is most likely a binary-patched
and repacked version of the older variant, Mydoom.M.
Installation to system
When run, the worm copies itself to the Windows directory as "java.exe".
It also drops and executes the file "services.exe", a backdoor
component that listens on port 1034.
The worm installs the following registry value to ensure it is
executed when the system starts:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaVM" = "%WinDir%\java.exe"
The backdoor installs the following keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
or
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Services" = "%WinDir%\services.exe"
The worm also creates the following registry key if it does not already exist:
[HKLM\Software\Microsoft\Daemon]
Then the worm creates a mutex named
%hostname%root
to avoid running more than once simultaneously. The mutex name
is converted to upper case before use. %hostname% is the
name of the computer as returned by gethostname().
The worm also tries to hide its process by calling the Win32 function
RegisterServiceProcess.
Spreading in e-mails
The worm spreads by sending its infected attachment to all e-mail
addresses found on the infected computer. The worm looks for
e-mail addresses in the Windows Address Book and in files with
the following extensions:
pl.
ph.
tx.
ht.
asp
sht
adb
dbx
wab
It also tries to find addresses by querying the following web-based
search engines:
search.lycos.com
www.altavista.com
search.yahoo.com
www.google.com
The worm avoids sending e-mails to e-mail addresses that contain
any of the following substrings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
feste
help
soft
site
rating
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
It should be noted that the worm uses a much improved algorithm
for e-mail address recognition. It can now recognise obfuscated
addresses such as:
peter@nospam.domain.com
peter-at-domain-dot-com
peter at domain dot com
peter[at]domain[dot]com
These addresses are translated by the worm into a usable format.
The worm spreads itself in e-mail messages. Each message is
composed from a randomly chosen subject line, body text and
additional parts.
The subject line can be one of the following:
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
Body text can be one of the following:
{{The|Your} m|M}essage could not be delivered
The original message was included as attachment
The original message was received at $w{ | }from {$F [$i]|{$i|[$i]}}
----- The following addresses had permanent fatal errors -----
{<$t>|$t}
{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server ||||}{$T.|$i}:
{>>> MAIL F{rom|ROM}:$f
<<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
<<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
{<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}<<< 400}|}
{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.
The following recipients {did|could} not receive this message:
<$t>
Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}
Alternatives enclosed in braces and separated by "|" provide variation
in the message body text. For example, one of the final messages might
look like this:
The message was not delivered due to the following reason:
Your message could not be delivered because the destination computer
was unreachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message could not be delivered within 30 days:
Host mail.testnet is not responding.
The following recipients did not receive this message:
johndoe@testnet
Please reply to postmaster@testnet
if you feel this message to be in error.
The attachment filename is composed of one of the following names:
readme
instruction
transcript
mail
letter
file
text
attachment
document
with one of the following extensions appended:
scr
pif
exe
com
bat
cmd
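As an added example that is not part of F-Secure's description, the following Python translates the brace-and-bar template notation above into regular expressions, so a mail filter can test whether a bounce body is an exact expansion of the worm's own templates. The placeholder patterns for $i and $D and the sample bounce text are assumptions of this example; the template lines themselves are copied from the description.

```python
import re
# Regex fragments for the $-placeholders the templates use; the page does not
# define them formally, so these patterns are assumptions of this example.
PLACEHOLDERS = {
    "$i": r"[^\s\[\]]+",  # host name or IP address
    "$D": r"\d+",         # number of days
}

def template_to_regex(tpl: str) -> str:
    """Translate a {a|b|c} template (nested, empty alternatives allowed) into a regex."""
    pos = 0
    def parse_seq() -> str:
        nonlocal pos
        out = []
        while pos < len(tpl) and tpl[pos] not in "|}":
            if tpl[pos] == "{":                     # alternative group
                pos += 1
                alts = [parse_seq()]
                while pos < len(tpl) and tpl[pos] == "|":
                    pos += 1
                    alts.append(parse_seq())
                if pos == len(tpl):
                    raise ValueError("unbalanced '{' in template")
                pos += 1                            # consume the closing '}'
                out.append("(?:" + "|".join(alts) + ")")
            elif tpl[pos:pos + 2] in PLACEHOLDERS:  # $-variable
                out.append(PLACEHOLDERS[tpl[pos:pos + 2]])
                pos += 2
            else:                                   # literal character
                out.append(re.escape(tpl[pos]))
                pos += 1
        return "".join(out)
    rx = parse_seq()
    if pos != len(tpl):
        raise ValueError("unbalanced '}' in template")
    return rx

# Template lines taken from the description above (a subset).
TEMPLATES = [
    "{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:",
    "Your message {was not|could not be} delivered within $D days:",
    "{{{Mail s|S}erver}|Host} $i is not responding.",
]
COMPILED = [re.compile(template_to_regex(t)) for t in TEMPLATES]

def template_hits(body: str) -> int:
    """Number of body lines that are exact expansions of one of the templates."""
    return sum(1 for ln in body.splitlines() if any(r.fullmatch(ln.strip()) for r in COMPILED))

# Constructed bounce text in the worm's style, following the page's example.
SAMPLE = ("The message was not delivered due to the following reason:\n"
          "Your message could not be delivered within 30 days:\n"
          "Host mail.testnet is not responding.\n")
```

A gateway rule would combine a non-zero hit count with the subject lines and the attachment naming scheme listed above, rather than relying on the body text alone.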
Payload
When the worm's file is run, it tries to download and execute an
additional file before executing the main component. This file
is a backdoor detected as 'Backdoor.Win32.Surila.o'. This functionality
is patched in the worm's binary.
The worm also drops a backdoor component that listens on port 1034/TCP.
By connecting to this port, the attacker can upload and execute arbitrary
files and retrieve a list of infected computers.
Mydoom.BB also tries to locate the window objects of Outlook and Internet
Explorer and kill those applications if they are running. It attempts to
do this by sending the Windows messages WM_QUIT, WM_CLOSE and WM_DESTROY
to the applications' main window objects.
F-Secure Anti-Virus detects the Email-Worm.Win32.Mydoom.m worm with the
following update:
[FSAV_Database_Version]
Version=2004-07-26_04
Technical Details:
Jarkko Turkulainen; February 17th, 2005;
F-Secure Corporation