Email-Worm.Win32.Mydoom.b

Technical Details

Mydoom.b is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size.

The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.

The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.

Part of the body of the worm is encrypted.

The unpacked file contains the following text:

(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

Installation

Following launch, the worm opens Windows Notepad, showing a random selection of symbols:

During installation, the worm copies itself under the name explorer.exe to the Windows system directory, and registers this file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "TaskMon" = "%System%\explorer.exe"

The worm creates the file ctfmon.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
 "Apartment" = "%SysDir%\ctfmon.dll"

Ctfmon.dll will therefore launch as a procedure linked to Explorer.exe.

The worm also creates a file called Body in the temporary directory (usually in %windir%\temp). This file contains a random selection of symbols.

So that the worm can identify itself in the system, it creates several additional keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]

While running it also creates a unique identifier sync-v1.01__ipcmtx0.

Mydoom.b replaces the standard file 'hosts' in the Windows directory into with its own version (under the same name). This file will now prevent user access to the following domains:

ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net banner.fastclick.net banners.fastclick.net ca.com click.atdmt.com clicks.atdmt.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net fastclick.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com media.fastclick.net msdn.microsoft.com my-etrust.com nai.com networkassociates.com

office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.fastclick.net www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.ru www3.ca.com

Mailing letters

Emails are sent in the same way that Mydoom.a uses except for the following changes.

The body text is chosen at random from the following:

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received

The message contains Unicode characters and
has been sent asa binary attachment.

The message contains MIME-encoded graphics and
has been sent as a binary attachment

Mail transaction failed. Partial message is available.

Mydoom.b might also send emails with random strings of characters in the subject, body and attachment name.

Propagation via P2P

The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:

NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final

with the following extensions:

bat
exe
scr
pif