|Detected||Oct 16 2004 13:46 GMT|
|Released||Oct 16 2004 14:06 GMT|
|Published||Oct 16 2004 13:46 GMT|
This worm is a modification of Mydoom.a. It spreads via the Internet as an attachment to infected emails and via the Kazaa file-sharing network.
The worm itself is a PE EXE file which is 51712 bytes in size, packed using UPX.
The worm is only activated if the user opens the archive and launches the infected file by doubling clicking on the attachment. The worm will then install itself on the system and commence its propagation routine.
The worm contains a backdoor component.
When installing, the worm copies itself under the name avpr.exe to the Windows system directory, and registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Avpr"="%System%\avpr.exe"
This ensures that the worm will be launched every time the machine is rebooted.
The worm creates a file named tcp5424.dll in the Windows system registry. This file is the backdoor component, and it is also registered in the system registry:
This ensures that the DLL will be launched as an Explorer.exe child process.
The worm creates several additional key values in the system registry to flag its presence in the system:
And also creates the unique identifier 'My-Game' in memory.
The worm substitutes its own file for the the standard 'hosts' file in the Windows directory. This means that users of infected machines will be unable to access the following domains:
avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com f-secure.com kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com mast.mcafee.com mcafee.com my-etrust.com nai.com networkassociates.com rads.mcafee.com secure.nai.com securityresponse.symantec.com sophos.com symantec.com trendmicro.com update.symantec.com updates.symantec.com us.mcafee.com viruslist.com viruslist.com www.avp.com www.ca.com www.f-secure.com www.kaspersky.com www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.pandasoftware.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com
The worm creates a file named msg15.txt in the Windows system directory which contains the following text:
Lucky's Av's ;P~. Sasser author gets IT security job and we will work with Mydoom , P2P worms and exploit codes .Also we will attack f-secure,symantec,trendmicro,mcafee , etc. The 11th of march is the skynet day lol . When the beagle and mydoom loose, we wanna stop our activity <== so Where is the Skynet now? lol.
This Will Drop W32.Scran P2P Worm
The worm also attempts to download a file named 'scran.jpg' from a specific site and to save it in the C: root directory under the name 'Scran.exe'. This file is Worm.P2P.Scranor.a, another network worm.
The worm's mass mailing function is almost identical to that of Mydoom.a.
The message body is composed of three parts, which are chosen at random from the three groups listed below.
Daily Report. here is the document. Important Information. Reply your document. Details are in the attached document. Kill the writer of this document! Monthly news report. Please answer quickly!. Please confirm!. Please read the attached file!. Please see the attached file for details. Please see the attached file for details Check the attached document. See the attached file for details Waiting for a Response. Please read the attachment. +++ AntiVirus - www.f-secure.com Norton AntiVirus - www.symantec.com +++ AntiVirus - www.kaspersky.com Panda AntiVirus - +++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com Bitdefender AntiVirus - +++ www.bitdefender.com MC-Afee AntiVirus - www.mcafee.com Kaspersky +++ www.pandasoftware.com Norman AntiVirus - www.norman.com F-Secure
'tcp5424.dll', which is installed by the worm, is a backdoor. The worm opens TCP port 5424 to receive commands.
The worm searches the system registry for the 'ICQ Net' and 'MsnMsgr' values and deletes them.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.