The W32/Mydoom.A@mm is a mass-mailing worm that carries several payloads. Written in C++, the worm is compressed with the UPX executable packer and is 22,528 bytes in size. The worm contains several encrypted strings that are decrypted as needed using one shared decryption routine. When first executed, the worm opens Notepad displaying a meaningless jumble of data.
The worm queries the registry for certain information about 'explorer.exe' on the system. If that information is not accessible, the worm creates a mutex in memory with the name 'SwebSipcSmtxS0'.
The worm places two files under the system directory when executed:
%system_dir%\shimgapi.dll
- This file is the backdoor component of the W32/Mydoom.A@mm worm.
%system_dir%\taskmon.exe
- This file is an exact copy of the worm.
The worm then retrieves the system date. If the date is later than the 11th of February 2004, it exits at this point without any further action.
The worm searches the registry for the presence of 'Kazaa', a file-sharing program. If found, the worm places a copy of itself in the Kazaa 'Shared folder', with a name chosen randomly from the following list with an extension of '.bat', '.exe', '.scr', or '.pif':
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
winamp5
The worm contains a routine intended to perform a DoS (Denial of Service) attack against the domain www.sco.com. The routine starts late on Sunday the 1st of February. The worm first determines whether an internet connection is present; if it is, the worm sets up 63 individual threads. Then, after a short waiting period, each thread issues a 'GET / HTTP/1.1' request to the server address resolved for the domain name 'www.sco.com'.
To ensure that it is executed whenever Windows starts, the worm creates the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="%system_directory%\taskmon.exe"
If this value cannot be created, the worm tries to create the same value under the current user's hive in the registry:
[HKEY_CURRENT_USER\{User ID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="%system_directory%\taskmon.exe"
Mass mailing
To gather e-mail addresses, the worm looks through each entry in the Windows Address Book (WAB), and also searches the fixed drives of the computer for files with any of the following extensions: .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .wab, .pl and .txt
Each of these files is parsed by the worm. During this routine it performs several tests on the harvested e-mail addresses, such as a simple validation of the address and a comparison with several hardcoded names inside the worm's body. The outcome of these tests determines whether or not the worm sends an infected message to that particular address.
The worm also attempts to construct new addresses for domains from which it has already harvested valid e-mail addresses. For that purpose the worm contains a list of names within its body; examples of these names are the following:
'john' 'john' 'alex' 'michael' 'james' 'mike' 'kevin' 'david' 'george' 'sam' 'andrew' 'jose' 'leo' 'maria' 'jim' 'brian' 'serg' 'mary' 'ray' 'tom' 'peter' 'robert' 'bob' 'jane' 'joe' 'dan' 'dave' 'matt' 'steve' 'smith' 'stan' 'bill' 'bob' 'jack' 'fred' 'ted' 'adam' 'brent' 'alice' 'anna' 'brenda' 'claudia' 'debby' 'helen' 'jerry' 'jimmy' 'julie' 'linda' 'sandra'.
The W32/Mydoom.A@mm has a built-in routine to communicate with SMTP servers. Using this routine, the worm is able to forge the FROM: address that appears to the end user.
For the FROM: field, the worm usually uses a harvested e-mail address from the infected system, or it combines a harvested domain with one of the predefined names inside the worm's body. The worm is also able to retrieve the addresses of remote SMTP servers through MX record queries.
The e-mails sent by W32/Mydoom.A@mm have the following signature:
The subject can be one of the following, note that these subjects can appear all in lowercase letters, all in uppercase or in a mixture of the two:
Error
Status
Test
Hi
Hello
Server Report
Mail Delivery System
Mail Transaction Failed
Attachments can have any one of the following names:
'document', 'body', 'message', 'readme', 'doc', 'text', 'file', 'data', 'test'.
The extensions can be any of the following: '.scr', '.zip', '.pif', '.exe', '.cmd', '.bat'.
Because of an internal error, the worm can at times send out infected e-mails with obscure subjects. Those subjects might appear as a string of characters, such as 'jjuvabzujznniidx' or 'wgxtvooelr'; the worm also sends out e-mails with a blank subject.
The message body can be one of the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
test
Typical e-mail sent out by the W32/Mydoom.A@mm might look like the following:
[FROM:] 'Forged address'
[Subject:] 'Test'
[Body:] 'The message contains Unicode characters and has been sent as a binary attachment'
[Attachment:] 'body.zip'
[FROM:] 'Forged address'
[Subject:] 'Server Report'
[Body:] 'test'
[Attachment:] 'file.zip'
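To make the e-mail signature above concrete, here is an added Python example (not part of the original description) that checks a message's subject, body and attachment name against the lists given above. The regular expression used to recognise the garbled subjects and the sample messages are assumptions.

```python
import re

# Signature elements from the description above; subjects are matched case-insensitively.
SUBJECTS = {"error", "status", "test", "hi", "hello", "server report",
            "mail delivery system", "mail transaction failed"}
BODIES = {
    "mail transaction failed. partial message is available",
    "the message contains unicode characters and has been sent as a binary attachment",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "test",
}
ATTACH_NAMES = {"document", "body", "message", "readme", "doc", "text", "file", "data", "test"}
ATTACH_EXTS = {"scr", "zip", "pif", "exe", "cmd", "bat"}
# Assumption: the malformed subjects ('jjuvabzujznniidx', 'wgxtvooelr') are runs of lowercase letters.
GARBLED_SUBJECT = re.compile(r"^[a-z]{8,20}$")

def subject_matches(subject):
    s = " ".join(subject.split()).lower()
    return s == "" or s in SUBJECTS or bool(GARBLED_SUBJECT.match(s))

def body_matches(body):
    # Normalise whitespace and drop the optional trailing full stop before comparing.
    return " ".join(body.split()).lower().rstrip(".") in BODIES

def attachment_matches(filename):
    name, dot, ext = filename.lower().rpartition(".")
    return dot == "." and name in ATTACH_NAMES and ext in ATTACH_EXTS

def classify(subject, body, attachment):
    """Return the names of the signature elements that matched."""
    hits = []
    if subject_matches(subject):
        hits.append("subject")
    if body_matches(body):
        hits.append("body")
    if attachment_matches(attachment):
        hits.append("attachment")
    return hits

def is_suspect(subject, body, attachment):
    # The attachment is the strongest indicator; require one more element to limit
    # false positives (a blank or "Hi" subject alone is common in legitimate mail).
    hits = classify(subject, body, attachment)
    return "attachment" in hits and len(hits) >= 2

if __name__ == "__main__":
    # Constructed samples: the two messages shown above plus a benign one.
    for msg in [("Test", "The message contains Unicode characters and has been sent as a binary attachment", "body.zip"),
                ("SERVER REPORT", "test", "file.zip"),
                ("Quarterly figures", "Please see attached.", "report.pdf")]:
        print(msg[0], "->", is_suspect(*msg), classify(*msg))
```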
Backdoor
The W32/Mydoom.A@mm drops a file under the system directory of the infected system under the name of 'shimgapi.dll'. This file serves as a backdoor to the infected system. The actual backdoor is installed to the system by adding the value:
'%system directory%\shimgapi.dll' to the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
Using this method, the backdoor 'shimgapi.dll' is loaded into the address space of 'explorer.exe'. The backdoor does not appear as a separate process; instead it runs as a module inside explorer.exe. The backdoor binds itself to a TCP socket in the port range 3127 to 3198, using the first available port number.
This backdoor enables unauthorized persons to take a variety of actions remotely on the local system, such as uploading files, executing files on the local system, etc.
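The persistence value, the CLSID hijack and the backdoor port range described above can be checked together from a host inventory. The following Python is an added example, not code from the original description: it expects data already collected from the host (a registry export as a dict, plus socket and process lists as produced by 'netstat -ano' and 'tasklist'), so the logic itself runs anywhere. The sample inventory is constructed, and it is an assumption that the shimgapi.dll path is written to the InProcServer32 key's default value.

```python
# Indicators from the description above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
CLSID_INPROC = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
                r"\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32")
BACKDOOR_PORTS = range(3127, 3199)   # 3127..3198 inclusive; the first free port is used

def check_registry(values):
    """values: {(key_path, value_name): data}; value_name '' is the key's default value
    (assumption: that is where the worm writes the shimgapi.dll path)."""
    findings = []
    for key in RUN_KEYS:
        data = values.get((key, "TaskMon"), "")
        if data.lower().endswith("\\taskmon.exe"):
            findings.append(("persistence", key + "\\TaskMon", data))
    data = values.get((CLSID_INPROC, ""), "")
    if data.lower().endswith("\\shimgapi.dll"):
        findings.append(("backdoor_dll", CLSID_INPROC, data))
    return findings

def check_listeners(sockets, processes):
    """sockets: [(proto, local_addr, state, pid)] as in `netstat -ano`; processes: {pid: image}.
    Flags TCP listeners in the backdoor port range that live inside explorer.exe, since the
    backdoor runs as a module there rather than as its own process."""
    findings = []
    for proto, local, state, pid in sockets:
        port = int(local.rsplit(":", 1)[1])
        if (proto == "TCP" and state == "LISTENING" and port in BACKDOOR_PORTS
                and processes.get(pid, "").lower() == "explorer.exe"):
            findings.append(("backdoor_listener", local, processes[pid]))
    return findings

# Constructed sample inventory (not taken from a real host).
SAMPLE_REGISTRY = {
    (RUN_KEYS[0], "TaskMon"): r"C:\WINDOWS\System32\taskmon.exe",
    (RUN_KEYS[0], "ctfmon.exe"): r"C:\WINDOWS\System32\ctfmon.exe",
    (CLSID_INPROC, ""): r"C:\WINDOWS\System32\shimgapi.dll",
}
SAMPLE_SOCKETS = [
    ("TCP", "0.0.0.0:135", "LISTENING", 900),
    ("TCP", "0.0.0.0:3127", "LISTENING", 1204),
    ("TCP", "192.168.1.5:3128", "ESTABLISHED", 2048),
]
SAMPLE_PROCESSES = {900: "svchost.exe", 1204: "explorer.exe", 2048: "firefox.exe"}

if __name__ == "__main__":
    for f in check_registry(SAMPLE_REGISTRY) + check_listeners(SAMPLE_SOCKETS, SAMPLE_PROCESSES):
        print(*f)
```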