FRISK Software International


Summary of W32/Mydoom.B@mm
Alias: Novarg, Win32.Mydoom.B, Mydoom.B, WORM_MYDOOM.B
Length: 29.184 bytes
Discovered: 28 Jan 2004
Definition files: 28 Jan 2004
Risk Level: Low
Distribution: Low
Infection Method: Infected e-mails, P2P file-sharing, network spreading
Payload: Mass mailing, system security compromise

Technical Description
Upon execution, W32/Mydoom.B@mm attempts to locate and remove W32/Mydoom.A@mm from the infected system. It first scans memory for processes that have an executable module named 'taskmon.exe', then for processes named 'taskmon.exe'. If either routine finds such a process, W32/Mydoom.B@mm attempts to terminate it.
It also attempts to locate and delete shimgapi.dll, the backdoor dropped by the A variant, from both the system directory and the default temporary folder currently in use.

W32/Mydoom.B@mm creates two files in the system directory:

%system_dir%\ctfmon.dll [6.144 bytes]
This is a backdoor component of W32/Mydoom.B@mm. Compressed with UPX and obfuscated with UPXredir.

%system_dir%\explorer.exe [29.184 bytes]
This is an identical copy of the worm.

The worm retrieves the current system date at this point of execution. If the date has passed the 1st of March 2004, the worm stops its execution.

The following registry modifications are made by the worm:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
The worm sets the default value to "%system_dir%\ctfmon.dll", so the backdoor DLL is loaded as an in-process COM server.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="%system_dir%\explorer.exe"


W32/Mydoom.B@mm overwrites the 'hosts' file, which Windows uses to assist in resolving domain names. The file is located at 'system32\drivers\etc\hosts'. The worm overwrites it with entries that point a list of domain names (chiefly antivirus vendors, Microsoft and advertising networks) to 0.0.0.0. If the date set for the DoS routine against Microsoft has not yet passed, it also appends 'www.microsoft.com' to the end of the hosts file.


These modifications leave the system unable to reach the domains listed in the hosts file through normal means, which blocks antivirus updates and Windows Update.
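A defender-side check for this tampering, added here as an example and not FRISK's own tooling: it parses a hosts file and reports any vendor or Microsoft name that has been pointed at 0.0.0.0 or 127.0.0.1. The hosts file content and the watched suffix list are constructed for the example.

```python
# Added example (not FRISK's code): detect hosts-file entries that redirect
# antivirus-vendor or Microsoft domains to a sinkhole address.
import re

# Constructed sample hosts file, modelled on the worm's modifications.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com
0.0.0.0 liveupdate.symantec.com update.symantec.com
0.0.0.0 windowsupdate.microsoft.com
192.168.1.10    fileserver.corp.example   # constructed legitimate entry
0.0.0.0 www.microsoft.com
"""

# Suffixes a defender would watch; a subset of the vendors the worm targets.
WATCHED_SUFFIXES = ("sophos.com", "symantec.com", "f-secure.com",
                    "mcafee.com", "nai.com", "microsoft.com", "trendmicro.com")

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; one line may map several names to one IP."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sinkholed_entries(text):
    """Return sorted hostnames that are watched and point at a sinkhole IP."""
    hits = {name for ip, name in parse_hosts(text)
            if ip in SINKHOLE_IPS and name != "localhost" and is_watched(name)}
    return sorted(hits)


if __name__ == "__main__":
    for host in find_sinkholed_entries(SAMPLE_HOSTS):
        print("hosts file redirects", host)
```

On a live system, read the text from system32\drivers\etc\hosts instead of SAMPLE_HOSTS.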


Similar to the A variant, the worm has a routine intended to perform a DoS attack on the domain www.sco.com on the 1st of February 2004. The attack is the same as the A variant's, except that this variant uses 7 additional threads alongside the main one when performing the actual DoS attack.
Each thread issues a 'GET / HTTP/1.1' request with 'Host: www.sco.com' to the domain, with a 512 millisecond delay.

It carries out a similar attack on 'www.microsoft.com' on the 3rd of February 2004.

W32/Mydoom.B@mm carries out a network scanning routine in parallel with the mass-mailing routine. The scanner looks for IPs listening on port 3127, the port the A variant's backdoor listens on by default. Once an infected host is found, the worm uses the 'File-upload' signature supported by the A variant's backdoor to upload and execute a copy of itself, thus updating the infection.
The scanning routine is rather simple: it begins by scanning part of the last octet of the current IP address (xxx.xxx.xxx.1, xxx.xxx.xxx.2, xxx.xxx.xxx.3, and so on), after which it scans IPs at random.
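Network-side detection of that behaviour, added here as an example and not part of the original description: from a firewall connection log it flags any source that probes port 3127 on several distinct hosts within a short window, and separately reports whether the targets show the sequential last-octet pattern described above. The log lines and thresholds are constructed for the example.

```python
# Added example (not FRISK's code): flag hosts sweeping the Mydoom.A backdoor port.
from collections import defaultdict
from datetime import datetime

# Constructed log: timestamp, source, destination, destination port.
SAMPLE_LOG = """\
2004-01-28 10:00:01 10.0.5.23 10.0.5.1 3127
2004-01-28 10:00:01 10.0.5.23 10.0.5.2 3127
2004-01-28 10:00:02 10.0.5.23 10.0.5.3 3127
2004-01-28 10:00:02 10.0.5.23 10.0.5.4 3127
2004-01-28 10:00:03 10.0.5.23 203.0.113.77 3127
2004-01-28 10:00:05 10.0.5.23 198.51.100.9 3127
2004-01-28 10:00:07 10.0.5.40 10.0.5.1 445
"""

BACKDOOR_PORT = 3127
MIN_TARGETS, WINDOW_SECONDS = 5, 60   # distinct targets within the window = sweep


def parse_log(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), src, dst, int(port)


def find_sweepers(text):
    """Return {source: sorted targets} for sources hitting MIN_TARGETS hosts on 3127."""
    events = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == BACKDOOR_PORT:
            events[src].append((ts, dst))
    sweepers = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):   # slide a window over each start time
            window = {d for t, d in hits[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(window) >= MIN_TARGETS:
                sweepers[src] = sorted(window)
                break
    return sweepers


def sequential_last_octets(targets):
    """True if one /24 was probed at .1, .2 and .3, the worm's starting pattern."""
    by_prefix = defaultdict(set)
    for t in targets:
        prefix, last = t.rsplit(".", 1)
        by_prefix[prefix].add(int(last))
    return any({1, 2, 3} <= octets for octets in by_prefix.values())
```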

The mass-mailing part of W32/Mydoom.B@mm is similar to the A variant in many ways. For a detailed description of the address search routine as well as the mass-mailing routine, consult the technical description of W32/Mydoom.A@mm.
The B variant adds a new message body, chosen at random when sending out infected e-mails:
    "Sendmail daemon reported:"
    "Error #804 occured during SMTP session. Partial message has been received".

Typical e-mails sent out by W32/Mydoom.B@mm might look like the following:


[From:] Forged address
[Subject:] Returned mail
[Body:] Long strings of garbled data
[Attachment:] doc.zip (~29 KB)



[From:] Forged address
[Subject:] Test
[Body:] "The message contains Unicode characters and has been sent as a binary attachment."
[Attachment:] "random characters".exe (~29 KB)



[From:] Forged address
[Subject:] Hello
[Body:] "Mail transaction failed. Partial message is available"
[Attachment:] body.zip (~29 KB)



Removal Instructions

Please follow the appropriate instructions for your system. Both the DOS scanner and the command-line scanner are included in F-Prot Antivirus for Windows:

DOS Scanner:


For Windows 95/98/ME:

To boot into DOS press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.

Windows ME users need to use a Windows startup disk.

In DOS mode at the command prompt type:

cd \        [ENTER]
cd progra~1        [ENTER]
cd fsi        [ENTER]
cd f-prot        [ENTER]
f-prot.exe        [ENTER]

This assumes that F-Prot Antivirus was installed in the default location. Set the scanner to "Automatic disinfection".



Command-line Scanner:


For Windows 2000/XP:

Click on START \ SHUT DOWN \ RESTART. As the computer is booting up press the F8 key and from the menu select:

"Safe mode with Command prompt"

At the command prompt type:

cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list        [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.



For Windows NT 4.0:

Restart the computer in SVGA mode (Safe Mode)

1. Click "Start" / "Run" / type "cmd"         [ENTER]

2. Command prompt window appears.

3. Press "Ctrl-Alt-Del" once and click on "Processes".

4. In "Processes" find "Explorer.exe" and select "End process". The Desktop will disappear and only the background/wallpaper and the command prompt window will be visible.

5. In the command prompt window type the following:



cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list       [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.



