Date: 29 January 2004
References:
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0075 -- US CERT Technical Alert
TA04-028A MyDoom.B Rapidly Spreading
29 January 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Publisher: US-CERT
Operating System: Windows
Impact: Reduced Security
Distributed Denial of Service
Access Required: Remote
Ref: AL-2004.02
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MyDoom.B Rapidly Spreading
Mydoom.B is a new variant of the Mydoom worm and is about 29,184
bytes. This variant attempts to perform a Distributed Denial of
Service (DDoS) attack against Microsoft.com. Details regarding this
new worm are still emerging, but it has been validated as spreading in
the wild. Facts about the worm will be further qualified with follow
up reports following this initial analysis.
For the latest information about this worm from US-CERT, readers are
encouraged to visit http://www.us-cert.gov/cas/techalerts/TA04-028A.html.
E-mails sent out by Mydoom.B are highly randomized. The From address
may be spoofed to include one of the following domains: aol.com,
msn.com, yahoo.com and hotmail.com. A randomized string value may then
be combined with these to generate new e-mails. This may result in
overload e-mail servers with many false addresses and auto-replies
associated with such traffic.
The subject is randomized to include one of the following
following:
* Delivery Error
* hello
* Error
* Mail Delivery System
* Mail Transaction Failed
* Returned mail
* Server Report
* Status
* Unable to deliver the message
The subject may also contain randomized data as seen in a recent live
sample: "RE: I still love you fLctv".
The message body is also randomized to include one of the
following:
* RANDOMIZED CHARACTERS
* test
* The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
* sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received.
* The message contains Unicode characters and has been sent as a
binary attachment.
* The message contains MIME-encoded graphics and has been sent as a
binary attachment.
* Mail transaction failed. Partial message is available.
The attachments have a randomized filename selected from one of the
following string values:
* body
* doc
* text
* document
* data
* file
* readme
* message
The randomized string value is then combined with a randomized
extension: .exe, .bat, .scr, .cmd or .pif. If the malicious attachment
is executed, it then opens notepad.exe and displays garbled data
(binary).
Once executed, the worm attempts to create the following files in the
Windows System directory: explorer.exe and dtfmon.dll. The Windows
registry is then modified to run the worm in memory upon Windows
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Explorer=C:WINDOWS SYSTEM DIRECTORY\explorer.exe
The DLL component is associated with a backdoor feature of this worm.
It is likely that this Trojan worms like the one in Mydoom.A. It scans
through a range of TCP addresses looking for inbound TCP traffic.
Inbound TCP traffic can be used to configure the infected computer as
a proxy computer or to install code of choice on the infected
computer. More importantly, attackers are already working on tools to
hijack Mydoom infected computers to install code of choice.
The DDoS attack of Mydoom.B is against www.microsoft.com. There is
information claiming that it may also be directed at sco.com, but this
is unsubstantiated at this time. It appears that the more credible
data is that it only performs a DDoS attack against www.microsoft.com,
though a previosu version of the virus is confirmed to attack SCO.
To spread over the KaZaA P2P network, Mydoom.B creates copies of
itself in the KaZaA shared directory with randomized filenames.
Filenames include:
* attackXP-1.26
* BlackIce_Firewall_Enterpriseactivation_crack
* MS04-01_hotfix
* NessusScan_pro
* icq2004-final
* winamp5
* xsharez_scanner
* zapSetup_40_148
A randomized extension is then added to the filename selected above,
being .exe, .scr, .pif or .bat.
Mydoom.B attempts to harvest e-mails from Temporary Internet files as
well as via randomized e-mails aforementioned. It does not include any
e-mails containing the following strings: abuse, accoun, certific,
listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste,
submit, help, service, privacy, somebody, soft, contact, site, rating,
bugs, your, someone, anyone, nothing, nobody, noone, webmaster,
postmaster, support, samples, info, root, ruslis, nodomai, mydomai,
example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda,
icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur,
isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet,
fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix,
berkeley and spam.
Mydoom.B also opens TCP port 10080. The worm contains the following
string: "sync-1.01; andy; I'm just doing my job, nothing personal,
sorry".
Alias: Mydoom, Novarg, Mydoom.B
Sources:
F-Secure Corp. (http://www.f-secure.com/v-descs/mydoom_b.shtml),
Jan. 28, 2004
Bit Defender
(http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186),
Jan. 28, 2004
iDEFENSE Intelligence Operations, Jan. 28, 2004 Sensible Security
Solutions Inc. (http://www.sss.ca/), Jan. 28, 2004
According to iDEFENSE, this new variant of Mydoom appears to have
different MIMI data for malicious e-mails. The content type appears to
be plain text and includes a ZIP extension. Mydoom.A had a content
type of application/octet-stream and multipart/mixed data. It is
likely that this newest variant of Mydoom will become very widespread
in the wild. The first variant had well over 3M interceptions by just
two sources in the first 18 hours of the outbreak.
Look for questionable files about 29,184 bytes. Look for notepad.exe
to be opened, displaying binary data (garbled text). Also look for the
Windows registry created by the worm.
Recovery: Remove all files and the Windows registry key modifications
associated with this malicious code threat. Restore corrupted or
damaged files with clean backup copies.
Workaround: Configure e-mail servers and workstations to block file
types commonly used by malicious code to spread to other computers.
Block ZIP and executable extensions on the gateway and groupware
level. Also monitor traffic on the network and block ports associated
with Mydoom, especially inbound TCP ports for the backdoor Trojan
component and the outbound TCP 10080 port data. Administrators may
also find value in monitoring traffic associated with the DDoS
component. Carefully manage all new files, scanning them with updated
anti-virus software using heuristics prior to use.
Vendor Fix: Anti-virus vendors will likely release updated signature
files to protect against this malicious code in the near future. Some
anti-virus applications may detect this malicious code heuristically.
Name of Malicious Code: Mydoom.B
Aliases:
Mydoom.B
Mydoom
Novarg
Size in Bytes: 29184
Subjects: RE: I still love you fLctv
Body: Error 551: We are sorry your UTF-8 encoding is not supported
by the server, so the text was automatically zipped and attached to
this message.
Attachments: message.zip
This document was developed based on material contributed by iDEFENSE.
Our thanks for their contribution.
Last updated January 28, 2004
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAGEufXlvNRxAkFWARAjEOAJ92cfCtcUVX+/6CGoRwGj7mIbxhzQCg0mdJ
/ip1ThurA7opfYb0JUET2UI=
=j+iB
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQBiJQCh9+71yA2DNAQGRDAQAjwAerUZQeeRlgIF0Y8VeZ4Fcvaq7s1hK
jmUisWd4gLinU+PohgVml8LNDEGakFyMicUWHALKIOIbp81iq2vB03Eus/wncitR
K2KvLLQQerRT1NbhRAeLKCZJQ0UahzyIYNy4eJOn8ETBdwf9BrekgUdtzE6Ws4hK
wc3vt+a2MIs=
=jiKS
-----END PGP SIGNATURE-----
|