
Virus Detail

Win32.Mydoom.B

Date Published:
28 Jan 2004

Last Updated:
3 Mar 2004

Threat Assessment

Overall Risk:     None
Wild:             Low
Destructiveness:  High
Pervasiveness:    High

Characteristics

Type: Worm

Category: Win32

Also known as: ZIP.Mydoom.B, I-Worm.Mydoom.b (Kaspersky), WORM_MYDOOM.B (Trend), Win32/Mydoom.B.Worm, W32/Mydoom.B@mm (F-Secure), W32/Mydoom.b@MM (McAfee)

Immediate Protection Info

Product                                          Signature
eTrust Antivirus v7/8* (InoculateIT Engine)      23.63.82
eTrust EZ Antivirus 6.1x                         6.x/5187
eTrust InoculateIT 6.0 / eTrust Antivirus 6.0    23.63.82
Inoculan/InoculateIT 4.x                         45.82
Vet 11.2x                                        11.2x/8114
Vet Anti-Virus 10.5x                             10.5x/5187
Vet Anti-Virus 10.6x                             10.6x/8114

Description

Cleaning Utility Available: ClnMydoom.zip, a utility that cleans a local machine affected by Win32.Mydoom.B and its variants, can be downloaded from this page.

This utility may be especially useful for those who either do not use CA Antivirus solutions, or who use products based on older technology that does not support system cleaning. Please check the Removal Instructions for your CA Antivirus solution to ascertain whether you require the cleaning utility.

Warning: Before running ClnMydoom.com, please ensure that you carefully review the ReadMe.txt instruction file that accompanies this utility.

--------------------

Win32.Mydoom.B is a worm that spreads via e-mail and the KaZaA file-sharing network. It has been distributed as a 29,184-byte Win32 executable, which may be delivered inside a ZIP archive.

Method of Installation

When executed, the worm copies itself to the %System% directory as explorer.exe and modifies the registry so that this copy runs at the next system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "%System%\explorer.exe"

Note that the genuine Windows shell, explorer.exe, resides in the Windows directory (%Windir%), not in %System%, and is not started through the Run key; an explorer.exe in %System%, or a Run value pointing at one, is therefore a reliable indicator of this worm.

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

The worm also drops a file called CTFMON.DLL into the %System% directory and registers it as the in-process server for a CLSID that Windows Explorer loads, so that the DLL runs inside the Explorer process:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\ctfmon.dll"

The file name mimics ctfmon.exe, the legitimate Text Services Framework loader, but the DLL is not a Windows component.

When executed, the worm creates the mutex "sync-v1.01__ipcmtx0" in order to make sure only one copy of the worm runs at a time.

When the worm is executed for the first time, there is a 20% chance that it will display a fake error message box.

The other 80% of the time, it creates a file in the Temp folder and opens it in Notepad. The file is called "Message", "Body" or "Email" and contains between approximately 4 and 12 kilobytes of randomly generated characters.

The worm also creates two registry keys, which it uses to recognise that it has previously been run on the current machine:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
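The registry artifacts above can be checked offline against a registry export, for example one taken from a suspect machine with regedit's File > Export or `reg export` (which writes UTF-16; decode it before passing the text in). The following Python script is an added example written for this advisory, not CA code and not part of the cleaning utility: it parses .reg text, flags the Run value, the hijacked CLSID and the two marker keys, and runs against a constructed sample export. SAMPLE_REG is constructed for illustration, not a capture from an infected machine.

```python
"""Offline triage of a Windows registry export (.reg text) for Win32.Mydoom.B artifacts.

Added example for this advisory; not CA code. Parses the text regedit / `reg export` produce.
"""
import re

# Registry locations named in the advisory, spelled the way regedit exports them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
)
# Default %System% locations quoted in the advisory. The genuine explorer.exe lives in
# %Windir% (one level up), never in %System%, and is not started via the Run key.
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system", r"c:\windows\system32")


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: string_data}}. The default value is named '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue  # hex:/dword: continuation lines are not needed for these checks
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name.lower()] = data
    return keys


def find_mydoom_b(keys):
    """Return human-readable findings; an empty list means none of the artifacts are present."""
    findings = []
    target = keys.get(RUN_KEY.lower(), {}).get("explorer", "")
    if target:
        path = target.strip('"').lower()
        if path.endswith("explorer.exe"):
            in_system = any(path.startswith(d + "\\") for d in SYSTEM_DIRS)
            where = "%System% folder (worm copy)" if in_system else "unexpected location"
            findings.append(f"Run\\Explorer autostarts explorer.exe from the {where}: {target}")
    inproc = keys.get(CLSID_KEY.lower(), {}).get("@", "")
    if inproc.lower().endswith("ctfmon.dll"):
        # Windows ships ctfmon.exe; a ctfmon.dll registered as a shell COM server is the worm's DLL.
        findings.append(f"Shell CLSID InProcServer32 points at {inproc}")
    for key in MARKER_KEYS:
        if key.lower() in keys:
            findings.append(f"infection marker key present: {key}")
    return findings


# Constructed sample export (not a capture): all three artifacts beside a benign ctfmon.exe entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Explorer"="C:\\WINDOWS\\System32\\explorer.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\ctfmon.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
'''

if __name__ == "__main__":
    for finding in find_mydoom_b(parse_reg(SAMPLE_REG)):
        print("SUSPECT:", finding)
```

The benign ctfmon.exe Run entry in the sample is deliberately not flagged; only the worm's explorer.exe value, the hijacked CLSID and the marker keys are reported.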

Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension. The From address is spoofed, so the apparent sender is not the infected machine, and blocking or replying to that address achieves nothing.

The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:

Delivery Error
Error
hello
hi
Mail Delivery System
Mail Transaction Failed
Returned mail
Server Report
Status
test
Unable to deliver the message

The Message Body may be selected from a list carried by the worm, empty, or consist of randomly-generated, illegible garbage. Examples of Message Bodies used by the worm:

The message contains Unicode characters and has been sent as a binary attachment.

The message contains MIME-encoded graphics and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

sendmail daemon reported:
Error #804 occured during SMTP session. Partial message has been received.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:

body
doc
text
document
data
file
readme
message

Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.

The worm is coded to stop spreading on 2nd March 2004 (it stops sending e-mail and spreading through KaZaA). However, even if the worm is executed after this date, it still drops ctfmon.dll and activates the backdoor.
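As an added example for this advisory (not CA code), the following Python heuristic applies the message characteristics above at a mail gateway: it decodes a message, checks the Subject against the list the worm carries, and flags any attachment with one of the executable extensions listed, whether attached directly or inside a ZIP archive. Because the worm also uses random subjects and names, the attachment test is decisive and the list matches only add evidence. The message built by build_sample() is constructed and carries harmless placeholder bytes, not the worm.

```python
"""Mail-gateway heuristic for the Win32.Mydoom.B message format described in the advisory.

Added example; not CA code. Subject and name lists are those quoted in the advisory.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SUBJECTS = {"delivery error", "error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "returned mail", "server report", "status",
            "test", "unable to deliver the message"}
NAMES = {"body", "doc", "text", "document", "data", "file", "readme", "message"}
EXECUTABLE_EXTS = {".bat", ".cmd", ".pif", ".exe", ".scr"}


def split_name(filename):
    """Lower-cased (stem, extension) of the last path component; the extension keeps its dot."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext) if dot else (base, "")


def executable_members(zip_bytes):
    """Names of ZIP members with an executable extension; [] if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if split_name(n)[1] in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def classify(raw_message):
    """Return (block, reasons). block is True when an executable arrives directly or inside a ZIP."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons, block = [], False
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        reasons.append(f"subject from worm list: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        stem, ext = split_name(fname)
        carried = [fname] if ext in EXECUTABLE_EXTS else []
        if ext == ".zip":
            carried = executable_members(part.get_payload(decode=True) or b"")
        for item in carried:
            block = True
            tag = " (name from worm list)" if split_name(item)[0] in NAMES else ""
            inside = f" inside {fname}" if item != fname else ""
            reasons.append(f"executable attachment {item}{tag}{inside}")
    return block, reasons


def build_sample():
    """Constructed message in the advisory's layout: spoofed From, listed subject/body, ZIP-wrapped .pif."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("document.pif", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.invalid"   # spoofed, as the advisory notes
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample()))
```

A gateway policy that quarantines every .bat/.cmd/.pif/.exe/.scr attachment, including inside ZIP archives, stops this worm regardless of the random names and subjects; the list matches are useful only for attribution.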

Via P2P File Sharing

The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:

attackXP-1.26
BlackIce_Firewall_Enterpriseactivation_crack
icq2004-final
MS04-01_hotfix
NessusScan_pro
winamp5
xsharez_scanner
zapSetup_40_148

Possible extensions are:

bat
exe
pif
scr

Payload

Backdoor Functionality

Win32.Mydoom.B opens and listens on TCP port 1080 (if this port is already in use, the worm tries the next free port from the list 3128, 80, 8080, 10080). It acts as a SOCKS proxy and can be used to relay network traffic through the affected system. In addition, it supports a backdoor command that allows other programs to be uploaded to and executed on the compromised system. A listening socket on one of these ports that no installed software accounts for should be traced to its owning process (netstat -ano on Windows XP).

The worm scans the network for hosts with TCP port 3127 open. Once found, it sends a command and a copy of itself through the port for the remote machine to execute. Since Mydoom.A listens on port 3127 and accepts the same instruction, this appears to be an attempt to upgrade existing Mydoom.A infections to the new variant.

Mydoom.B also tries to remove the previous variant, Mydoom.A. It attempts to kill the process "taskmon.exe" and to delete the file "shimgapi.dll" from both the System and Temp directories.

Blocks access to specific web sites

The worm modifies the HOSTS file every time it runs, adding entries that map the following sites to 0.0.0.0 so that they cannot be reached from the infected machine (cutting off anti-virus updates, Windows Update and the vendors' web sites):

ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
f-secure.com
fastclick.net
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.f-secure.com
www.fastclick.net
www.kaspersky.ru
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com

If the worm is executed after 3rd February, the line "0.0.0.0  www.microsoft.com" is not written to the HOSTS file, so that the site remains reachable from the infected machine (the worm's Denial of Service attack against www.microsoft.com starts on the same date, see below).

The HOSTS file maps host names to IP addresses and is consulted by the resolver before DNS, which is why these entries block access regardless of the DNS servers in use. On XP, 2000 and NT systems the file is located at %System%\drivers\etc\hosts; on 9x systems it is located at %Windows%\hosts.
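Because the worm rewrites the HOSTS file on every run, the entries return until the worm itself is removed; once it is, the file still has to be restored. The following Python is an added example for this advisory (not CA code and not the ClnMydoom utility): it parses HOSTS text, reports every non-local name mapped to 0.0.0.0 or a loopback address (a generic test that catches the whole list above without hard-coding it), and returns cleaned text that keeps the localhost line and legitimate entries. SAMPLE_HOSTS is a constructed file, not a capture from an infected machine.

```python
r"""Detect and undo HOSTS-file sinkholing of the kind Win32.Mydoom.B performs.

Added example for this advisory; not CA code. Operates on the text of a HOSTS file read from
%System%\drivers\etc\hosts (NT/2000/XP) or %Windows%\hosts (9x); it never touches the live file.
"""
import ipaddress

# Names that legitimately map to loopback in a Windows HOSTS file.
LOCAL_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every non-comment, non-blank line."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield no, fields[0], fields[1:]


def is_sinkhole(ip):
    """True for 0.0.0.0 (what the worm writes) and for loopback addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_unspecified or addr.is_loopback


def find_sinkholed(text):
    """Return [(line_number, ip, hostname)] for non-local names pointed at a sinkhole address."""
    hits = []
    for no, ip, names in parse_hosts(text):
        if is_sinkhole(ip):
            hits += [(no, ip, n.lower()) for n in names if n.lower() not in LOCAL_NAMES]
    return hits


def clean_hosts(text):
    """Return the HOSTS text without sinkholed names. Untouched lines keep their exact formatting."""
    out = []
    for line in text.splitlines():
        code, sep, comment = line.partition("#")
        fields = code.split()
        if len(fields) >= 2 and is_sinkhole(fields[0]):
            keep = [n for n in fields[1:] if n.lower() in LOCAL_NAMES]
            if not keep:
                continue                 # whole line was sinkholing; drop it
            if keep != fields[1:]:       # mixed line: rewrite with the local names only
                line = " ".join([fields[0]] + keep) + (sep + comment if sep else "")
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample (not a capture): XP header line, worm-style 0.0.0.0 entries, one legitimate entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  www.symantec.com
0.0.0.0  liveupdate.symantec.com
0.0.0.0  www.ca.com  my-etrust.com
0.0.0.0  downloads.microsoft.com
192.168.1.20    intranet.example.invalid   # legitimate static entry
"""

if __name__ == "__main__":
    for no, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run the detector first and review the hits: a legitimate administrator may deliberately sinkhole advertising domains, so only entries for update and vendor sites that nobody on the machine added should be treated as the worm's.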

Denial of Service

The worm attempts to perform a Denial of Service attack against www.sco.com  between 1st February and 1st March 2004 and against www.microsoft.com between 3rd February and 1st March 2004.

Note: At each machine restart, when the worm is started via the registry modification, it does not always attempt the attack even if the date falls in the period when the Denial of Service attacks are to occur. The probability that it attacks is as follows:

  • There is a 70% chance that the worm will attempt the DoS against Microsoft
  • There is an 80% chance that the worm will attempt the DoS against SCO.

Analysis by Sha-Li Hsieh and Jakub Kaminski
