Last Updated: 2004-07-27 15:11:12 UTC
by Johannes Ullrich (Version: 1)
Update (July 27th 2004)
Symantec reports that the 'Zindos.A' backdoor dropped by MyDoom-O is
used by a worm that will attempt to DDOS microsoft.com. Infected
systems will start the DDOS right after the worm is installed and
will scan for other vulnerable systems.
Infected systems can easily be identified by looking for port 1034 TCP.
The latest version of MyDoom, which started arriving in people's mail boxes in force Monday morning, uses search engines to find more recipients for its message.
Like other viruses, MyDoom-O will search the infected system for valid
e-mail addresses. However, MyDoom-O uses a new twist to find additional
e-mail addresses. It will search four different search engines (Altavista,
Google, Lycos, Yahoo) for additional e-mail addresses within the domain
of e-mail addresses found locally (e.g. if it finds an address ending in
@example.com, it will search for additional addresses that end in @example.com).
Google and Lycos experienced significant problems as a result of the large
number of queries caused by MyDoom infected systems. However, there is
no evidence that this 'DDOS effect' was the purpose of the virus.
These MyDoom e-mails arrive in a number of different forms. Some claim to be
a bounce caused by a message the user sent earlier, others claim to be a
message from the user's ISP claiming that the user sent spam and should run
the attached file.
The virus may be zipped, a plain executable or a screen saver (.scr).
Prior versions of MyDoom included a backdoor. Some antivirus vendors report
that this version does as well. While we did observe this version listening
on a number of ports, so far we have not been able to connect to them. However,
past versions of MyDoom required a particular header to accept the communication.
At this time, all antivirus vendors have released updates to their signature
files that will recognize this version of MyDoom. This version of MyDoom
is usually identified as 'M' or 'O'.
We highly recommend downloading the latest signatures. As this is probably
not the last virus, we recommend reviewing your policy with respect to
attachments. Executable attachments should not be permitted. Finding a
sensible policy for zip files may be more difficult and should be tailored
to your business needs. We recommend PGP signed e-mail for attachments,
or a web based 'drop box'.
A password encrypted zip file will only help if the password is exchanged
in advance, if possible out of band (e.g. by phone). In the past, viruses used
password encrypted zip files to fool antivirus engines.
MyDoom creates the executable files
C:\Windows\services.exe and java.exe, and executes them.
The following URL templates are used to query the search engines. '%s' is
replaced with the search string.
The agent id (User-Agent) is read from the registry and will match the Internet Explorer
version used on the infected host. The full request will look like:
GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+winternals.com HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
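As an added defender-side example (not code from the diary or its author), the following Python scans constructed proxy log lines for the kind of search-engine query shown above and flags hosts that issue many of them, which is how infected systems would show up in web logs. The search-engine host names, query parameter names and log line format are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qs

# Search engines named in the diary; the host names and query-parameter names
# used below are assumptions for this example, not taken from the worm.
SEARCH_HOSTS = ("google.com", "altavista.com", "lycos.com", "yahoo.com")

# Constructed proxy log lines: client ip, method, URL, quoted User-Agent.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=mailto+example.com "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
10.0.0.5 GET http://www.altavista.com/web/results?q=mailto+example.com "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
10.0.0.5 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.com "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
10.0.0.7 GET http://www.google.com/search?q=weather+forecast "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 GET http://search.yahoo.com/search?p=mailto+example.com "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def harvested_domain(url):
    """Return the domain an address-harvesting query targets, else None.
    A hit is a known search engine queried for 'mailto <domain>' (parse_qs
    turns the '+' of 'mailto+domain' into a space)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in SEARCH_HOSTS):
        return None
    for values in parse_qs(parsed.query).values():
        for value in values:
            words = value.split()
            if len(words) == 2 and words[0].lower() == "mailto":
                return words[1].lower()
    return None


def find_harvesting_clients(log_text, threshold=2):
    """Return [(client, count, sorted domains)] for clients with at least
    `threshold` harvesting queries, most active first."""
    counts, domains = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        client, _method, url, _agent = m.groups()
        domain = harvested_domain(url)
        if domain:
            counts[client] += 1
            domains[client].add(domain)
    return [(c, n, sorted(domains[c])) for c, n in counts.most_common() if n >= threshold]
```

A single query for a domain the user legitimately works with can be benign; the threshold and the per-client domain list are what separate a harvesting host from a one-off search.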
The virus is UPX packed; after unpacking, the following strings are evident:
(a) Strings that suggest that the virus attempts to decode obfuscated e-mail
(b) Mail headers for outbound mail
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
(c) Strings that are apparently used to avoid certain e-mail addresses:
MyDoom leaves a log file behind. On our test system, the log file was
dropped into C:\Documents and Settings\Locals~1\Temp\zincite.log
Sample Anti-Virus Policy
Anti Virus Vendor Links:
Johannes Ullrich, jullrich/AT/sans.org