MyDoom-O hits search engines hard
Update (July 27th 2004)

Symantec reports that the 'Zindos.A' backdoor dropped by MyDoom-O is used by a worm that will attempt to DDOS microsoft.com. Infected systems will start the DDOS right after the worm is installed and will scan for other vulnerable systems. Infected systems can easily be identified by looking for port 1034 TCP scans.

Overview

The latest version of MyDoom, which started arriving in people's mail boxes in force Monday morning, uses search engines to find more recipients for its message. Like other viruses, MyDoom-O will search the infected system for valid e-mail addresses. However, MyDoom-O uses a new twist to find additional e-mail addresses: it will search four different search engines (Altavista, Google, Lycos, Yahoo) for additional e-mail addresses within the domain of e-mail addresses found locally (e.g. if it finds someone@example.com, it will search for additional addresses that end in @example.com).

Google and Lycos experienced significant problems as a result of the large number of queries caused by MyDoom-infected systems. However, there is no evidence that this 'DDOS effect' was the purpose of the virus.

These MyDoom e-mails arrive in a number of different forms. Some claim to be a bounce caused by a message the user sent earlier; others claim to be a message from the user's ISP claiming that the user sent spam and should run the attached file. The virus may be zipped, a plain executable or a screen saver (.scr).

Prior versions of MyDoom included a backdoor. Some antivirus vendors report that this version does as well. While we did observe this version to listen on a number of ports, so far we have not been able to connect to them. However, past versions of MyDoom required a particular header to accept the communication.

At this time, all antivirus vendors have released updates to their signature files, which will recognize this version of MyDoom. This version of MyDoom is usually identified as 'M' or 'O'.
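The update above says infected systems can be spotted by their port 1034 TCP scans. The following script, an added example that is not part of the diary and not code from the worm, shows one way to turn that into a check over firewall logs: it parses constructed, iptables-style syslog lines and flags any source that reaches many distinct destinations on TCP/1034 within a short window. The log format, the 60-second window and the threshold of 10 distinct targets are assumptions to adjust for your own environment.

```python
# Added example (not from the ISC diary or the worm itself): flag hosts that
# behave like the Zindos.A worm described above, i.e. open connections to many
# distinct destinations on TCP port 1034 in a short time. The firewall log
# format below is a constructed, iptables-style syslog line; adjust LINE_RE
# for your own firewall's format.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

ZINDOS_PORT = 1034      # port named in the Symantec report quoted above
WINDOW_SECONDS = 60     # assumption: how long a scanning burst is allowed to span
MIN_TARGETS = 10        # assumption: distinct destinations needed to call it a scan

# Constructed sample traffic (not real data): 10.1.2.50 sweeps TCP/1034 across
# twelve hosts in a few seconds; 10.1.2.77 makes an ordinary web connection
# plus one lone TCP/1034 connection, which should not be enough to flag it.
SAMPLE_LOG = """\
Jul 27 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.10 PROTO=TCP SPT=3201 DPT=1034 SYN
Jul 27 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.11 PROTO=TCP SPT=3202 DPT=1034 SYN
Jul 27 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.12 PROTO=TCP SPT=3203 DPT=1034 SYN
Jul 27 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.13 PROTO=TCP SPT=3204 DPT=1034 SYN
Jul 27 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.14 PROTO=TCP SPT=3205 DPT=1034 SYN
Jul 27 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.15 PROTO=TCP SPT=3206 DPT=1034 SYN
Jul 27 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.16 PROTO=TCP SPT=3207 DPT=1034 SYN
Jul 27 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.17 PROTO=TCP SPT=3208 DPT=1034 SYN
Jul 27 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.18 PROTO=TCP SPT=3209 DPT=1034 SYN
Jul 27 10:00:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.19 PROTO=TCP SPT=3210 DPT=1034 SYN
Jul 27 10:00:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.20 PROTO=TCP SPT=3211 DPT=1034 SYN
Jul 27 10:00:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=192.0.2.21 PROTO=TCP SPT=3212 DPT=1034 SYN
Jul 27 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=198.51.100.5 PROTO=TCP SPT=4001 DPT=80 SYN
Jul 27 10:00:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=198.51.100.9 PROTO=TCP SPT=4002 DPT=1034 SYN
"""


def parse_line(line, year=2004):
    """Parse one syslog line into (timestamp, src, dst, dpt); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def find_port_scanners(log_text, port=ZINDOS_PORT, window=WINDOW_SECONDS,
                       min_targets=MIN_TARGETS):
    """Return {src: distinct destinations} for sources that reached at least
    min_targets distinct DST addresses on `port` within any `window` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            ts, src, dst, _ = rec
            events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Distinct targets in the window that starts at this event.
            targets = {dst for t, dst in hits[i:] if (t - t0).total_seconds() <= window}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


if __name__ == "__main__":
    for src, n in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on TCP/{ZINDOS_PORT} within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw packets keeps a single chatty connection (retransmitted SYNs to one host) from tripping the rule; the window keeps a slow, legitimate trickle of port 1034 traffic over a whole day from accumulating into a false alert.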
We highly recommend downloading the latest signatures. As this is probably not the last virus, we recommend reviewing your policy with respect to attachments. Executable attachments should not be permitted. Finding a sensible policy for zip files may be more difficult and should be tailored to your business needs. We recommend PGP-signed e-mail for attachments, or a web-based 'drop box'. A password-encrypted zip file will only help if the password is exchanged in advance, if possible out of band (e.g. phone). In the past, viruses have used password-encrypted zip files to fool antivirus engines.

Details

MyDoom creates the executable files C:\Windows\services.exe and java.exe, and executes them.

The following URL templates are used to query the search engines. '%s' is replaced with the search string:

http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%d
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%d
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%d
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s

The agent id (User-Agent) is read from the registry and will match the Internet Explorer version used on the infected host. The full request will look like:
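The URL templates above are also what the traffic looks like from the network side, which makes a web proxy a good place to notice infected hosts. The script below is an added example, not part of the diary and not the worm's code: it parses a constructed, squid-like access log ("<epoch> <client> <method> <url>"), recognises queries to the four engines by host name and query parameter, and flags clients whose search strings look like domain-wide address searches ("@example.com"). The log format, the "@domain" pattern and the alert threshold are assumptions, since the diary does not reproduce the exact search string the worm sends.

```python
# Added example (not from the ISC diary or the worm itself): find hosts on your
# network that issue the kind of search-engine queries described above, i.e.
# address harvesting for a whole domain, by parsing a web-proxy access log.
# The log format is a constructed, squid-like "<epoch> <client> <method> <url>";
# adjust the split() below for your proxy's format.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# The four engines from the URL templates above, with the query parameter that
# carries the search string (%s in the templates).
SEARCH_ENGINES = {
    "search.lycos.com": "query",
    "www.altavista.com": "q",
    "search.yahoo.com": "p",
    "www.google.com": "q",
}

# "@example.com"-style search strings are what a domain-wide address search
# looks like. The diary does not show the worm's exact search string, so this
# pattern is an assumption and may need tuning against your own traffic.
HARVEST_RE = re.compile(r"@[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)
MIN_REQUESTS = 5  # assumption: harvesting-looking requests per client before alerting

# Constructed sample log (not real traffic): 10.1.2.50 queries all four engines
# for two domains; 10.1.2.77 does ordinary searches, one of which happens to
# contain an address and stays below the threshold.
SAMPLE_LOG = """\
1090922401 10.1.2.50 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%40example.com&nbq=50
1090922401 10.1.2.50 GET http://www.altavista.com/web/results?q=%40example.com&kgs=0&kls=0&n=50
1090922402 10.1.2.50 GET http://search.yahoo.com/search?p=%40example.com&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=50
1090922402 10.1.2.50 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%40example.com
1090922403 10.1.2.50 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%40example.org&nbq=50
1090922403 10.1.2.50 GET http://www.altavista.com/web/results?q=%40example.org&kgs=0&kls=0&n=50
1090922404 10.1.2.50 GET http://search.yahoo.com/search?p=%40example.org&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=50
1090922404 10.1.2.50 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%40example.org
1090922405 10.1.2.77 GET http://www.google.com/search?hl=en&q=mydoom+removal+tool
1090922406 10.1.2.77 GET http://www.google.com/search?hl=en&q=contact%40example.com
1090922407 10.1.2.77 GET http://www.example.com/index.html
"""


def search_query(url):
    """Return (engine_host, search_string) if url is a query to one of the four
    engines, else None. parse_qs percent-decodes, so %40 becomes '@'."""
    parts = urlsplit(url)
    param = SEARCH_ENGINES.get(parts.hostname)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return (parts.hostname, values[0]) if values else None


def find_harvesters(log_text, min_requests=MIN_REQUESTS):
    """Return {client: (request_count, sorted @domain targets)} for clients whose
    search-engine queries looked like domain address harvesting at least
    min_requests times."""
    counts = defaultdict(int)
    domains = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        hit = search_query(url)
        if not hit:
            continue
        m = HARVEST_RE.search(hit[1])
        if m:
            counts[client] += 1
            domains[client].add(m.group(0).lower())
    return {c: (n, sorted(domains[c])) for c, n in counts.items() if n >= min_requests}


if __name__ == "__main__":
    for client, (n, targets) in find_harvesters(SAMPLE_LOG).items():
        print(f"{client}: {n} harvesting-style queries for {', '.join(targets)}")
```

Matching on host name plus the engine-specific query parameter is deliberately loose about the other parameters (nbq, kgs, tab and so on), so a small change in the template on the worm's side does not blind the check; the threshold exists because a single human search containing an address is normal, whereas the same "@domain" string fired at four engines in a row is not.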
The virus is UPX packed; after unpacking, the following strings are evident:

(a) Strings that suggest that the virus attempts to decode obfuscated e-mail addresses:
.dot. _dot_ (dot) at _at_ (at) .at.

(b) Mail headers for outbound mail
(c) Strings that are apparently used to avoid certain e-mail addresses:
mailer-d spam abuse master sample accoun privacycertific bugs listserv submit ntivi support admin page the.bat gold-certs feste help soft site rating your someone anyone nothing nobody noone info winrar winzip rarsoft sf.net sourceforge ripe. arin. gnu. gmail seclist secur bar. foo.com trend update uslis domain example sophos yahoo spersk panda hotmail msn. msdn. microsoft sarc. syma

MyDoom leaves a log file behind. On our test system, the log file was dropped into C:\Documents and Setting\Locals~1\Temp\zincite.log

Sample Anti-Virus Policy
http://isc.sans.org/papers/antivirus.pdf

Anti Virus Vendor Links:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127033
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html
http://www.f-secure.com/v-descs/mydoom_m.shtml
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=49861&sind=0
http://www.viruslist.com/eng/alert.html?id=1927068
http://www.grisoft.com/virbase/virbase.php?lng=us&type=web&action=view&qvirus=086fda5c5c9e7000

------------------------------------------
Johannes Ullrich, jullrich/AT/sans.org
Johannes, ISC Handler, Jul 27th 2004