MyDoom-O hits search engines hard. - SANS Internet Storm Center

MyDoom-O hits search engines hard.
MyDoom-O hits search engines hard Update (July 27th 2004) Symantec reports that the 'Zindos.A' backdoor dropped by MyDoom-O is used by a worm that will attempt to DDOS microsoft.com. Infected systems will start the DDOS right after the worm is installed and will scan for other vulnerable systems. Infected systems can easily be identified by looking for port 1034 TCP scans. Overview The latest version of MyDoom, which started arriving in people's mail boxes in force Monday morning, uses search engines to find more recipients for its message. Like other viruses, MyDoom-O will search the infected system for valid e-mail addresses. However, MyDoom-O uses a new twist to find additional e-mail addresses. It will search four different search engines (Altavista, Google, Lycos, Yahoo) for additional e-mail addresses within the domain of e-mail addresses found locally (e.g. if it finds someone@example.com, it will search for additional addresses that end in @example.com). Google and Lycos experienced significant problems as a result of the large number of queries caused by MyDoom infected systems. However, there is no evidence that this 'DDOS effect' was the purpose of the virus. These MyDoom e-mails arrive in a number of different forms. Some claim to be a bounce caused by a message the user sent earlier, others claim to be a message from the users ISP claiming that the user sent spam and should run the attached file. The virus may be zipped, a plain executable or a screen saver (.scr). Prior versions of MyDoom included a backdoor. Some Antivirus vendors report that this version does as well. While we did observe this version to listen on a number of ports, so far we have not been able to connect to them. However, past versions of MyDoom required a particular header to accept the communication. At this time, all Anti Virus vendors released updates to their signature files, which will recognize this version of MyDoom. This version of MyDoom is usually identified as 'M' or 'O'. We highly recommend to download the latest signatures. As this is probably not the last virus, we recommend reviewing your policy with respect to attachments. Executable attachments should not be permitted. Finding a sensible policy for zip files may be more difficult and should be tailored to your business needs. We recommend PGP signed e-mail for attachments, or a web based 'drop box'. A password encrypted zip file will only help if the password is exchanged in advance, if possible out of band (e.g. phone). In the past, viruses used password encrypted zip files to fool anti virus engines. Details MyDoom creates the executable files C:\Windows\services.exe and java.exe, and executes them. The following URL templates are used to query the search engines. '%s' is replaced with the search string. http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s &nbq=%d http://www.altavista.com/web/results?q=%s&kgs=0&kls=0 &n=%d http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= &num=%d http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s The agent id (User-Agent) is read from the registry and will match the internet explorer version used on the infected host. The full request will look like: GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+winternals.com HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Host: search.lycos.com Connection: Keep-Alive The virus is UPX packed, after unpacking, the following strings are evident: (a) Strings that suggest that the virus attempts to decode obfuscated e-mail addresses .dot. _dot_ (dot) at _at_ (at) .at. (b) Mail headers for outbound mail X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Content-Type: multipart/mixed; boundary="%s" MIME-Version: 1.0 Date: Subject: %s To: %s From: %s (c) Strings that are apparently used to avoid certain e-mail addresses: mailer-d spam abuse master sample accoun privacycertific bugs listserv submit ntivi support admin page the.bat gold-certs feste help soft site rating your someone anyone nothing nobody noone info winrar winzip rarsoft sf.net sourceforge ripe. arin. google gnu. gmail seclist secur bar. foo.com trend update uslis domain example sophos yahoo spersk panda hotmail msn. msdn. microsoft sarc. syma <P> MyDoom leaves a log file behind. On our test system, the log file was dropped into C:\Documents and Setting\Locals~1\Temp\zincite.log Sample Anti-Virus Policy http://isc.sans.org/papers/antivirus.pdf Anti Virus Vendor Links: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127033 http://www.sophos.com/virusinfo/analyses/w32mydoomo.html http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html http://www.f-secure.com/v-descs/mydoom_m.shtml http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711 http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=49861&sind=0 http://www.viruslist.com/eng/alert.html?id=1927068 http://www.grisoft.com/virbase/virbase.php?lng=us&type=web&action=view&qvirus=086fda5c5c9e7000 ------------------------------------------ Johanns Ullrich, jullrich/AT/sans.orgDefending Web Applications Security Essentials - Secure DevOps Summit & Training 2018	Johannes 3352 Posts ISC Handler
Reply Subscribe	Jul 27th 2004 1 decade ago