MyDoom-O hits search engines hard

Update (July 27th 2004)

Symantec reports that the 'Zindos.A' backdoor dropped by MyDoom-O is
used by a worm that will attempt to DDOS microsoft.com. Infected
systems will start the DDOS right after the worm is installed and
will scan for other vulnerable systems.

Infected systems can easily be identified by looking for port 1034 TCP
scans.

Overview

The latest version of MyDoom, which started arriving in people's mail boxes in force Monday morning, uses search engines to find more recipients for its message.

Like other viruses, MyDoom-O will search the infected system for valid
e-mail addresses. However, MyDoom-O uses a new twist to find additional
e-mail addresses. It will search four different search engines (Altavista,
Google, Lycos, Yahoo) for additional e-mail addresses within the domain
of e-mail addresses found locally (e.g. if it finds someone@example.com,
it will search for additional addresses that end in @example.com).

Google and Lycos experienced significant problems as a result of the large
number of queries caused by MyDoom infected systems. However, there is
no evidence that this 'DDOS effect' was the purpose of the virus.

These MyDoom e-mails arrive in a number of different forms. Some claim to be
a bounce caused by a message the user sent earlier, others claim to be a
message from the users ISP claiming that the user sent spam and should run
the attached file.

The virus may be zipped, a plain executable or a screen saver (.scr).

Prior versions of MyDoom included a backdoor. Some Antivirus vendors report
that this version does as well. While we did observe this version to listen
on a number of ports, so far we have not been able to connect to them. However,
past versions of MyDoom required a particular header to accept the communication.

At this time, all Anti Virus vendors released updates to their signature
files, which will recognize this version of MyDoom. This version of MyDoom
is usually identified as 'M' or 'O'.
We highly recommend to download the latest signatures. As this is probably
not the last virus, we recommend reviewing your policy with respect to
attachments. Executable attachments should not be permitted. Finding a
sensible policy for zip files may be more difficult and should be tailored
to your business needs. We recommend PGP signed e-mail for attachments,
or a web based 'drop box'.

A password encrypted zip file will only help if the password is exchanged
in advance, if possible out of band (e.g. phone). In the past, viruses used
password encrypted zip files to fool anti virus engines.

Details

MyDoom creates the executable files
C:\Windows\services.exe and java.exe, and executes them.

The following URL templates are used to query the search engines. '%s' is
replaced with the search string.

http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
&nbq=%d

http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
&n=%d

http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
&num=%d

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
The agent id (User-Agent) is read from the registry and will match the internet explorer
version used on the infected host. The full request will look like:

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+winternals.com HTTP/1.1 

Accept: */* 

Accept-Encoding: gzip, deflate 

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 

Host: search.lycos.com 

Connection: Keep-Alive

The virus is UPX packed, after unpacking, the following strings are evident:

(a) Strings that suggest that the virus attempts to decode obfuscated e-mail
addresses

.dot.
_dot_
(dot)
at
_at_
(at)
.at.

(b) Mail headers for outbound mail

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Content-Type: multipart/mixed;

        boundary="%s"

MIME-Version: 1.0

Date:

Subject: %s

To: %s

From: %s

(c) Strings that are apparently used to avoid certain e-mail addresses:

mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
feste
help
soft
site
rating
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
<P>

MyDoom leaves a log file behind. On our test system, the log file was
dropped into C:\Documents and Setting\Locals~1\Temp\zincite.log
Sample Anti-Virus Policy

http://isc.sans.org/papers/antivirus.pdf

Anti Virus Vendor Links:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127033

http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

http://www.f-secure.com/v-descs/mydoom_m.shtml

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=49861&sind=0

http://www.viruslist.com/eng/alert.html?id=1927068

http://www.grisoft.com/virbase/virbase.php?lng=us&type=web&action=view&qvirus=086fda5c5c9e7000
------------------------------------------

Johanns Ullrich, jullrich/AT/sans.org