Virus Profile: W32/Mydoom.ah@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/8/2004
Date Added: 11/8/2004
Origin: Unknown
Length: 21,508 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4405
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

When run, the virus creates a file in the WINDOWS SYSTEM (%WinDir%\system32) directory with a random filename that ends in 32.exe.  A registry run key is created to load the virus at system startup, such as:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe

Other registry keys are also created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer\ComExplore
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer\ComExplore\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\ComExplore
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\ComExplore\Version

The worm contains a list of IRC servers, which it attempts to connect to on TCP port 6667:

  • qis.md.us.dal.net
  • ced.dal.net
  • viking.dal.net
  • vancouver.dal.net
  • ozbytes.dal.net
  • broadway.ny.us.dal.net
  • coins.dal.net
  • lulea.se.eu.undernet.org
  • diemen.nl.eu.undernet.org
  • london.uk.eu.undernet.org
  • washington.dc.us.undernet.org
  • los-angeles.ca.us.undernet.org
  • brussels.be.eu.undernet.org
  • caen.fr.eu.undernet.org
  • flanders.be.eu.undernet.org
  • graz.at.eu.undernet.org

Methods of Infection

Like other Mydoom variants, this virus harvests email addresses from the local system, creates addresses by combining common names carried within the virus body with harvested domain names, and spams those addresses with email messages.  It also avoids addresses containing specific letters or words.  Unlike earlier variants, the infectious messages do not contain an attachment, but rather a hyperlink directing people to an infected machine.  Following the hyperlink results in an infection occurring on the target victim's system, if they are running a vulnerable Microsoft Internet Explorer web browser.

Through a buffer overflow, the virus downloads and executes the main virus component.  This component injects itself into the EXPLORER.EXE process and creates six threads to carry out various tasks.  Even if the main executable file is terminated and deleted, these threads in EXPLORER.EXE must be suspended/terminated in order for propagation to stop.  The specified DAT files contain repair to both terminate the running virus process as well as the spawned explorer.exe threads.

Aliases

Bofra, W32.Mydoom.AH@mm (Symantec), Win32/Mydoom.AH@mm (RAV)
   

Virus Characteristics

--- Update February 3, 2005--
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.

--- Update November 8, 2004--
Due to an increase in prevalence, the risk assessment of this threat was upgraded to Medium. 

If you think that you may be infected with W32/Mydoom.ah@MM , and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

--

This W32/Mydoom@MM variant makes use of a zero day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability .  It is very similar to W32/Mydoom.ag@MM .

The virus spreads by sending email messages to addresses found on the local system, as well as addresses constructed by the virus.  The message appears as follows:

From: Spoofed address (may be
exchange-robot@paypal.com when sending paypal message body below)

Subject: (case may vary)

  • hi!
  • hey!
  • Confirmation
  • blank

Body:

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this link .

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

or

Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!

See you!

or

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

The mail header may contain one of the following fields:

  • X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
  • X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
  • X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

There is no attachment to the message.  The homepage or link hyperlink points to the infected system which sent the email message.  Clicking on the link, accesses a web server running on the compromised system.  The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus

Infected systems will show Windows Explorer listening on TCP Port 1639, the port the web server runs on. If port 1639 is already in use by another application, the virus will try the next available port (1640, 1641, etc).

When a user follows a hyperlink sent by the virus, they are connected with the infected computer (http:// IP address of infected host that sent the email message :1639/index.htm).  The webcam.htm page that is served results in a buffer overflow occuring in Internet Explorer.  Shell code then executes, which instructs the local machine to download a remote file (http:// IP address :1639/reactor) and save it to a local file %desktop%\vv.dat and then execute the downloaded file.

   
All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

McAfee Intrushield
 An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
 
https://mysupport.nai.com/
Knowledgebase Article KB38001
 
Please note: The above knowledgebase article is password protected and requires your to log into Service Portal before accessing it.

McAfee Entercept
Entercept's buffer overflow protection protects against code execution that may result from exploitation of the IFRAME buffer overflow vulnerability.

VirusScan Enterprise 8.0i
 The VSE8.0i contains generic buffer overflow protection that is effective in preventing this threat from spreading.  Protection is enabled by default:

With this configuration, a message dialog box will appear upon detection: