Virus Profile: W32/Mydoom.bv@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/16/2005
Date Added: 8/16/2005
Origin: Unknown
Length: 79,936 bytes (UPXed)
Type: Virus
Subtype: Internet Worm
DAT Required: 4559
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry entry listed below
  • Modification of the Windows firewall settings, via setting the following Registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
      \SharedAccess\Parameters\FirewallPolicy\DomainProfile
      \AuthorizedApplications\List "%executed_file%"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
      \SharedAccess\Parameters\FirewallPolicy\StandardProfile
      \AuthorizedApplications\List "%executed_file%"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      \SharedAccess\Parameters\FirewallPolicy\DomainProfile
      \AuthorizedApplications\List "%executed_file%"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      \SharedAccess\Parameters\FirewallPolicy\StandardProfile
      \AuthorizedApplications\List "%executed_file%"

    Each is set to the following value:

    • %executed_file%::*:Enabled:%executed_filename%

    where %executed_file% is the full path to the executed copy of the worm, and %executed_filename% is the filename.

  • Addition of the value:
    • "EnableFirewall" = "0"

    To the following keys:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
      \SharedAccess\Parameters\FirewallPolicy
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
      \SharedAccess\Parameters\FirewallPolicy\DomainProfile
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
      \SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      \SharedAccess\Parameters\FirewallPolicy
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      \SharedAccess\Parameters\FirewallPolicy\DomainProfile
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      \SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • Addition of the value:

    • "DisableRegistryTools" = "0"

    To the following keys:

    • HKEY_CURRENT_USER\Software\Microsoft
      \Windows\CurrentVersion\Policies
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
      \Windows\CurrentVersion\policies
  • Unexpected termination of one of the following processes:
    • Lien Van de Kelderrr.exe
    • winshost.exe
    • msnmsgr.exe
    • wfdmgr.exe
    • OUTPOST.EXE
    • IAOIN.EXE
    • RB.EXE
    • b055262c.dll
    • backdoor.rbot.gen.exe
    • backdoor.rbot.gen_(17).exe
    • msssss.exe
    • rasmngr.exe
    • dailin.exe
    • wowpos32.exe
    • wuamgrd.exe
    • taskmanagr.exe
    • wuamga.exe
    • ATUPDATER.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • LUALL.EXE
    • DRWEBUPW.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • UPDATE.EXE
    • NUPGRADE.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVXQUAR.EXE
    • CFIAUDIT.EXE
    • MCUPDATE.EXE
    • NUPGRADE.EXE
    • Systra.exe
    • RAVMOND.exe
    • GfxAcc.exe
    • VisualGuard.exe
    • WIN-BUGSFIX.EXE
    • WIN32.EXE
    • WIN32US.EXE
    • WINACTIVE.EXE
    • WINDOW.EXE
    • WINDOWS.EXE
    • WININETD.EXE
    • WININIT.EXE
    • WININITX.EXE
    • WINLOGIN.EXE
    • WINMAIN.EXE
    • WINPPR32.EXE
    • WINRECON.EXE
    • WINSSK32.EXE
    • WINSTART.EXE
    • WINSTART001.EXE
    • WINTSK32.EXE
    • WINUPDATE.EXE
    • WKUFIND.EXE
    • WNAD.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WRCTRL.EXE
    • WUPDATER.EXE
    • WUPDT.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE
    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • HIJACKTHIS.EXE
    • F-AGOBOT.EXE
  • Blocking of access to various security-vendor sites, via addition of the following entries (each name resolved to the loopback address) to the local HOSTS file:
    • 127.0.0.1  avp.com
    • 127.0.0.1  ca.com
    • 127.0.0.1  customer.symantec.com
    • 127.0.0.1  dispatch.mcafee.com
    • 127.0.0.1  download.mcafee.com
    • 127.0.0.1  downloads-eu1.kaspersky-labs.com
    • 127.0.0.1  downloads-us1.kaspersky-labs.com
    • 127.0.0.1  downloads1.kaspersky-labs.com
    • 127.0.0.1  downloads2.kaspersky-labs.com
    • 127.0.0.1  downloads3.kaspersky-labs.com
    • 127.0.0.1  downloads4.kaspersky-labs.com
    • 127.0.0.1  f-secure.com
    • 127.0.0.1  kaspersky-labs.com
    • 127.0.0.1  kaspersky.com
    • 127.0.0.1  liveupdate.symantec.com
    • 127.0.0.1  liveupdate.symantecliveupdate.com
    • 127.0.0.1  mast.mcafee.com
    • 127.0.0.1  mcafee.com
    • 127.0.0.1  microsoft.com
    • 127.0.0.1  my-etrust.com
    • 127.0.0.1  nai.com
    • 127.0.0.1  networkassociates.com
    • 127.0.0.1  oxyd.fr
    • 127.0.0.1  pandasoftware.com
    • 127.0.0.1  rads.mcafee.com
    • 127.0.0.1  secure.nai.com
    • 127.0.0.1  securityresponse.symantec.com
    • 127.0.0.1  sophos.com
    • 127.0.0.1  symantec.com
    • 127.0.0.1  t35.com
    • 127.0.0.1  t35.net
    • 127.0.0.1  trendmicro.com
    • 127.0.0.1  update.symantec.com
    • 127.0.0.1  updates.symantec.com
    • 127.0.0.1  us.mcafee.com
    • 127.0.0.1  viruslist.com
    • 127.0.0.1  virustotal.com
    • 127.0.0.1  www.avp.com
    • 127.0.0.1  www.ca.com
    • 127.0.0.1  www.f-secure.com
    • 127.0.0.1  www.grisoft.com
    • 127.0.0.1  www.kaspersky.com
    • 127.0.0.1  www.mcafee.com
    • 127.0.0.1  www.microsoft.com
    • 127.0.0.1  www.my-etrust.com
    • 127.0.0.1  www.nai.com
    • 127.0.0.1  www.networkassociates.com
    • 127.0.0.1  www.oxyd.fr
    • 127.0.0.1  www.pandasoftware.com
    • 127.0.0.1  www.sophos.com
    • 127.0.0.1  www.symantec.com
    • 127.0.0.1  www.t35.com
    • 127.0.0.1  www.t35.net
    • 127.0.0.1  www.trendmicro.com
    • 127.0.0.1  www.viruslist.com
    • 127.0.0.1  www.virustotal.com
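The HOSTS-file and Windows Firewall indicators above are straightforward to check for. The following is an added example (not from the McAfee profile) that parses HOSTS-file text for vendor hostnames pinned to a loopback or null address and inspects the FirewallPolicy keys for `EnableFirewall` = 0 and authorized-application exceptions pointing outside trusted directories. It assumes registry content is supplied as a plain dict of `{key_path: {value_name: data}}` (for instance built from a `.reg` export), so it runs offline on any platform; the monitored domain set is a subset of the list above, and the sample HOSTS text and registry dict are constructed.

```python
import re

# Security-vendor hostnames the profile lists as pinned to 127.0.0.1 (subset).
MONITORED_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "mcafee.com", "microsoft.com", "nai.com",
    "sophos.com", "symantec.com", "trendmicro.com", "update.symantec.com",
    "virustotal.com", "www.mcafee.com", "www.microsoft.com", "www.symantec.com",
}
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

FIREWALL_POLICY_ROOT = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                        r"\SharedAccess\Parameters\FirewallPolicy")
FIREWALL_POLICY_KEYS = [FIREWALL_POLICY_ROOT,
                        FIREWALL_POLICY_ROOT + r"\DomainProfile",
                        FIREWALL_POLICY_ROOT + r"\StandardProfile"]

# "<path>:*:Enabled:<name>" is the XP SP2 authorized-application value format;
# the profile shows the worm writing a doubled colon, so one or more is accepted.
AUTH_APP_RE = re.compile(r"^(?P<path>.+?):+\*:Enabled:(?P<name>.+)$", re.IGNORECASE)


def find_hosts_redirects(hosts_text, monitored=MONITORED_DOMAINS):
    """Return (address, hostname) pairs where a monitored vendor hostname is
    mapped to a loopback/null address. Comments and blank lines are ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        if address in SINKHOLE_ADDRESSES:
            hits.extend((address, n.lower()) for n in names if n.lower() in monitored)
    return hits


def find_firewall_tampering(registry,
                            trusted_dirs=(r"c:\program files", r"c:\windows\system32")):
    """Return findings for EnableFirewall=0 in any FirewallPolicy key and for
    authorized-application exceptions whose path lies outside trusted_dirs."""
    findings = []
    for key in FIREWALL_POLICY_KEYS:
        values = registry.get(key, {})
        if str(values.get("EnableFirewall", "")).strip() == "0":
            findings.append(("firewall_disabled", key))
        exceptions = registry.get(key + r"\AuthorizedApplications\List", {})
        for value_name, data in exceptions.items():
            m = AUTH_APP_RE.match(str(data))
            if not m:
                continue
            path = m.group("path").lower()
            if not any(path.startswith(d.lower() + "\\") for d in trusted_dirs):
                findings.append(("untrusted_firewall_exception", value_name))
    return findings


# Constructed sample input (not a real capture).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1  download.mcafee.com
127.0.0.1  liveupdate.symantec.com   # appended entry
10.0.0.5   intranet.example.local
"""

SAMPLE_REGISTRY = {
    FIREWALL_POLICY_ROOT + r"\StandardProfile": {"EnableFirewall": "0"},
    FIREWALL_POLICY_ROOT + r"\StandardProfile\AuthorizedApplications\List": {
        r"C:\Program Files\Messenger\msmsgs.exe":
            r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
        r"C:\DOCUME~1\user\LOCALS~1\Temp\readme.exe":
            r"C:\DOCUME~1\user\LOCALS~1\Temp\readme.exe::*:Enabled:readme.exe",
    },
}

if __name__ == "__main__":
    for hit in find_hosts_redirects(SAMPLE_HOSTS):
        print("HOSTS redirect:", hit)
    for finding in find_firewall_tampering(SAMPLE_REGISTRY):
        print("Firewall finding:", finding)
```

The trusted-directory allowlist is deliberately narrow; on a real system it should be tuned to the site's software inventory, and a legitimate exception that falls outside it is a triage item rather than a confirmed infection.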

Methods of Infection

Installation

Upon execution, the worm copies itself several times to the victim machine. The following two copies are always made:

  • %WinDir%\msdefr.exe
  • %WinDir%\nb32ext2.exe

Additional copies may also be made with one of the following filenames:

  • %WinDir%\services.exe
  • %WinDir%\winlogon.exe
  • %WinDir%\csrss.exe
  • %WinDir%\smss.exe

System startup is hooked via addition of the following Registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \RunServices "helloworld" = nb32ext2.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Run "RPCserv32g" = %WinDir%\services.exe

Additionally, the following key is modified to run the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    \Winlogon "Userinit"

From:

  • %SysDir%\userinit.exe,

To:

  • %SysDir%\userinit.exe,%WinDir%\services.exe,

(where %SysDir% is the Windows system directory, for example: c:\windows\system32)
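The installation and startup indicators above can be turned into a persistence check. The following is an added example (not from the McAfee profile) that inspects the `Run` and `RunServices` keys for targets matching the copy names listed above, treating the four core-binary names as suspicious only when they sit directly in `%WinDir%` rather than in `%WinDir%\system32`, and reports any entry in the `Winlogon\Userinit` chain other than the expected `userinit.exe`. It assumes registry content as a dict of `{key_path: {value_name: data}}` (for instance from a `.reg` export), resolves a bare filename such as `nb32ext2.exe` against `%WinDir%` because that is where the profile places the copy, and uses a constructed sample registry.

```python
import ntpath
import re

RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Copy names from the profile. The last four mimic core Windows binaries that
# legitimately live only in %SysDir%, never directly in %WinDir%.
WORM_ONLY_NAMES = {"msdefr.exe", "nb32ext2.exe"}
MIMICKED_SYSTEM_NAMES = {"services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


def expand_windir(path, windir):
    """Replace a literal %WinDir% token (case-insensitive) with the real directory."""
    return re.sub(r"%windir%", lambda m: windir, path, flags=re.IGNORECASE)


def check_userinit(value, sysdir=r"c:\windows\system32"):
    """Return every entry of a Winlogon\\Userinit value other than <sysdir>\\userinit.exe.
    A clean value holds exactly that one entry followed by a trailing comma."""
    expected = ntpath.join(sysdir, "userinit.exe").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


def is_suspicious_path(path, windir=r"c:\windows"):
    """True if the path names a worm-only copy, or a core-binary name located
    directly in %WinDir% instead of %WinDir%\\system32."""
    directory, name = ntpath.split(path.strip().strip('"'))
    directory, name = directory.lower(), name.lower()
    if name in WORM_ONLY_NAMES:
        return True
    return name in MIMICKED_SYSTEM_NAMES and directory == windir.lower()


def find_persistence(registry, windir=r"c:\windows"):
    """Return (key, value_name, data) for suspicious Run/RunServices targets and
    for each unexpected Userinit entry."""
    findings = []
    for key in RUN_KEYS:
        for value_name, data in registry.get(key, {}).items():
            target = expand_windir(str(data), windir)
            # Assumption: a bare filename is taken as %WinDir%-relative, matching
            # the profile's "helloworld" = nb32ext2.exe entry.
            if not ntpath.dirname(target):
                target = ntpath.join(windir, target)
            if is_suspicious_path(target, windir):
                findings.append((key, value_name, str(data)))
    userinit = str(registry.get(WINLOGON_KEY, {}).get("Userinit", ""))
    for extra in check_userinit(userinit, ntpath.join(windir, "system32")):
        findings.append((WINLOGON_KEY, "Userinit", extra))
    return findings


# Constructed sample registry content (not a real export).
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {
        "RPCserv32g": r"%WinDir%\services.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    RUN_KEYS[1]: {"helloworld": "nb32ext2.exe"},
    WINLOGON_KEY: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\services.exe,"},
}

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_REGISTRY):
        print("Persistence finding:", finding)
```

The directory comparison is the important part: `services.exe`, `winlogon.exe`, `csrss.exe` and `smss.exe` are legitimate in `%SysDir%`, so a check that keys on filename alone would raise false positives on every healthy host.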

MS05-039 Propagation

The worm generates random IP addresses in order to find remote machines to infect.

Mail Propagation

Target email addresses are harvested from files on the victim machine; files with the following extensions are searched:

  • asp
  • cgi
  • dbx
  • dht
  • eml
  • htm
  • html
  • jsp
  • mbx
  • mht
  • msg
  • php
  • sht
  • stm
  • tbb
  • uin
  • wab

The worm may also retrieve addresses from the Windows address book, temporary internet folders and files within the user documents.

Outgoing messages are constructed using the worm's own SMTP engine. Variable subject lines, message bodies and attachment filenames may be used. The attachment filename may contain two file extensions, with multiple spaces in between them.
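The padded double-extension attachment name described above is easy to screen for at a mail gateway. The following is an added example (not from the McAfee profile) that classifies an attachment filename as a padded double extension, a plain executable, or acceptable; the set of executable extensions is an assumption standing in for whatever list a gateway actually enforces, and the sample names are constructed.

```python
import re

# Assumption: a typical gateway block list; tune to local policy.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# "<base>.<decoy><two or more spaces>.<real>" : the decoy extension is what a
# narrow attachment column shows, the real one decides how Windows runs it.
DOUBLE_EXT_RE = re.compile(
    r"^(?P<base>.+?)\.(?P<decoy>[a-z0-9]{1,5})\s{2,}\.(?P<real>[a-z0-9]{1,4})$",
    re.IGNORECASE,
)


def classify_attachment_name(name, executable=EXECUTABLE_EXTENSIONS):
    """Return ('padded_double_extension', decoy, real), ('executable', ext)
    or ('ok', ext) for a single attachment filename."""
    m = DOUBLE_EXT_RE.match(name)
    if m and m.group("real").lower() in executable:
        return ("padded_double_extension", m.group("decoy").lower(), m.group("real").lower())
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in executable:
        return ("executable", ext)
    return ("ok", ext)


def flagged_attachments(names, executable=EXECUTABLE_EXTENSIONS):
    """Return the (name, verdict) pairs that a gateway should hold for review."""
    results = []
    for name in names:
        verdict = classify_attachment_name(name, executable)
        if verdict[0] != "ok":
            results.append((name, verdict))
    return results


# Constructed sample attachment names.
SAMPLE_NAMES = [
    "report.pdf",
    "document.txt" + " " * 40 + ".exe",   # padded double extension
    "setup.exe",
    "notes.txt .pif",                     # single space: still an executable
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, verdict in flagged_attachments(SAMPLE_NAMES):
        print(repr(name), "->", verdict)
```

Note that the single-space case in the sample is caught by the plain extension rule rather than the padding rule, so the two checks together cover both spellings of the trick.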

Aliases

Backdoor.Win32.Surila.x (AVP), W32.Bobax.AF@mm (Symantec), W32/MyDoom-Gen (Sophos), Win32/MyDoom.79936!Worm (CA), WORM_BOBAX.AD (Trend)

Virus Characteristics

This is a mass-mailing worm that bears the following characteristics:
  • contains its own SMTP engine to construct outgoing messages, harvesting email addresses from the victim machine
  • propagates via the Windows Plug and Play vulnerability (MS05-039)
  • contains a backdoor component (TCP 80, or random TCP port)
  • terminates various processes (security/AV software)
  • lowers security settings on victim machine

This worm contains MS05-039 exploit code similar to that found in recent W32/Zotob.worm and W32/Sdbot.worm variants.

The exploit propagation code works in the same fashion: the exploited remote system is instructed to retrieve the worm by FTP from the infecting host and then execute it locally.

The generic buffer overflow protection in VirusScan Enterprise 8.0i and Managed VirusScan protects against code execution that may result from exploitation of MS05-039.
