MyDoom

infectionvectors.com

Updated February 2005

Infection Vectors: Mass mail (attachment and link to infected server), file shares (P2P)

Impact: High (backdoor component, traffic generation)

Description:

Since January of 2004, the MyDoom (aka Novarg) mass mailer has been plaguing organizations around the world. Originally just an explosive mass mailer, the authors have since added expanded backdoor capabilities, a peer-to-peer system for updating the worm, and Trojan-dropping functionality.

 

MyDoom spreads primarily as an attachment to an email (early versions also spread via shared directories) and waits for an end user to open it. At that time it establishes the backdoor proxy, sets itself to automatically start up, and scans the disk for email addresses. Once a set of addresses is obtained, the worm sends itself to each address, via its own SMTP engine.

 

In July of 2004 a new version of MyDoom (known as M, N, and O) also used search engines to generate a list of additional email addresses. Furthermore, this set of variants created a peer-to-peer network by passing the addresses of previously compromised machines from one copy of the worm to another. The author used this not only to connect the web of Trojans (originally known as Zincite) dropped by MyDoom, but also to upload additional code to infected machines (another Trojan, known as Zindos).

 

Each variant opens a listening port that receives commands from the author and relays traffic through the infected machine.

 

Mitigation:

Blocking email attachments is the most effective means of preventing the virus from entering the network. The file types to block:

ZIP
EXE
COM
PIF
BAT
CMD
SCR

 

Block access to inbound high ports used by the worm (3127-3198, 1042) for backdoor access.

Prevent clients from sending email directly to the Internet (i.e., only allow authorized mail servers outbound access to TCP 25).
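As an added illustration (not code from the original page), the following Python applies the three mitigation rules above to constructed flow-log lines and attachment names: it flags inbound connections to the backdoor ports, outbound TCP 25 from anything other than an authorized relay, and attachments carrying a blocked extension. The log format, the 10.0.0.25 relay address and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Blocked attachment extensions from the mitigation list above.
BLOCKED_EXTENSIONS = {"zip", "exe", "com", "pif", "bat", "cmd", "scr"}
# Inbound backdoor ports named on this page: 3127-3198 and 1042 (early variants), 1034 (MyDoom.AX).
BACKDOOR_PORTS = set(range(3127, 3199)) | {1042, 1034}
# Hypothetical address of the only host permitted to speak TCP 25 outbound (an assumption).
AUTHORIZED_MAIL_SERVERS = {"10.0.0.25"}
# Constructed flow-log format (not from the page): "<ts> <in|out> tcp <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"(?P<dir>in|out) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def attachment_blocked(filename: str) -> bool:
    """True if the final extension is on the block list (case-insensitive).
    Only the last extension counts, so 'readme.txt.SCR' is still caught."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


def classify_flow(line: str) -> Optional[str]:
    """Label one flow-log line, or return None if the flow is allowed by the rules."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    direction, src, dport = m["dir"], m["src"], int(m["dport"])
    if direction == "in" and dport in BACKDOOR_PORTS:
        return "backdoor-port"  # external host reaching a MyDoom listener
    if direction == "out" and dport == 25 and src not in AUTHORIZED_MAIL_SERVERS:
        return "rogue-smtp"  # a client running its own SMTP engine, as the worm does
    return None


def triage(flows: List[str], attachments: List[str]) -> List[Tuple[str, str]]:
    """Apply both checks and return (label, offending item) pairs."""
    findings = [(label, line) for line in flows if (label := classify_flow(line))]
    findings += [("blocked-attachment", n) for n in attachments if attachment_blocked(n)]
    return findings


# Constructed sample input for a stand-alone run.
SAMPLE_FLOWS = [
    "2005-02-16 09:00:01 in tcp 198.51.100.7:4455 -> 192.168.1.20:3127",
    "2005-02-16 09:00:02 out tcp 192.168.1.20:1200 -> 203.0.113.9:25",
    "2005-02-16 09:00:03 out tcp 10.0.0.25:5000 -> 203.0.113.9:25",
    "2005-02-16 09:00:04 in tcp 198.51.100.7:4456 -> 192.168.1.20:80",
]
SAMPLE_ATTACHMENTS = ["document.zip", "readme.txt", "readme.txt.SCR", "photo.jpg"]

if __name__ == "__main__":
    for label, item in triage(SAMPLE_FLOWS, SAMPLE_ATTACHMENTS):
        print(f"{label:20} {item}")
```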

 

Update: November 2004

 

The latest variants are mass-mailed to targets harvested from the infected box, just as in other versions. However, the email contains only an innocuous message and a link. The link points back to the infected machine that sent the email, which now serves an exploit for the (currently unpatched) IE IFRAME vulnerability, allowing the worm to auto-execute on the victim machine.

 

The exploit (based on the vulnerability discussed in BID 11515) affects IE 6 (Windows XP SP2 is not vulnerable). It lets a malicious coder place an overly long string in the SRC and NAME attributes of the <IFRAME>, <EMBED>, and <FRAME> tags, overrun the unchecked buffer, and force the local machine to run code of the author's choosing.

 

This P2P-style propagation is reminiscent of Blaster, except it uses HTTP transmissions instead of TFTP (opening TCP 1649 if available, and incrementing by 1 until it finds an unused port if not). This worm is also going by the name Bofra at sites like Sophos'. 

 

Mitigation includes disabling Active Scripting (a step also covered in other infectionvectors.com documents) and user education (don't click a link, especially a fishy-looking one containing an IP address). Some strategies for dealing with this threat until a patch is released are available at US-CERT's site.

 

Update: February 2005

 

The latest MyDoom variant got a jumpstart from wide seeding on 16 February 2005, giving it heightened threat status with most major AV companies. The worm is much like the July 2004 version that harvested new email addresses by querying search engines. The main difference between the two variants appears to be that the new version is packed with MEW (a packer developed by Northfox) instead of UPX.

 

00500104 4D 45 57 00 >ASCII "MEW"

 

MyDoom.AX (Symantec, also known as BB by Trend and F-Secure, AO by Panda) reaches out to Altavista, Google, Lycos, and Yahoo to find additional email addresses by submitting domain names (harvested from the victim machine) as search strings. In addition, it lifts target addresses from the local hard disk. Like the previous version, this iteration of the worm opens TCP 1034, allowing an attacker to access the compromised device and copy additional code to it.

 

AX drops a copy of Zincite and attempts to download Nemog from the Internet by issuing a GET for http://www.aoprojecteden.org/site/modules/articles/modulelogo.png (this server was used by previous versions of the worm as well). That routine is seen in the following debugger output:

 

0012FCE0 00505674 tVP. text_htm.00505674
0012FCE4 00503273 s2P. text_htm.00503273
0012FCE8 0050C6C0 ÀÆP. ASCII "http://www.aoprojecteden.org/site/modules/articles/modulelogo.png"
0012FCEC 0050C6F3 óÆP. ASCII "modulelogo.png"
0012FCF0 0012FFA0  ÿ.
0012FCF4 005032BF ¿2P. text_htm.005032BF

 

The worm crafts the email by selecting from short lists of variables and inserting the target address' domain into a prewritten template.

 

Dear user {$t|of $T},

 

To view the strings output for MyDoom.AX/M, see this text file. It will provide a high-level view of how the worm works to anyone seeking a quick peek under the covers of this successful mass mailer, including the full text of the email sent to each target address. Additional variants released through February 22, 2005 carried similar routines to this version.

 

Thanks to Paula Hollingsworth for initial sample submission.

Copyright © 2004-2005 infectionvectors.com. All rights reserved.