MyDoom Worms
The MyDoom.A Worm
The MyDoom.A worm (also known as W32.Novarg.A@mm or W32/Mydoom@MM) is yet
another Windows-targeting mass-mailing worm, infecting Windows systems
connected to the Internet. It arrives as an attachment under a subject
that suggests an error in the mail delivery system, so that the message
looks like a "bounce" of something the user sent. The attachment
has one of the following file extensions: .bat, .cmd, .exe,
.pif, .scr, or .zip. Opening the attachment infects any system whose
antivirus software is not properly updated. Once active on an infected
system, the worm creates several files:
• "shimgapi.dll" in %systemroot%
• "Message" in %temp%
It also replaces the default taskmon.exe in %systemroot%, where one
exists, with a Trojan-horse version of taskmon.exe in the same
directory. Additionally, it modifies the infected system's
Registry by inserting the value:
TaskMon = %System%\taskmon.exe
in the following Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
It creates the following new Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and then copies itself into the KaZaA download directory as a file
with one of the following names:
• activation_crack
• icq2004-final
• nuke2004
• office_crack
• strip-girl-2.0bdcom_patches
• rootkitXP
• winamp5
with a file extension of .bat, .pif, or .scr. MyDoom.A opens
a backdoor into the infected system by listening on TCP
ports 3127 through 3198, and it can launch a denial-of-service
attack against the SCO Web site (www.sco.com).
The "moral of the story" is that you need to ensure
that your Windows system is running updated antivirus software,
and that you do not open or forward any attachment
you are not expecting. If MyDoom.A infects your system,
download and run a MyDoom removal tool from the Symantec Web site.
The MyDoom.B Worm
The MyDoom.B worm (also known as Novarg.B and W32.Mydoom.B@mm)
is yet another Windows-targeting mass-mailing worm. It arrives
as an attachment with one of the extensions .bat, .cmd,
.exe, .pif, .scr, or .zip, and it infects any system on which
the user opens the attachment and the antivirus software is not
fully updated. Once it runs on a system, the following occurs:
- Creation of new files, including: (1) a new file in the %TEMP% folder holding the worm code itself; (2) %systemroot%\Ctfmon.dll, a backdoor proxy server that relays connections and also lets the worm's author and others download and run files of their choice over TCP ports 80, 1080, 3128, 8080, and 10080; (3) %TEMP%\Message, a file containing nothing but random letters; and (4) %systemroot%\Explorer.exe, a Trojan horse program named so that users mistake it for Windows Explorer.
- Halting the taskmon.exe program, if it is running.
- Modification of the following Registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
by inserting the value "Explorer" = "%System%\Explorer.exe"
in both, so that the bogus Explorer.exe starts
every time the infected system is booted.
- Modification of the following Registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
by setting the value "(Default)" = "%System%\ctfmon.dll".
This makes the bogus Explorer.exe load Ctfmon.dll.
- Modification of the local hosts file to prevent users from
reaching certain Web sites, including those of major antivirus
vendors such as Symantec.
- Launching of a DoS attack against www.sco.com and www.microsoft.com,
chosen probabilistically, by sending a flood of HTTP GET requests.
- A search for email addresses in files whose extensions indicate
they may contain them.
- Creation of its own Simple Mail Transfer Protocol (SMTP)
engine to send messages containing infected attachments
to addresses it has found in the infected machine's
files. The email this worm generates generally has a falsified
(spoofed) sender address and one of the following subjects:
* Delivery error
* hello
* hi
* Mail Delivery System
* Mail Transaction Failed
* Returned mail
* Server Report
* Status
The message body is one of the following (quoted as the worm
sends them, misspellings included):
* "Mail transaction failed. Partial message is available."
* "sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received."
* "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
* "The message contains MIME-encoded graphics and has been sent as a binary attachment."
* "The message contains Unicode characters and has been sent as a binary attachment."
The attachment has either one or two file extensions.
With one, the extension is .bat, .cmd, .exe, .pif,
.scr, or .zip. With two, the first extension is always
.doc, .htm, or .txt and the second is one of the extensions
just listed, so a name such as "message.doc.scr" is a disguised
executable. If the final extension is .exe or .scr, a special
icon for the file is displayed.
- Making a copy itself in the Kazaa download folder (if
it exists) with a file extension of .bat, .exe, .pif or
.scr.
- Attempting to locate systems that have already been infected
by the MyDoom.A worm and infecting them with this version
(MyDoom.B).
Note that the MyDoom.B worm is programmed to stop infecting systems
on March 1, 2004. Any backdoors it has planted will, however,
remain active indefinitely.
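The bounce-style lure and the double-extension attachment trick described above are easy to screen for at a mail gateway or in a saved mailbox. The following is an added example, not code from the original page or from any antivirus vendor: it parses a raw message with Python's standard `email` module, matches the subject against the MyDoom.B subject list, flags attachments carrying the executable extensions listed on this page, and catches the .doc/.htm/.txt-plus-executable double extension. The sample message is constructed and its addresses are invented; the subject and extension tables can be extended with the lists given for the later variants on this page.

```python
"""Screen a raw e-mail for the MyDoom.B lure pattern described above.

Added example (not code from the original page or from any antivirus vendor).
Standard library only; the sample message is constructed with invented addresses.
"""
import email
from email import policy
from typing import Dict, List

# Subjects this page lists for MyDoom.B, compared case-insensitively.
LURE_SUBJECTS = {
    "delivery error", "hello", "hi", "mail delivery system",
    "mail transaction failed", "returned mail", "server report", "status",
}
# Extensions this page lists as carrying the worm; .cpl appears under MyDoom.AF.
EXEC_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "cpl"}
# Decoy first extensions of the MyDoom.B double-extension trick ("report.doc.scr").
DECOY_EXTENSIONS = {"doc", "htm", "txt"}


def classify_filename(name: str) -> List[str]:
    """Return the findings for one attachment filename (empty list means clean)."""
    findings = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXEC_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension .{parts[-2]}.{ext}")
    elif ext == "zip":
        findings.append("zip container (inspect contents)")
    return findings


def triage_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and return a verdict with its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        reasons.append(f"lure subject {subject!r}")
    # A genuine delivery failure comes from the mail system, not from a user mailbox.
    sender = str(msg["From"] or "").lower()
    looks_like_bounce = any(w in subject.lower() for w in ("delivery", "returned", "transaction"))
    if looks_like_bounce and not any(w in sender for w in ("mailer-daemon", "postmaster")):
        reasons.append("bounce-style subject but sender is not a mailer daemon")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for finding in classify_filename(name):
            reasons.append(f"attachment {name!r}: {finding}")
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


# Constructed sample in the shape of the MyDoom.B bounce lure (addresses invented).
SAMPLE = b"""From: alice@example.net
To: bob@example.org
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.
--XX
Content-Type: application/octet-stream; name="message.doc.scr"
Content-Disposition: attachment; filename="message.doc.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XX--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE))
```

To run it on a saved message, call `triage_message(open(path, "rb").read())`. The sender check is a heuristic rather than a rule from the page: a real delivery failure is generated by the mail system (MAILER-DAEMON or postmaster), so a bounce subject arriving from an ordinary mailbox is suspicious on its own, before the attachment is even looked at.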
Because this worm makes so many changes in systems it infects,
clean-up requires many steps. For clean-up procedures, go
here.
The MyDoom.Y Worm
The MyDoom.Y worm is yet another mass-mailing Windows worm.
It arrives as a message with a subject of "album"
or "You've got a Virtual Postcard." The sender's
address is falsified, based on addresses this worm finds in
each system it infects. The message content is one of the
following:
"my pics... *sexy*. Heheh!;),"
"You have just received a new postcard from Flashecard.com!
From: %sender%"
"To pick up your postcard follow this Web address
http://www.flashecard.com.viewcard.main.ecard.php?2342
or click the attached link."
"We hope you enjoy your postcard, and if you do, please
take a moment to send a few yourself!"
"(Your message will be available for 30 days.)"
"Please visit our site for more information.
http:/ /www.flashecard.com"
The attachment is named "photos_album.zip," "photos_album.scr,"
"www.flashecard.com_postcard=viewcard_download.html.scr,"
or "www.flashecard.com_postcard=viewcard_download.html.zip."
When MyDoom.Y infects a system, it copies itself into the
system folder (%System%) as syshosts.exe. It adds the value
"MS Updates"="%System%\syshosts.exe"
to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
in the victim system's Registry, so that it starts every
time the system boots. It also creates a new key,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOSTS.
Next, MyDoom.Y opens a specified Web site in Internet Explorer
and then tries to kill processes whose names contain certain
strings, such as "AV," "Mc," "scn," and "task." The worm gleans
email addresses from the infected system's Outlook address book
and from files with certain extensions, and uses its own mail
engine to spew messages with infected attachments to these addresses.
MyDoom.Y does not damage systems per se, although it makes
changes that need to be reversed. If MyDoom.Y infects
your system, download and run a MyDoom removal tool from the
Symantec Web site.
The MyDoom.AF Worm
MyDoom.AF, a new addition to the growing MyDoom family of worms,
was reported in the press as exploiting an unpatched flaw in Microsoft's
Internet Explorer browser, a particular risk for the typical home and
small-business user without corporate-style perimeter defenses.
Researchers warned that more code exploiting the vulnerability could
appear within weeks while the flaw remained unpatched. Note that vendor
naming of these variants was inconsistent: the link-based, Internet
Explorer-exploiting behaviour described in those reports matches the
IFRAME worm covered under MyDoom.AH (Bofra.D) below, whereas the Symantec
description of W32.Mydoom.AF@mm that follows is of a conventional
attachment-based mass mailer.
The cautious Internet user should refrain from
opening suspicious email with the following subject lines:
- "funny photos :)"
- "hello"
- "hey!"
The MyDoom.AF worm is a mass-mailing worm that uses its own
SMTP engine to send itself to email addresses it finds on
infected computers; it also carries backdoor functionality
that allows unauthorized remote access. Users who open an
infected email and click the links in the message body are
directed to a site from which the attack is launched.
Microsoft issued a statement saying that it's aware of the
new variant and an investigation is under way. According to
early reports, the vulnerability doesn't exist on Windows
XP Service Pack 2 (SP2), so customers running the security
update are at a reduced risk of the threat, Microsoft said.
The software maker and security experts advised users to install
SP2 if they haven't already.
Also known as: Win32.Mydoom.AD [Computer
Associates], W32/Mydoom.ae@MM [McAfee], I-Worm.Mydoom.aa [Kaspersky]
Systems affected: Windows 2000, Windows
95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP
The email will have a variable subject and attachment name.
The attachment will have a .cpl, .pif, or .scr file extension.
How the Worm Turns
According to Symantec, when W32.Mydoom.AF@mm runs, it does
the following:
- Creates the mutex named "My-Game," so that
only one instance of the worm is running at any given time.
- Copies itself as %System%\avpr.exe. Note: %System% is
a variable that refers to the System folder. By default,
this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following files:
* %System%\TCP5424.dll (this file is responsible for the
backdoor component of the worm through TCP ports 5424, 5425,
and 5426).
* %System%\msg15.txt (a non-viral text file).
- Adds the value: "Avpr" = "%System%\avpr.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
- Modifies the value:
"(Default)"="%System%\TCP5424.dll"
in the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
so that Explorer.exe loads TCP5424.dll.
- Deletes the following values:
* ICQ Net
* MsnMsgr
from the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Appends the following lines to the %System%\drivers\etc\hosts
file, which prevents access to certain security-related
Web sites:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
- Downloads a file from www.freewebs.com, saves it as c:\scran.exe,
and executes it. This file will be detected as W32.Narcs.
- Attempts to guess the name of an SMTP server by prepending
the following names to the domain names gathered from the
local computer:
* gate.
* mail.
* mail1.
* mail4.
* mx.
* mx1.
* mx2.
* mx3.
* mx4.
* mxs.
* ns.
* relay.
* smtp.
- Gathers email addresses from the Windows address book
and from files with the following extensions:
* .adbh
* .aspd
* .cfg
* .cgi
* .dbxn
* .eml
* .htmb
* .html
* .jsp
* .mbx
* .mdx
* .msg
* .phpq
* .sht
* .tbbg
* .txt
* .uin
* .vbs
* .wab
* .wsh
* .xls
* .xml
- Uses its own SMTP engine to send itself to the email addresses
that it finds. The email has the following characteristics:
From: (spoofed)
Subject: (One of the following)
* Announcement
* Details
* Document
* Fw:Document
* Fw:Important
* Fw:Information
* Fw:Notification
* Fw:Warning
* Important
* Information
* Notification
* Re:Details
* Re:Document
* Re:Important
* Re:Information
* Re:Notification
* Re:Warning
* Warning
* readnow!
Message: (One of the following)
* Check the attached document.
* Daily Report.
* Details are in the attached document.
* Important Information.
* Kill the writer of this document!
* Monthly news report.
* Please answer quickly!.
* Please confirm!.
* Please read the attached file!.
* Please see the attached file for details
* Please see the attached file for details.
* Reply
* See the attached file for details
* Waiting for a Response. Please read the attachment.
* here is the document.
* your document.
followed by:
* +++ Attachment: No Virus found
followed by one of the following:
* +++ Bitdefender AntiVirus - www.bitdefender.com
* +++ F-Secure AntiVirus - www.f-secure.com
* +++ Kaspersky AntiVirus - www.kaspersky.com
* +++ MC-Afee AntiVirus - www.mcafee.com
* +++ MessageLabs AntiVirus - www.messagelabs.com
* +++ Norman AntiVirus - www.norman.com
* +++ Norton AntiVirus - www.symantec.com
* +++ Panda AntiVirus - www.pandasoftware.com
Attachment: (One of the following)
* archive.doc
* attachment.doc
* check.doc
* data.doc
* document.doc
* error.doc
* file.doc
* information.doc
* letter.doc
* list.doc
* message.doc
* msg.doc
* news.doc
* note.doc
* notes.doc
* report.doc
* text.doc
How to Recover
Manual Removal
The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec AntiVirus
and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected
as W32.Mydoom.AF@mm.
5. Delete the values that the worm adds to the registry.
Preventing Infections
Update your system's antivirus software daily. Go here
for procedures on updating antivirus software. Refrain from
opening links on unfamiliar email or emails you are not expecting.
More Info
For more information on removal, see Symantec’s W32.Mydoom.AF@mm
web page.
The MyDoom.AG Worm
W32.Mydoom.AG@mm is a mass-mailing worm that
uses its own SMTP engine to send itself to the email addresses
that it finds on the infected computer and also propagates
through peer-to-peer networks.
The email will have a variable subject and attachment name.
The attachment will have a .bat, .cmd, .exe, .pif, .scr, or
.zip file extension.
Also known as: WORM_SWASH.A
[Trend Micro], I-Worm.Mydoom.ab [Kaspersky], Win32.Mydoom.AE
[Computer Associates], W32/Mydoom.af@MM [McAfee].
Systems affected: Windows 2000, Windows
95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP.
According to Symantec, when W32.Mydoom.AG@mm runs, it does
the following:
1. Creates the following files:
%System%\lsasrv.exe
%System%\version.ini
[path of execution]\hserv.sys
2. Adds the value:
"lsass" = "%System%\lsasrv.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Modifies the value:
"Shell" = "explorer.exe %System%\lsasrv.exe"
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
so the worm is executed when Windows starts.
4. Gathers email addresses from the Windows address book
and from files with the following extensions:
* .wab
* .pl
* .adb
* .tbb
* .dbx
* .asp
* .php
* .sht
* .htm
* .txt
5. Uses its own SMTP engine to send itself to the email
addresses that it finds. The email has the following characteristics:
From: (one of the following names)
* Joseph
* Ronald
* Hannah
* Kimberly
* Maria
* George
* Charles
* Len
* Cissi
* Sandra
* Jennifer
* Hans
* Richard
* Lee
* Emily
* Helen
* Elizabeth
* Donald
* David
* Harris
* Nicholas
* Betty
* Barbara
* Mark
* William
* Martin
* Ethan
* Karen
* Linda
* Paul
* Michael
* Edward
* Cynthia
* Nancy
* Patricia
* Daniel
* Robert
* Olivia
* Angela
* Dorothy
* Kevin
* Christopher
* John
* Josefine
* Melissa
* Susan
* Anthony
* Thomas
* James
With one of the following domains:
* compuserve.com
* juno.com
* earthlink.net
* yahoo.co.uk
* hotmail.com
* yahoo.com
* msn.com
* aol.com
Subject: (one of the following)
* Attention!!!
* Do not reply to this email
* Error
* Good day
* hello
* Mail Delivery System
* Mail Transaction Failed
* Server Report
* Status
Attachment name:(one of the following)
* body
* message
* docs
* data
* file
* rules
* doc
* readme
* document
With one of the following extensions:
* .bat
* .cmd
* .exe
* .pif
* .scr
* .zip
Message body: (one of the following)
* The message contains Unicode characters and
has been sent as a binary attachment.
* The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
* Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in
the attachment file.
It's a real good choise to go to WORLDXXXPASS.COM
* Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash"
spreading very fast via email and P2P networks. It's about
two million people infected and it will be more.
To avoid your infection by this virus and to stop it we
provide you with full information how to protect yourself
against it and also including free remover. Your can find
it in the attachment.
© 2004 Networks Associates Technology, Inc. All Rights Reserved
* New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders
using a credit cards for making purchase in the Internet
in the attachment. Please, read it carefully. If you are
not agree with new terms and conditions do not use your
credit card in the World Wide Web.
Thank you,
The World Bank Group
© 2004 The World Bank Group, All Rights Reserved
* Attention! Your IP was logged by The Internet Fraud Complaint
Center
Your IP was logged by The Internet Fraud Complaint Center.
There was a fraud attempt logged by The Internet Fraud Complaint
Center from your IP. This is a serious crime, so all records
was sent to the FBI. All information you can find in the
attachment. Your IP was flagged and if there will be anover
attemption you will be busted.
This message is brought to you by the Federal Bureau of
Investigation and the National White Collar Crime Center
6. Copies itself into the shared folders of Kazaa, Morpheus,
iMesh, eDonkey, or LimeWire under one of the following names.
The file has either a bat, pif, scr, or exe extension:
* porno
* NeroBROM6.3.1.27
* avpprokey
* Ad-awareref01R349
* winxp_patch
* adultpasswds
* dcom_patches
* K-LiteCodecPack2.34a
* activation_crack
* icq2004-final
* winamp5
7. Attempts to disable the following processes, which
include processes associated with firewall and antivirus
applications:
* i11r54n4.exe
* irun4.exe
* d3dupdate.exe
* rate.exe
* ssate.exe
* winsys.exe
* winupd.exe
* SysMonXP.exe
* bbeagle.exe
* Penis32.exe
* teekids.exe
* MSBLAST.exe
* mscvb32.exe
* sysinfo.exe
* PandaAVEngine.exe
* taskmon.exe
* wincfg32.exe
* outpost.exe
* zonealarm.exe
* navapw32.exe
* navw32.exe
* zapro.exe
* msblast.exe
* netstat.exe
8. Downloads a file from the wmspb.net domain. At the
time of this writing, the file is 8 bytes in size.
9. Appends the following lines to the file %System%\drivers\etc\hosts
to prevent access to antivirus-related domains.
* 127.0.0.1 www.symantec.com
* 127.0.0.1 securityresponse.symantec.com
* 127.0.0.1 symantec.com
* 127.0.0.1 www.sophos.com
* 127.0.0.1 sophos.com
* 127.0.0.1 www.mcafee.com
* 127.0.0.1 mcafee.com
* 127.0.0.1 liveupdate.symantecliveupdate.com
* 127.0.0.1 www.viruslist.com
* 127.0.0.1 viruslist.com
* 127.0.0.1 www.f-secure.com
* 127.0.0.1 f-secure.com
* 127.0.0.1 kaspersky.com
* 127.0.0.1 kaspersky-labs.com
* 127.0.0.1 www.avp.com
* 127.0.0.1 avp.com
* 127.0.0.1 www.kaspersky.com
* 127.0.0.1 www.networkassociates.com
* 127.0.0.1 networkassociates.com
* 127.0.0.1 www.ca.com
* 127.0.0.1 ca.com
* 127.0.0.1 mast.mcafee.com
* 127.0.0.1 www.my-etrust.com
* 127.0.0.1 my-etrust.com
* 127.0.0.1 download.mcafee.com
* 127.0.0.1 dispatch.mcafee.com
* 127.0.0.1 secure.nai.com
* 127.0.0.1 www.nai.com
* 127.0.0.1 nai.com
* 127.0.0.1 update.symantec.com
* 127.0.0.1 updates.symantec.com
* 127.0.0.1 us.mcafee.com
* 127.0.0.1 liveupdate.symantec.com
* 127.0.0.1 customer.symantec.com
* 127.0.0.1 rads.mcafee.com
* 127.0.0.1 www.trendmicro.com
* 127.0.0.1 trendmicro.com
* 127.0.0.1 www.grisoft.com
* 127.0.0.1 grisoft.com
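MyDoom.B, .AF and .AG all append loopback entries for vendor domains to the hosts file, which is why an infected machine can no longer reach update servers or download a removal tool. The following is an added example, not code from the original page or from Symantec, that finds such entries and strips only the worm-added names, leaving legitimate lines alone. The vendor-domain table is drawn from the hosts lists on this page, the sample hosts file is constructed, and treating 0.0.0.0 as a sinkhole alongside 127.0.0.1 goes slightly beyond the page's lists, which use 127.0.0.1 only.

```python
"""Find and undo the hosts-file blackholing described for MyDoom.B, .AF and .AG.

Added example (not code from the original page or from Symantec). It works on
hosts-file text; on a Windows host read %System%\\drivers\\etc\\hosts. The sample
below is constructed. Treating 0.0.0.0 as a sinkhole alongside 127.0.0.1 goes
beyond the page's lists, which use 127.0.0.1 only.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Registrable domains of the vendors named in the hosts lists on this page.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "sophos.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "viruslist.com", "ca.com", "my-etrust.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com",
}


def _is_sinkhole(addr: str) -> bool:
    """True for loopback or unspecified addresses: the name leads nowhere."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _registrable(host: str) -> str:
    """Last two labels of a hostname ('liveupdate.symantec.com' -> 'symantec.com')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_blackholed(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, hostname) for every vendor name sent to a sinkhole."""
    hits = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()      # ignore comments and blank lines
        if len(fields) < 2 or not _is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:
            if _registrable(name) in VENDOR_DOMAINS:
                hits.append((lineno, fields[0], name))
    return hits


def clean_hosts(hosts_text: str) -> str:
    """Return the hosts text with only the blackholing names removed. A line that
    held nothing but worm entries is dropped; a shared line keeps its other names
    (its trailing comment, if any, is not preserved)."""
    bad: Dict[int, Set[str]] = {}
    for lineno, _, name in find_blackholed(hosts_text):
        bad.setdefault(lineno, set()).add(name)
    out = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        if lineno in bad:
            fields = line.split("#", 1)[0].split()
            keep = [f for f in fields[1:] if f not in bad[lineno]]
            if not keep:
                continue
            line = " ".join([fields[0]] + keep)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: a stock hosts file with three worm-appended lines (4-6).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate local entry
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com
0.0.0.0 kaspersky-labs.com
"""

if __name__ == "__main__":
    for lineno, addr, name in find_blackholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Matching on the registrable domain rather than the exact hostnames in the page's lists means a variant that blackholes a host not in the list (a new update mirror, say) is still caught. Edit the real hosts file only after the worm's processes have been stopped, since the running worm may simply append the entries again.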
How to Recover
Manual Removal
The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec AntiVirus
and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected
as W32.Mydoom.AG@mm.
5. Delete the values that the worm adds to the registry.
For specific details on each of these steps, read the instructions
on Symantec's web site.
Preventing Infections
Update your system's antivirus software daily. Go here
for procedures on updating antivirus software. Refrain from
opening links on unfamiliar email or emails you are not expecting.
The MyDoom.AH Worm
The MyDoom.AH worm, also called Bofra.D, is
another mass-mailing worm that exploits the Microsoft Internet
Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability
(as described in Microsoft Security Bulletin MS04-040).
The worm also spreads by sending an email to addresses that
it finds on the infected computer.
Also known as: W32.Bofra.D@mm, W32.Mydoom.AH@mm,
Win32.Bofra.E [Computer Associates], Bofra.B [F-Secure], I-Worm.Mydoom.ad
[Kaspersky], W32/Mydoom.ah@MM [McAfee], W32/Bofra.B@mm [Norman],
W32/Bofra-B [Sophos], WORM_BOFRA.B [Trend Micro].
Systems affected: Windows 2000, Windows
95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP.
When W32.Bofra.D@mm is executed, it performs the following
actions:
- Creates the file %System%\[random name]32.exe.
Note: %System% is a variable that refers to the System folder.
By default this is C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows XP).
- Adds the value:
"Reactor5" = "%System%\[random name]32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm is executed every time Windows starts.
- May create the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
- Deletes the following values:
* center
* reactor
* Rhino
* Reactor3
* Reactor4
from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Attempts to inject its code as a thread into any processes
with the window class name "Shell_TrayWnd," or
any process running in the foreground.
If successful, the worm will continue to run within the
infected process. All the actions described in the next
step will appear to be done by the infected process, and
the worm will not be visible when the user views the process
list in the Windows Task Manager.
If unsuccessful, the worm will continue to run as its own
process.
- Gathers email addresses from the Windows address book
and from files with the following extensions:
* .txt
* .htmb
* .shtl
* .phpq
* .aspd
* .dbxn
* .tbbg
* .adbh
* .pl
* .wab
- Uses its own SMTP engine to send itself to the email
addresses that it finds. The email has the following characteristics:
From: (spoofed)
Subject: (One of the following)
* Hi!
* hey!
* <blank>
* Confirmation
Message text:
Header:(One of the following)
* X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http:/ /amavis.org/)
* X-AntiVirus: Checked by Dr.Web (http:/ /www.drweb.net)
* X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
Body (One of the following):
* Hi! I am looking for new friends. My name is Jane, I am from Miami, FL. See my homepage with my weblog and last webcam photos! See you!
* Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!
* Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days. To see details please click this link DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.
The email contains one of the following URLs, which exploit
the Microsoft Internet Explorer Malformed IFRAME Remote
Buffer Overflow Vulnerability (as described in Microsoft
Security Bulletin MS04-040):
* http://[remote address]:1639/index.htm
* http://[remote address]:1640/index.htm
Note: [remote address] in the above links is the IP address
of the computer that sent the email.
The exploit allows a copy of the worm to be downloaded onto
the infected computer as %System%\[random name].exe.
Another copy of the worm is downloaded onto the Desktop
folder as vv.dat, and is executed either as a single process
or an injected thread into explorer.exe.
- The worm avoids sending email to addresses that meet
the following criteria:
Contain any of the following strings in the recipient domain:
* acketst
* arin.
* berkeley
* bsd
* fido
* fsf.
* gnu
* google
* iana
* ibm.com
* ietf
* isc.o
* isi.e
* kernel
* linux
* math
* mit.e
* mozilla
* pgp
* rfc-ed
* ripe.
* secur
* sendmail
* tanford.e
* unix
* usenet
* utgers.ed
Addresses whose names begin with one of the following:
* abuse
* anyone
* bugs
* ca
* contact
* feste
* gold-certs
* help
* info
* me
* no
* nobody
* noone
* not
* nothing
* page
* postmaster
* privacy
* rating
* root
* samples
* secur
* service
* site
* soft
* somebody
* someone
* spm
* submit
* the.bat
* webmaster
* www
* you
* your
Addresses which contain any of the following strings:
* accoun
* admin
* bsd
* certific
* google
* icrosoft
* linux
* listserv
* ntivi
* spam
* support
* unix
- Opens a Web server on TCP port 1639 and listens for commands.
- Attempts to connect to the following IRC servers on TCP
port 6667:
* broadway.ny.us.dal.net
* brussels.be.eu.undernet.org
* caen.fr.eu.undernet.org
* ced.dal.net
* coins.dal.net
* diemen.nl.eu.undernet.org
* flanders.be.eu.undernet.org
* graz.at.eu.undernet.org
* london.uk.eu.undernet.org
* los-angeles.ca.us.undernet.org
* lulea.se.eu.undernet.org
* ozbytes.dal.net
* qis.md.us.dal.net
* vancouver.dal.net
* viking.dal.net
* washington.dc.us.undernet.org
- If the current date is December 16th, 2004, or later,
the worm exits.
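Every variant on this page persists through a Run value, two of them use less obvious keys (MyDoom.AG rewrites the Winlogon Shell value; MyDoom.B and .AF point the InProcServer32 default of CLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} at their DLL), and MyDoom.A, .AF and .AH leave TCP listeners open. Before running a removal tool it is worth checking for all of them at once. The following is an added example, not code from the original page or from Symantec, that triages a registry export (as produced by `reg export`) and `netstat -an` output for those indicators. The value names, keys and port ranges are taken from the sections above; both samples are constructed; and the expectation that this CLSID normally points at webcheck.dll is an assumption to confirm against a known-clean machine of the same Windows version.

```python
"""Triage a Windows host for the persistence and backdoor artifacts listed on this page.

Added example (not code from the original page or from Symantec). It reads two
text artifacts a responder can collect with built-in tools: a registry export
(reg export <key> file.reg) and "netstat -an" output. Samples below are constructed.
"""
import re
from typing import Dict, List, Tuple

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
# Run-value names each variant on this page adds (matched case-insensitively).
RUN_VALUES = {
    "taskmon": "MyDoom.A", "explorer": "MyDoom.B", "ms updates": "MyDoom.Y",
    "avpr": "MyDoom.AF", "lsass": "MyDoom.AG", "reactor5": "MyDoom.AH (Bofra.D)",
}
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# CLSID whose InProcServer32 default MyDoom.B (ctfmon.dll) and .AF (TCP5424.dll) hijack.
WEBCHECK = r"hkey_classes_root\clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32"
WEBCHECK_DLL = "webcheck.dll"  # ASSUMED clean value; confirm on a known-good host
# TCP listeners tied to variants on this page. MyDoom.B's proxy ports (80, 1080,
# 3128, 8080, 10080) are left out: they collide with legitimate services.
PORT_RANGES = [
    (3127, 3198, "MyDoom.A backdoor"),
    (5424, 5426, "MyDoom.AF backdoor (TCP5424.dll)"),
    (1639, 1640, "MyDoom.AH (Bofra.D) web server"),
]
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<raw>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'Windows Registry Editor' / REGEDIT4 text into
    {key (lower-cased): {value name: value}}; the default value is stored as '@'.
    Only REG_SZ values are unescaped; other types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group("raw")
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current]["@" if m.group("default") else m.group("name")] = raw
    return keys


def registry_findings(reg_text: str) -> List[str]:
    """Return one line per indicator found in the export."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key in RUN_KEYS:
        for name, value in keys.get(key, {}).items():
            variant = RUN_VALUES.get(name.lower())
            if variant:
                findings.append(f"{variant}: Run value {name!r} -> {value}")
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"MyDoom.AG-style Winlogon Shell tampering: {shell!r}")
    dll = keys.get(WEBCHECK, {}).get("@")
    if dll is not None and not dll.lower().endswith(WEBCHECK_DLL):
        findings.append(f"WebCheck CLSID InProcServer32 hijacked (MyDoom.B/.AF): {dll}")
    return findings


def listener_findings(netstat_text: str) -> List[Tuple[int, str]]:
    """Return (port, label) for each TCP LISTENING socket inside a known range."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])
        hits.extend((port, label) for lo, hi, label in PORT_RANGES if lo <= port <= hi)
    return hits


# Constructed sample export: one clean Run value plus three indicators from this page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\lsasrv.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\TCP5424.dll"
'''
# Constructed "netstat -an" excerpt with two listeners in the ranges above.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1639       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1037       10.0.0.8:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for finding in registry_findings(SAMPLE_REG):
        print(finding)
    for port, label in listener_findings(SAMPLE_NETSTAT):
        print(f"{port}/tcp listening: {label}")
```

The registry checks key on value names and keys, not on file paths, because the page shows the same name (for example "Explorer" or "lsass") being chosen precisely to blend in with legitimate entries; a hit therefore needs the file named in the value to be inspected before it is deleted. Note that MyDoom.AH injects itself into another process, so a listener on 1639 may belong to an apparently legitimate process in the process list.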
How to Recover
Removal Using the Removal Tool
Symantec Security Response has developed a removal
tool to clean the infections of W32.Bofra.D@mm. This is
the preferred method in most cases.
Manual Removal
The following instructions pertain to all current and recent
Symantec antivirus products, including the Symantec AntiVirus
and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected
as W32.Bofra.D@mm.
5. Delete the value that was added to the registry.
Preventing Infections
Update your system's antivirus software daily. Go here
for procedures on updating antivirus software. Refrain from
opening links on unfamiliar email or emails you are not expecting.
More Info
For more information on removal, see Symantec's W32.Bofra.D@mm
web page.