CERT-In Advisory CIAD-2004-02
W32/Mydoom@MM Worm
Original issue date: January 29, 2004
Updated on: February 02, 2004
Severity: High
Systems Affected
- Microsoft Windows 2003
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows NT 4.0
- Microsoft Windows 9X
- Microsoft Windows ME
Overview
W32/Mydoom@MM is a mass-mailing worm, also known as W32.Novarg.A@mm, Win32/Shimg, WORM_MIMAIL.R, W32/Mydoom.A.worm, Win32:Mydoom [Wrm], Worm/MyDoom.A2, I-Worm.Win32.Mydoom.22528, I-Worm.Novarg, W32/Mydoom.A@mm and Win32.HLLM.MyDoom.32768.
- It spreads over email and Kazaa P2P networks
- When executed, the worm opens up Windows Notepad displaying garbage data
- Overwrites the HOSTS file located at %WINDIR%\system32\drivers\etc\hosts.
- Creates an explorer.exe file in the Windows system directory (%windir%\system on Windows 95/98/ME, %windir%\system32 on Windows NT/2000/XP). It is the main virus executable and is different from the original explorer.exe located in %windir%.
- Installs a backdoor on the compromised system in the Windows System folder with the name CTFMON.DLL, listening on one of the following ports: 1080, 3128, 80, 8080, 10080.
- Launches a DoS attack against two web sites at a fixed time in the future
- It also tries to infect computers in the local network already infected by a former variant of the worm, by using the backdoor already installed on port 3127.
Impact
The worm clogs network traffic and opens ports on the infected system.
Description
This is a mass-mailing and a peer-to-peer file-sharing worm that arrives in an email message as follows:
From: (spoofed email sender)
Subject: (Varies, such as)
- Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi
Body: (Varies, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
- examples (common names, but can be random)
- doc.bat
- document.zip
- message.zip
- readme.zip
- text.pif
- hello.cmd
- body.scr
- test.htm.pif
- data.txt.exe
- file.scr
The icon used by the file tries to make the attachment appear to be a text file.
The worm copies itself to the Kazaa Shared Directory with the following filenames:
- nuke2004
- office_crack
- rootkitXP
- strip-girl-2.0bdcom_patches
- activation_crack
- icq2004-final
- winamp
The worm overwrites the local hosts file (%WINDIR%\system32\drivers\etc\hosts) to prevent infected computers from accessing specific sites from any application that uses domain names, including most anti-virus update programs, electronic mail, HTTP, and FTP.
At least one version of this worm has been observed to write the following data to this file:
127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0 0.0.0.0
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
0.0.0.0 www.symantec.com symantec.com service1.symantec.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 support.microsoft.com downloads.microsoft.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com
0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru www.networkassociates.com
0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net
0.0.0.0 www.microsoft.com
Reportedly, the entry for www.microsoft.com is removed on February 3, 2004 by W32/MyDoom.B.
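A defender checking a suspect machine wants to know which names the hosts file has pinned to an unreachable address. The following Python is an added example, not part of the advisory; it parses hosts-file syntax (comments, several names per line, the stray "0.0.0.0 0.0.0.0" entry) and reports every non-local name mapped to 0.0.0.0 or a loopback address. The sample file content is constructed from the entries listed above.

```python
import ipaddress

# Constructed sample of a tampered hosts file, built from the entries the
# advisory lists (not a capture from a real infected system).
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0 0.0.0.0
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com   # inline comment
0.0.0.0 liveupdate.symantec.com update.symantec.com
0.0.0.0 windowsupdate.microsoft.com download.microsoft.com
192.168.1.10 intranet.example.local
"""

# Names that legitimately map to a loopback address and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "lo",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, [hostnames]) for every usable line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a valid hosts entry; ignore
        yield addr, fields[1:]

def sinkholed_hosts(text):
    """Return hostnames pinned to 0.0.0.0 or a loopback address, in file order.

    Mydoom writes lines such as '0.0.0.0 liveupdate.symantec.com' so that
    update and vendor sites become unreachable; any non-local name mapped to
    an unspecified or loopback address is reported here.
    """
    found = []
    for addr, names in parse_hosts(text):
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            try:
                ipaddress.ip_address(name)    # the stray '0.0.0.0 0.0.0.0' line
                continue                      # carries an address, not a hostname
            except ValueError:
                found.append(name)
    return found
```

On a live Windows system, read %SystemRoot%\system32\drivers\etc\hosts and pass its contents to sinkholed_hosts(); a non-empty result on a machine that should have no such entries is a strong sign of tampering.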
Remote Access Component
The worm opens a connection on TCP port 3127 suggesting remote access capabilities. Mydoom.B also opens TCP port 10080.
Denial of Service Payload
On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against a particular website. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.
Workaround
- Filter the following TCP ports: 3127-3198, 1080, 80, 8080 and 10080, depending on network requirements, at the host and network level.
- Mail server administrators may also block e-mail messages at the network gateway level based on the subject, body text and attachment associated with the Mydoom worm.
- For an additional layer of protection, users are advised to deploy a personal firewall on their system. This helps stop the spread of the worm to other systems by blocking its ability to send email.
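The gateway filter suggested above can be expressed directly from the indicators in the Description section. The following Python is an added example, not part of the advisory or of any vendor product; it scores a message on the listed subjects, body phrases, executable extensions (including double extensions such as test.htm.pif, and executables inside a ZIP) and the 22,528-byte size, and holds a message only when an executable attachment is joined by another indicator. The sample messages are constructed.

```python
# Indicators taken from the advisory's description of the Mydoom message.
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODY_PHRASES = ("has been sent as a binary attachment",
                "mail transaction failed. partial message is available")
EXEC_EXTS = {"bat", "exe", "pif", "cmd", "scr"}
WORM_SIZE = 22528   # size of the worm executable given in the advisory

def _ext(filename):
    """Final extension, lower-cased, so 'test.htm.pif' yields 'pif'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def mydoom_indicators(subject, body, attachments):
    """Return the indicator names present in one message, in a fixed order.

    attachments: list of (filename, size_bytes, names_inside_archive);
    names_inside_archive is empty for anything that is not a ZIP.
    """
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    if any(p in body.lower() for p in BODY_PHRASES):
        hits.append("body")
    for name, size, inner in attachments:
        if any(_ext(n) in EXEC_EXTS for n in [name, *inner]):
            hits.append("executable-attachment")
        if size == WORM_SIZE:
            hits.append("attachment-size")
    return hits

def should_quarantine(subject, body, attachments):
    """Hold the message when an executable attachment is joined by at least
    one other indicator; a lone matching subject such as 'hi' is not enough."""
    hits = mydoom_indicators(subject, body, attachments)
    return "executable-attachment" in hits and len(hits) >= 2

# Constructed sample messages (not real captures).
WORM_MSG = ("Mail Transaction Failed",
            "Mail transaction failed. Partial message is available.",
            [("message.zip", 13120, ["text.pif"])])
BENIGN_MSG = ("Status", "Weekly status report attached.",
              [("report.pdf", 40000, [])])
```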
Solution
Removal Instructions:
1. Registry:
(a) Edit the registry and delete the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe
HKEY_USERS\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
(b) Reboot the system
2. To remove the backdoor DLL file:
(a) Terminate the EXPLORER.EXE process.
(b) Switch to the command prompt and run the following command:
del %System%\shimgapi.dll
(c) Restart the EXPLORER.EXE process.
(d) Close command prompt.
3. To delete the overwritten hosts file and restore access to the sites blocked by the worm:
(a) Switch to the command prompt and run the following command:
del /F %systemroot%\system32\drivers\etc\hosts [enter]
echo # Temporary HOSTS file >%systemroot%\system32\drivers\etc\hosts [enter]
attrib +R %systemroot%\system32\drivers\etc\hosts [enter]
(b) On Windows NT, reboot after typing these commands.
(c) On Windows 2000, Windows XP, and Windows 2003, do not reboot. Instead, type the following command:
ipconfig /flushdns [enter]
4. Some automated removal tools are available at following sites:
1. Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html
2. F-secure
http://www.f-secure.com/tools/f-mydoom.zip
3. McAfee
http://vil.nai.com/vil/stinger/
Suggestions:
- Always run and maintain anti-virus software
- Do not run programs of unknown origin
Further refer to CERT-In Security Guideline on Anti-Virus Policy & Best Practices.
http://www.cert.org.in/knowledgebase/guidelines/cisg-2003-05.pdf
References
Microsoft
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/alerts/mydoom.asp
US-CERT
http://www.us-cert.gov/cas/techalerts/TA04-028A.html
Anti-Virus vendor sites
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
