CERT-In: Indian Computer Emergency Response Team

CERT-In Incident Note CIIN-2004-02

W32/Mydoom@MM

Original Issue Date: January 27, 2004
Revised date: January 28, 2004

Severity: High

Type: Worm

Aliases: W32.Novarg.A@mm, Win32/Shimg, WORM_MIMAIL.R, W32/Mydoom.A.worm, Win32:Mydoom [Wrm], Worm/MyDoom.A2, I-Worm.Win32.Mydoom.22528, I-Worm.Novarg, W32/Mydoom.A@mm, Win32.HLLM.MyDoom.32768

Affected System Software:

  • Microsoft Windows 2003
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows NT 4.0
  • Microsoft Windows 9X
  • Microsoft Windows ME

Overview

W32/Mydoom@MM is a mass-mailing worm that:

  • spreads over email and Kazaa P2P networks
  • when executed, opens Windows Notepad displaying garbage data
  • installs a backdoor on the compromised system
  • launches a DoS attack against a web site at a fixed time in the future

Impact

The worm clogs network traffic and opens ports on the infected system.

Description

This is a mass-mailing and a peer-to-peer file-sharing worm that arrives in an email message as follows:

From: (spoofed email sender)
Subject: (Varies, such as)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

Body: (Varies, such as)

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

Examples (common names, but can be random):

  • doc.bat
  • document.zip
  • message.zip
  • readme.zip
  • text.pif
  • hello.cmd
  • body.scr
  • test.htm.pif
  • data.txt.exe
  • file.scr

The icon used by the file tries to make it appear as if the attachment is a text file.
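The message characteristics above translate directly into a mail-gateway check. The following is an added example (not CERT-In's code, and not any vendor's detection logic): it parses a message with Python's standard `email` library and reports the indicators the note describes: an attachment carrying one of the listed executable extensions (including double extensions such as test.htm.pif), an executable packed inside a ZIP attachment, and the 22,528-byte attachment size. The sample messages are constructed in the block; their "attachments" are zero-filled blobs, not the worm.

```python
"""Mail-gateway triage for the W32/Mydoom@MM message pattern (added example)."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

EXEC_EXTS = (".bat", ".exe", ".pif", ".cmd", ".scr")  # extensions listed in the note
WORM_SIZE = 22528                                      # attachment size given in the note


def _executable_name(name: str) -> bool:
    # endswith() on the whole name also catches double extensions (test.htm.pif, data.txt.exe).
    return name.lower().endswith(EXEC_EXTS)


def mydoom_indicators(raw_message: bytes) -> list:
    """Return human-readable indicator strings for one RFC 822 message."""
    msg = message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _executable_name(name):
            findings.append(f"executable attachment: {name}")
            if len(payload) == WORM_SIZE:
                findings.append(f"{name} is {WORM_SIZE} bytes")
        elif name.lower().endswith(".zip"):
            # The note says the file often arrives inside a ZIP archive: look inside.
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if _executable_name(info.filename):
                            findings.append(f"executable {info.filename} inside {name}")
                            if info.file_size == WORM_SIZE:
                                findings.append(f"{info.filename} is {WORM_SIZE} bytes")
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip attachment: {name}")
    return findings


def build_sample(attachment_name: str, data: bytes, zipped: bool) -> bytes:
    """Construct a sample message in the shape the note describes (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # the real worm spoofs this header
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding "
                    "and has been sent as a binary attachment.")
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(attachment_name, data)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="message.zip")
    else:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: zero-filled blobs of the note's size, not the worm itself.
SAMPLE_ZIPPED = build_sample("message.pif", b"\0" * WORM_SIZE, zipped=True)
SAMPLE_DIRECT = build_sample("text.pif", b"\0" * WORM_SIZE, zipped=False)
SAMPLE_BENIGN = build_sample("notes.txt", b"hello\n", zipped=False)

if __name__ == "__main__":
    for label, raw in (("zipped", SAMPLE_ZIPPED), ("direct", SAMPLE_DIRECT), ("benign", SAMPLE_BENIGN)):
        print(label, mydoom_indicators(raw))
```

At a real gateway the raw message bytes would come from the MTA's filter hook instead of `build_sample`; the subject and body strings are deliberately not used as indicators, since the note says they vary.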

The worm copies itself to the Kazaa Shared Directory with the following filenames:

  • nuke2004
  • office_crack
  • rootkitXP
  • strip-girl-2.0bdcom_patches
  • activation_crack
  • icq2004-final
  • winamp

Remote Access Component

The worm opens a listening socket on TCP port 3127, suggesting remote access capabilities.

Denial of Service Payload

On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against a particular website. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.

Symptoms

  • Listens on TCP ports in the range 3127-3198.
  • Presence of the file shimgapi.dll in the WINDOWS SYSTEM directory.

Workaround

  • Block the TCP ports in the range 3127-3198 at the perimeter level.
  • For an additional layer of protection, users are advised to deploy a personal firewall on their system. This helps stop the spread of the worm to other systems by blocking its ability to use email.

Solution

Removal Instructions:

1. Registry:

(a) Edit the registry and delete the following:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe

HKEY_USERS\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %sysdir%\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

(b)  Reboot the system

2. To remove the backdoor DLL file:

  1. Terminate the EXPLORER.EXE process.
  2. Switch to the command prompt and run the following command:
        del %System%\shimgapi.dll
  3. Restart the EXPLORER.EXE process.
  4. Close command prompt.

3. Some automated removal tools are available at the following sites:

A free tool to remove this worm can be found at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html

http://www.f-secure.com/tools/f-mydoom.zip
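Before and after running the removal steps above, an administrator usually wants a quick way to confirm whether the indicators from the Symptoms and Solution sections are present on a host. The following is an added example (not CERT-In's code and not one of the vendor tools linked above). It checks three things the note lists: TCP ports 3127-3198 in LISTENING state, parsed from `netstat -an` output; the "TaskMon" Run value pointing at taskmon.exe and the Explorer\ComDlg32\Version marker keys, parsed from a `.reg`-format registry export; and the presence of shimgapi.dll in the system directory. The netstat output and registry export embedded below are constructed sample data; on a real host you would feed it captured `netstat -an` output and a registry export (assumed here to have been saved to text) plus the real system directory.

```python
"""Host indicator check for W32/Mydoom@MM (added example, not CERT-In's code)."""
import os
import re

BACKDOOR_PORTS = range(3127, 3199)   # 3127-3198 inclusive, as given in the note
BACKDOOR_DLL = "shimgapi.dll"
RUN_VALUE = "taskmon"                # "TaskMon" Run value, compared case-insensitively
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
MARKER_KEY_SUFFIX = r"\explorer\comdlg32\version"

# Matches a Windows `netstat -an` line such as:
#   TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_backdoor_ports(netstat_text: str) -> list:
    """Return the TCP ports in the Mydoom range that are in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) in BACKDOOR_PORTS:
            ports.add(int(m.group(2)))
    return sorted(ports)


def suspicious_registry_entries(reg_export: str) -> list:
    """Return (key, detail) pairs for the registry indicators listed in the note."""
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            # The note lists the ComDlg32\Version keys for deletion; report their presence.
            if current_key.lower().endswith(MARKER_KEY_SUFFIX):
                findings.append((current_key, "marker key present"))
            continue
        if current_key is None or not line.startswith('"'):
            continue
        name, _, data = line.partition("=")
        if (current_key.lower().endswith(RUN_KEY_SUFFIX)
                and name.strip('"').lower() == RUN_VALUE
                and "taskmon.exe" in data.lower()):
            findings.append((current_key, line))
    return findings


def backdoor_dll_present(system_dir: str) -> bool:
    """True if shimgapi.dll exists in the given Windows system directory."""
    return os.path.isfile(os.path.join(system_dir, BACKDOOR_DLL))


def scan(netstat_text: str, reg_export: str, system_dir: str) -> dict:
    """Run all three checks; 'infected' is True if any indicator fires."""
    result = {
        "listening_ports": listening_backdoor_ports(netstat_text),
        "registry": suspicious_registry_entries(reg_export),
        "dll_present": backdoor_dll_present(system_dir),
    }
    result["infected"] = bool(result["listening_ports"] or result["registry"] or result["dll_present"])
    return result


# Constructed sample `netstat -an` output: two backdoor listeners, one established
# session on 3127 (not a listener), and port 3199, which is outside the range.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3127       192.168.1.9:1234       ESTABLISHED
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
"""

# Constructed sample .reg export: the TaskMon Run value, a benign Run value, and the marker key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
@=""
"""

if __name__ == "__main__":
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    print(scan(SAMPLE_NETSTAT, SAMPLE_REG_EXPORT, system_dir))
```

The port check is deliberately limited to LISTENING entries: an ESTABLISHED connection on 3127 could be an outbound client, whereas a listener in that range on a workstation is the backdoor behaviour the note describes.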

Suggestions:

  • Always run and maintain anti-virus software
  • Do not run programs of unknown origin

Further refer to CERT-In Security Guideline on Anti-Virus Policy & Best Practices.

References

Antivirus Vendors

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003