Threat Encyclopedia


Win32/Mydoom.BI

Introduction  

Win32/Mydoom.BI is a typical mass-mailing e-mail worm. It is 32804 bytes in size, written in Microsoft Visual C++ and runtime-compressed with Upack. The worm contains a backdoor component that allows an attacker to control a compromised system.

Installation and Autostart Techniques

Upon execution the worm copies itself into the %System% folder as "M0USE.exe".

Note: %System% denotes the Windows system directory (e.g. C:\WINDOWS\SYSTEM32); its location differs between versions of Microsoft Windows.

The worm adds the following registry values so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Userinterface Report3r" = "M0USE.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"Userinterface Report3r" = "M0USE.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"Userinterface Report3r" = "M0USE.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "Explorer.exe M0USE.exe"

Note: The worm continuously checks for the presence of these registry values and recreates them if they have been removed.

Mydoom.BI also modifies the following registry value in order to lower the security settings of the compromised system:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "4"

Note: This disables the integrated Windows Firewall, so outgoing connections are no longer seen by the Windows Firewall. The default value is "Start" = "3".
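
A defender checking a machine for the persistence and firewall indicators above needs little more than a comparison of registry values. The following script is an added example (not code from the write-up or its author): it parses a snapshot in the text format written by `reg export`, so it runs offline against the constructed sample embedded in it; on a live host the same dictionary would be filled from the `winreg` module. The SharedAccess "Start" value of 4 corresponds to a disabled service, which is why the check treats it as the indicator.

```python
"""Check a registry snapshot for the Mydoom.BI persistence and firewall-disable indicators.

Added example (not part of the write-up): the checks take a snapshot in the
text format produced by `reg export`, so they run offline against the
constructed sample below; on a live host the same dictionary would be
filled from the winreg module.
"""
import re

# Indicators taken from the write-up above (compared case-insensitively).
WORM_FILE = "m0use.exe"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SERVICE_DISABLED = 4   # Start value the worm writes; 3 (manual start) is the default

# Constructed snapshot in `reg export` syntax; the suspicious values mirror the write-up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Userinterface Report3r"="M0USE.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe M0USE.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''


def parse_reg_export(text):
    """Parse reg-export text into {key (lower-case): {value name (lower-case): data}}.

    Only the two data types that matter here are handled: quoted strings
    (with the doubled backslashes unescaped) and dword:XXXXXXXX integers.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'"(.*?)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def find_indicators(snapshot):
    """Return a list of (category, key, value name, data) for every indicator present."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if isinstance(data, str) and WORM_FILE in data.lower():
                findings.append(("autostart", key, name, data))
    shell = snapshot.get(WINLOGON_KEY, {}).get("shell")
    # A legitimate Shell value is just "Explorer.exe"; anything appended is a hijack.
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("shell", WINLOGON_KEY, "shell", shell))
    start = snapshot.get(SHAREDACCESS_KEY, {}).get("start")
    if start == SERVICE_DISABLED:
        findings.append(("firewall", SHAREDACCESS_KEY, "start", start))
    return findings


if __name__ == "__main__":
    for category, key, name, data in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{category}] {key}\\{name} = {data!r}")
```

Because the worm recreates its values when they are deleted, the check is worth re-running after the worm process itself has been stopped (removal steps below); a clean snapshot yields an empty findings list.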

 

DNS resolving

The worm performs DNS MX (mail exchange) queries to find a suitable mail server for each domain it tries to send itself to. If the MX lookup for a domain fails, the worm guesses the mail server name by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.  
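
The MX query followed by a burst of A lookups for the prefixed host names is visible in DNS logs, and that sequence is what a network defender can alert on. The following detection logic is an added example (not from the write-up): the log format (time, client IP, query type, name) is constructed for the sample, and the thresholds are assumptions chosen for illustration, not values taken from the worm.

```python
"""Spot the MX-lookup-then-prefix-guessing pattern in DNS query logs.

Added example, not from the write-up: the log format below is constructed
(time, client IP, query type, name), and the thresholds are assumptions
chosen for illustration rather than values taken from the worm.
"""
from collections import defaultdict

# Prefixes the write-up lists for the fallback guessing.
PREFIXES = ("gate.", "mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.")

# Constructed log excerpt: one host behaves like the worm, one does ordinary lookups.
SAMPLE_LOG = """\
10:00:01 192.168.1.23 MX example.org
10:00:01 192.168.1.23 A gate.example.org
10:00:01 192.168.1.23 A mx.example.org
10:00:02 192.168.1.23 A mail.example.org
10:00:02 192.168.1.23 A smtp.example.org
10:00:03 192.168.1.23 MX example.net
10:00:03 192.168.1.23 A gate.example.net
10:00:03 192.168.1.23 A mx.example.net
10:00:03 192.168.1.23 A mail.example.net
10:00:04 192.168.1.40 MX example.com
10:00:05 192.168.1.40 A www.example.com
10:00:06 192.168.1.40 A mail.example.com
"""


def parse_log(text):
    """Yield (client, qtype, name) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, client, qtype, name = parts
            yield client, qtype.upper(), name.lower().rstrip(".")


def find_guessing_clients(log_text, min_prefixes=3, min_domains=2):
    """Return {client: [domains]} for clients that, besides an MX query for a
    domain, looked up at least `min_prefixes` of the guessed host names for
    at least `min_domains` distinct domains."""
    mx_domains = defaultdict(set)   # client -> domains queried for MX
    a_names = defaultdict(set)      # client -> names queried for A records
    for client, qtype, name in parse_log(log_text):
        if qtype == "MX":
            mx_domains[client].add(name)
        elif qtype == "A":
            a_names[client].add(name)

    flagged = {}
    for client, domains in mx_domains.items():
        hits = []
        for domain in domains:
            guessed = {prefix + domain for prefix in PREFIXES}
            if len(guessed & a_names[client]) >= min_prefixes:
                hits.append(domain)
        if len(hits) >= min_domains:
            flagged[client] = sorted(hits)
    return flagged


if __name__ == "__main__":
    print(find_guessing_clients(SAMPLE_LOG))
```

A single `mail.` lookup after an MX query is normal client behaviour, which is why the thresholds require several of the prefixes for several domains before a client is flagged; tune them to the mail traffic of the environment.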

 

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses from files whose extension matches one of the following:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl, *.txt, *.xml, *.cgi, *.jsp

Note: However, this extension list is largely ineffective, because the worm has a bug in the way it concatenates the file name returned in WIN32_FIND_DATA and compares it against the list.

As a result, the worm opens and scans a file for e-mail addresses as soon as its extension occurs, as a contiguous sequence of characters, inside one of the extensions in the list.

In technical terms, the worm compares the file extension with an "instring"/substring function rather than testing for equality.

Example: The worm will therefore search for e-mail addresses in files whose extension is *.htm, but also in files with the extension *.ht or *.h.
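
The difference between the intended equality test and the substring comparison is easiest to see side by side. The following model is an added example, not the worm's code: `intended_match` is the check the extension list suggests, `buggy_match` models the substring ("instring") comparison the write-up says the worm performs, and the directory listing is constructed. Treating files without any extension as non-matching is an assumption of this model.

```python
"""Reproduce the extension-matching bug the write-up describes.

Added example, not the worm's code: `intended_match` is the check the
extension list suggests, `buggy_match` models the substring ("instring")
comparison the write-up says the worm actually performs. Treating files
without any extension as non-matching is an assumption of this model.
"""

# Extension list from the write-up, without the leading "*.".
HARVEST_EXTENSIONS = ("wab", "adb", "tbb", "dbx", "asp", "php", "sht",
                      "htm", "pl", "txt", "xml", "cgi", "jsp")


def extension_of(filename):
    """Lower-cased text after the last dot, or None when there is no dot."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else None


def intended_match(filename):
    """Equality test: the file is scanned only if its extension is in the list."""
    ext = extension_of(filename)
    return ext is not None and ext in HARVEST_EXTENSIONS


def buggy_match(filename):
    """Substring test: the file is scanned if its extension occurs anywhere
    inside one of the listed extensions, e.g. "h" inside "htm" or "php"."""
    ext = extension_of(filename)
    return ext is not None and any(ext in allowed for allowed in HARVEST_EXTENSIONS)


def compare(filenames):
    """Return (files the list was meant to cover, files the buggy check also opens)."""
    intended = [f for f in filenames if intended_match(f)]
    extra = [f for f in filenames if buggy_match(f) and not intended_match(f)]
    return intended, extra


# Constructed directory listing.
SAMPLE_FILES = ["contacts.wab", "index.htm", "main.h", "notes.t", "script.pl",
                "photo.jpg", "readme.txt", "lib.x", "config.ini", "Makefile"]

if __name__ == "__main__":
    meant, extra = compare(SAMPLE_FILES)
    print("intended:", meant)
    print("opened only because of the bug:", extra)
```

For an incident responder the practical consequence is that files far outside the published list (C headers, files with one-letter extensions) are read by the worm, so harvested addresses may come from sources the extension list would not suggest.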

 

Windows Address Book harvesting

The worm locates the Windows Address Book via the following registry value:

Software\Microsoft\WAB\WAB4\Wab File Name

It then enumerates all entries in the address book and tries to send a copy of itself to every stored e-mail address.

Note: This registry path is stored in encrypted form in the worm binary.

 

E-mail Sender

The sender e-mail addresses are spoofed and may appear to come from a familiar source.

The worm may also generate sender addresses using the following list of names:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other email addresses.

The worm will not send e-mails to addresses that contain one of the following strings:

root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page

and/or the following strings in the destination domain name:

avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., berkeley, unix, math, bsd, mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, tanford.e, utgers.ed, mozilla

 

E-mail subjects

Mydoom.BI randomly selects an e-mail subject from the following list:

Notice of account limitation
Email Account Suspension
Security measures
Members Support
Important Notification
Warning Message: Your services near to be closed.
Your Account is Suspended For Security Reasons
*DETECTED* Online User Violation
Your Account is Suspended
Your new account password is approved
You have successfully updated your password
Your password has been successfully updated
Your password has been updated  

Note: The e-mail subjects are stored ROT13-encoded in the worm.

The ROT13 algorithm rotates every alphabetic character by 13 positions within the alphabet.

In other words, the ASCII value of each letter is incremented or decremented by 13, wrapping around at the end of the alphabet; because 13 is half of 26, applying ROT13 a second time restores the original text.
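
ROT13 hides strings from a casual `strings` dump but not from an analyst who tries the rotation on every printable string and keeps the ones that turn into words. The following is an added example, not code from the write-up: `rot13` implements the rotation described above, and `find_rot13_strings` shows that analysis step. The sample strings are constructed by encoding subjects from the list above; the marker word list is an assumption.

```python
"""ROT13 as used for the worm's subject strings, plus the way an analyst spots it.

Added example, not code from the write-up: `rot13` implements the rotation
described above, and `find_rot13_strings` shows the analysis trick of
decoding every printable string from a binary and keeping those that turn
into recognisable words. The strings below are constructed by encoding
subjects from the write-up; the marker word list is an assumption.
"""
import string

_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
# Each letter maps to the one 13 places further on (wrapping); other bytes pass through.
_ROT13_TABLE = str.maketrans(
    _UPPER + _LOWER,
    _UPPER[13:] + _UPPER[:13] + _LOWER[13:] + _LOWER[:13],
)


def rot13(text):
    """Rotate letters by 13; applying it twice yields the original text."""
    return text.translate(_ROT13_TABLE)


# Words an analyst would expect in phishing-style subjects (assumed list).
MARKER_WORDS = {"account", "password", "security", "your", "notification"}


def find_rot13_strings(strings, marker_words=MARKER_WORDS):
    """Return [(encoded, decoded)] for strings whose ROT13 form contains a marker word."""
    hits = []
    for s in strings:
        decoded = rot13(s)
        words = {w.strip(".,:!*").lower() for w in decoded.split()}
        if words & marker_words:
            hits.append((s, decoded))
    return hits


# Constructed sample: strings as they might appear in a strings dump of a
# binary, some of them ROT13-encoded subjects taken from the list above.
SAMPLE_STRINGS = [
    "KERNEL32.dll",
    rot13("Notice of account limitation"),     # "Abgvpr bs nppbhag yvzvgngvba"
    rot13("Your Account is Suspended"),
    "M0USE.exe",
    rot13("Email Account Suspension"),
]

if __name__ == "__main__":
    for encoded, decoded in find_rot13_strings(SAMPLE_STRINGS):
        print(f"{encoded!r} -> {decoded!r}")
```

Only letters are rotated, so digits and punctuation in an encoded string (the "32" in a DLL name, the dots in a file name) survive unchanged and are themselves a hint that a string is rotated text rather than random data.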

 

Message Body

The e-mail message body contains no text (it is blank).

E-mail Attachments

The worm attaches a copy of itself under one of the following file names:

document
account-report
readme
account-info
email-details
account-details
important-details
accepted-password
account-password
approved-password
password
new-password
email-password
updated-password

with one of the following file extensions:

exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first extension by a large number of spaces, so that the executable file extension is hidden from view:

pif
scr
exe

Example: attachment "document.zip" may contain the file "document.txt { spaces }.scr"
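
A mail gateway can catch this trick by collapsing whitespace in member names before reading the extension. The following is an added example (not from the write-up): `classify_name` judges a single file name, `scan_zip` applies it to every member of a ZIP archive, and the sample archive is built in memory with member names modelled on the example above. The decoy and executable extension sets are those the write-up lists.

```python
"""Detect attachment names that hide an executable extension behind spaces.

Added example, not from the write-up: `classify_name` applies to a single
file name, `scan_zip` to every member of a ZIP archive. The sample archive
is constructed in memory with names modelled on the example above.
"""
import io
import re
import zipfile

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif"}   # extensions the write-up lists
DECOY_EXTENSIONS = {"htm", "txt", "doc"}


def classify_name(name):
    """Return "disguised-executable", "executable" or "other".

    Whitespace is removed before the extensions are read, so padding such as
    "document.txt          .scr" is seen as document.txt.scr: an executable
    extension with a decoy document extension in front of it.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    padded_before_dot = re.search(r"\s+\.", base) is not None
    collapsed = re.sub(r"\s+", "", base)
    parts = collapsed.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "other"
    if padded_before_dot or (len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS):
        return "disguised-executable"
    return "executable"


def scan_zip(zip_bytes):
    """Return [(member name, verdict)] for every file in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, classify_name(info.filename))
                for info in zf.infolist() if not info.is_dir()]


def build_sample_zip():
    """Constructed attachment: a padded decoy name plus ordinary members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 60 + ".scr", b"not really a screensaver")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("account-report.htm.pif", b"double extension, no padding")
        zf.writestr("setup.exe", b"openly executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:22s} {member!r}")
```

The check deliberately keys on whitespace immediately before a dot rather than on any space in the name, so an ordinary "my file.exe" is reported as a plain executable and not as disguised; policy for plain executables inside archives is a separate decision.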

 


Hostfile Manipulation

It overwrites the existing hosts file with the following data to prevent access to these sites:

127.0.0.1 ebay.com
127.0.0.1 www.ebay.com
127.0.0.1 www.moneybookers.com
127.0.0.1 moneybookers.com
127.0.0.1 paypal.com
127.0.0.1 www.paypal.com
127.0.0.1 www.amazon.fr
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.com
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 pandasoftware.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com

Note: The manipulated hosts file blocks access to all listed servers by redirecting requests for them to the local machine (IP 127.0.0.1).
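
The same redirection is easy to detect generically: any hosts entry that sends a name other than the local host to a loopback address is suspicious, whatever the vendor list of the day looks like. The following is an added example, not from the write-up: `find_sinkholed` reports such entries and `clean_hosts` removes them while keeping every other line. The sample hosts file is constructed; the list of names legitimately mapped to loopback is an assumption that can be extended per host.

```python
"""Find and undo hosts-file entries that sink names to the loopback address.

Added example, not from the write-up: `find_sinkholed` reports entries that
point a name other than the local host at 127.0.0.1 or ::1, `clean_hosts`
removes them. The sample file is constructed.
On Windows the real file lives at %System%\drivers\etc\hosts.
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}   # legitimately loopback (assumed)

# Constructed sample: a stock header, the legitimate localhost line, three
# sinkholed vendor names modelled on the list above, and an intranet entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
192.168.1.10    fileserver intranet
"""


def parse_line(line):
    """Return (ip, [names]) for a mapping line, or None for comments and blank lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    ip, *names = body.split()
    return ip, names


def find_sinkholed(hosts_text, extra_local_names=()):
    """Return [(line number, ip, name)] for names sent to loopback that are not the local host."""
    allowed = LOCAL_NAMES | {n.lower() for n in extra_local_names}
    found = []
    for lineno, line in enumerate(hosts_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, names = parsed
        if ip in LOOPBACK:
            found.extend((lineno, ip, n) for n in names if n.lower() not in allowed)
    return found


def clean_hosts(hosts_text, extra_local_names=()):
    """Return the hosts text with every sinkholed line removed; other lines are untouched."""
    bad_lines = {lineno for lineno, _, _ in find_sinkholed(hosts_text, extra_local_names)}
    kept = [line for i, line in enumerate(hosts_text.splitlines(), start=1)
            if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

A whole line is dropped only when it contains a flagged name, so comments, the localhost entry and internal mappings survive, which makes the cleaned output a reasonable stand-in for the "clean copy" the removal steps ask for.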

 

Backdoor component

The worm also provides IRC backdoor functionality with the following capabilities:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer

It tries to connect to the following IRC server:

name.turkintikamtugayi.com via TCP port 7745. Over this connection the worm receives commands from the attacker.

Quick-step removal

Step 1: Make sure you are using the latest NOD32 version with the latest virus signature updates
Step 2: Disable the System Restore function under Windows ME / Windows XP
Step 3: Perform a full system scan and delete all detected viral files
Step 4: Remove all registry values that were added by the malware
Step 5: Restore all registry values that were altered to their original values
Step 6: Replace the hosts file with a clean copy, or delete all entries and save it

Note: After scanning, don't forget to re-enable the System Restore function.

History: Analysis and Write-up by: Michael St. Neitzel