W32/Mydoom.E@mm
Analysis
- Virus is 32 bit with a packed file size of 24,576 bytes and is a minor variant of W32/Mydoom.A - the major difference is in the DoS payload routine: this variant continues to DoS the website 'www.sco.com' into the year 2006
- In its unpacked state, the virus carries its strings ROT-13 encoded in an effort to defeat basic string-matching or grep-based techniques for identifying malware (ROT-13 is a trivial letter substitution, not encryption, so the strings are recovered by applying it a second time)
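The following is an added example written for this page, not code from the sample or from Fortinet. It shows why a plain substring scan misses ROT-13 encoded strings and how cheaply a scanner defeats the trick by also searching a de-rotated view of the same bytes. The byte blob is a constructed stand-in built by ROT-13 encoding the indicators named in this analysis; it is not data extracted from the real binary.

```python
"""ROT-13-aware string scan (added example; see lead-in)."""
import codecs
import re

# Indicators named in the analysis above.
INDICATORS = ["taskmon.exe", "shimgapi.dll", "SwebSipcSmtxS0", "www.sco.com"]


def rot13(text: str) -> str:
    """ROT-13 rotates A-Z/a-z by 13 places and is its own inverse."""
    return codecs.encode(text, "rot_13")


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan(data: bytes, indicators=INDICATORS) -> dict:
    """Classify each indicator as found in the raw strings, found only after
    de-rotating a raw string, or absent."""
    raw = printable_strings(data)
    result = {"raw": [], "rot13": [], "missing": []}
    for ind in indicators:
        if any(ind in s for s in raw):
            result["raw"].append(ind)
        elif any(ind in rot13(s) for s in raw):
            result["rot13"].append(ind)
        else:
            result["missing"].append(ind)
    return result


# Constructed stand-in for a stretch of the unpacked binary: NUL-separated
# strings, with the indicators stored ROT-13 encoded as the analysis describes.
# This is not data extracted from the real sample.
SAMPLE = (
    b"\x00" * 8
    + b"\x00".join(rot13(s).encode("ascii") for s in INDICATORS)
    + b"\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    print("raw strings:", printable_strings(SAMPLE))
    print(scan(SAMPLE))
```

Run against SAMPLE, the raw strings show only "gnfxzba.rkr", "fuvztncv.qyy" and similar, so a grep for "taskmon.exe" returns nothing, while scan() reports all four indicators under "rot13".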
- Virus is introduced to the system from one of two possible insertion points: as an email attachment sent from an infected user, or as a binary file downloaded from an infected user through the Kazaa peer-to-peer file sharing application
- The virus contains code to terminate its spreading routine when the system date reaches February 14, 2006
- As with the .A variant, when the virus is run it creates a mutex named "SwebSipcSmtxS0"
- When run, the virus displays unreadable characters in NOTEPAD.EXE as a decoy while, in the background, it writes itself to the system folder (shown here as C:\WINNT\System32) as "taskmon.exe" and modifies the registry to auto-run at the next Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"TaskMon" = C:\WINNT\System32\taskmon.exe
- The virus writes a compressed 5,632-byte DLL to the system folder as "shimgapi.dll" and hijacks an existing COM class registration so that the DLL is loaded at the next Windows startup in place of the legitimate webcheck.dll -
HKEY_CLASSES_ROOT\CLSID\
{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
"(Default)" = C:\WINNT\System32\shimgapi.dll
(original value: %SystemRoot%\System32\webcheck.dll)
- The DLL listens on TCP port 3127 as a backdoor server component - it contains code that can download and run files from the Internet if a specific byte sequence is received on that port
- The virus searches the infected system for target email addresses - when composing a message to a target, the sender address it uses is either a harvested (valid) address or a fabricated one built from an internal list of first names such as the following -
adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
- The virus will not send to addresses that contain any of the following substrings (note that short entries such as "ca", "me" and "no" exclude many otherwise valid addresses) -
accoun
admin
anyone
bugs
ca
certific
contact
feste
gold-certs
help
icrosoft
info
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
webmaster
you
your
.edu
.gov
.mil
abuse
acketst
arin.
avp
berkeley
borlan
bsd
example
fcnz
fido
foo.
fsf.
gnu
google
gov.
hotmail
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
msn.
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
spm
syma
tanford.e
the.bat
unix
usenet
utgers.ed
www
- The virus searches for email addresses in the Windows Address Book and in files with these extensions -
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
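The harvesting and filtering behaviour described in the three lists above (the first-name list, the exclusion substrings and the harvested file extensions), re-implemented as an added example written for this page; it is not the sample's own code and not Fortinet's. The file names, contents and domains are constructed for the demonstration, the Windows Address Book is not modelled, and attaching a fabricated first name to a harvested domain in forge_senders() is this example's assumption, since the analysis only says the sender is either a valid address or one built from the name list.

```python
"""Target harvesting and exclusion filter (added example; see lead-in)."""
import random
import re
from pathlib import PurePath

# Extensions the analysis lists as harvest sources.
HARVEST_EXTENSIONS = {".adb", ".asp", ".dbx", ".htm", ".php", ".pl", ".sht", ".tbb", ".txt"}

# Full exclusion list from the analysis; any address containing one of these is skipped.
AVOID = [
    "accoun", "admin", "anyone", "bugs", "ca", "certific", "contact", "feste",
    "gold-certs", "help", "icrosoft", "info", "listserv", "me", "no", "nobody",
    "noone", "not", "nothing", "ntivi", "page", "postmaster", "privacy", "rating",
    "root", "samples", "service", "site", "soft", "somebody", "someone", "submit",
    "support", "webmaster", "you", "your", ".edu", ".gov", ".mil", "abuse",
    "acketst", "arin.", "avp", "berkeley", "borlan", "bsd", "example", "fcnz",
    "fido", "foo.", "fsf.", "gnu", "google", "gov.", "hotmail", "iana", "ibm.com",
    "icrosof", "ietf", "inpris", "isc.o", "isi.e", "kernel", "linux", "math",
    "mit.e", "mozilla", "msn.", "mydomai", "nodomai", "panda", "pgp", "rfc-ed",
    "ripe.", "ruslis", "secur", "sendmail", "sopho", "spm", "syma", "tanford.e",
    "the.bat", "unix", "usenet", "utgers.ed", "www",
]

# Subset of the internal first-name list shown in the analysis.
FIRST_NAMES = ["adam", "alice", "bob", "dave", "jane", "john", "linda", "mike", "sam", "tom"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_avoided(address: str) -> bool:
    """True if the address contains any excluded substring (case-insensitive)."""
    lowered = address.lower()
    return any(s in lowered for s in AVOID)


def harvest(files: dict) -> list:
    """Collect unique, non-excluded addresses from files with a harvestable extension.

    `files` maps a file name to its raw bytes; binary formats such as .dbx are
    treated as a plain byte stream, which is all a regex scan needs.
    """
    seen = {}
    for name, content in files.items():
        if PurePath(name).suffix.lower() not in HARVEST_EXTENSIONS:
            continue
        for addr in EMAIL_RE.findall(content.decode("latin-1")):
            if not is_avoided(addr):
                seen.setdefault(addr.lower(), addr)
    return list(seen.values())


def forge_senders(targets: list, seed: int, count: int) -> list:
    """Spoofed From addresses: each is either a harvested address or a first
    name from the list at a harvested domain (the domain choice is this
    example's assumption). Seeded so runs are reproducible."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        if rng.random() < 0.5:
            out.append(rng.choice(targets))
        else:
            domain = rng.choice(targets).split("@", 1)[1]
            out.append(f"{rng.choice(FIRST_NAMES)}@{domain}")
    return out


# Constructed files standing in for a victim's disk.
SAMPLE_FILES = {
    "inbox.dbx": b"\x00\x01From: dave@bluesky.test\x00To: postmaster@bluesky.test\x00abuse@bluesky.test\x00",
    "index.htm": b'<a href="mailto:Sandra@bluesky.test">mail</a> <a href="mailto:sales@panda-corp.test">shop</a>',
    "notes.txt": b"call ray@redtree.test, cc jim@bluesky.test and alice@corp.example",
    "report.doc": b"kevin@bluesky.test",  # extension not on the harvest list: never read
}

if __name__ == "__main__":
    targets = harvest(SAMPLE_FILES)
    print("targets:", targets)
    print("forged senders:", forge_senders(targets, seed=7, count=5))
```

The practical point for a defender: postmaster@, abuse@ and anything at an AV vendor or "example" domain never receive a copy, which is why honeypot and vendor mailboxes see this family late, and why the substring "me" alone drops every address at a domain such as corp.example.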
- The virus constructs the email message to trick the recipient into opening the attached file out of curiosity - the message body varies, and suggests that the actual text of the original email is in the attachment
- Emails carry a spoofed "From" field, a random subject line and other fixed properties - body text choices:
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- test
- Attachment file names are variable, and the attachment is in one of the following file formats -
ZIP
SCR
PIF
EXE
BAT
CMD
- The size of ZIP attachments is not constant, because the ZIP headers store the name of the enclosed file and that name differs between copies - the enclosed virus file itself is always the same size, 22,528 bytes
- In some cases, the ZIP attachment contains a file whose name has a double extension padded with many spaces, such as ".rtf [many spaces] .scr", so that the real (executable) extension is pushed out of view in a file listing
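An added example written for this page (not the sample's code and not Fortinet's) that builds constructed ZIP attachments in memory to show two things from the points above: why the attachment size varies with the enclosed file name even though the payload is fixed, and how a mail-gateway check can flag a space-padded double extension such as "document.rtf<many spaces>.scr". The payload is a 22,528-byte stand-in, not the real binary; the flagged-size check is only one signal and is shown as such.

```python
"""Attachment checks for the ZIP tricks described above (added example; see lead-in)."""
import io
import re
import zipfile

EXEC_EXTENSIONS = {".scr", ".pif", ".exe", ".bat", ".cmd"}
MYDOOM_E_ENCLOSED_SIZE = 22528

# A harmless-looking extension, a run of spaces, then an executable extension at the end.
PADDED_DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,5} {2,}\.(scr|pif|exe|bat|cmd)$", re.IGNORECASE)


def make_zip(inner_name: str, payload: bytes) -> bytes:
    """Build a one-entry ZIP (stored, no compression) entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def inspect_attachment(zip_bytes: bytes) -> list:
    """One finding per entry: name, uncompressed size and the reasons it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            # The *last* extension is what Windows would execute, padding spaces and all.
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if PADDED_DOUBLE_EXT.search(name):
                reasons.append("space-padded double extension")
            if info.file_size == MYDOOM_E_ENCLOSED_SIZE:
                reasons.append("enclosed file is 22,528 bytes")
            findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


# Constructed attachments: same stand-in payload, two different inner names.
PAYLOAD = b"MZ" + bytes(MYDOOM_E_ENCLOSED_SIZE - 2)
PLAIN_NAME = "document.rtf"
PADDED_NAME = "document.rtf" + " " * 40 + ".scr"


def size_difference() -> int:
    """Bytes by which the padded-name attachment exceeds the plain one. The name
    is stored twice (local file header and central directory), so the 44 extra
    name characters cost 88 bytes."""
    return len(make_zip(PADDED_NAME, PAYLOAD)) - len(make_zip(PLAIN_NAME, PAYLOAD))


if __name__ == "__main__":
    print("size difference:", size_difference())
    for f in inspect_attachment(make_zip(PADDED_NAME, PAYLOAD)):
        print(repr(f["name"]), f["size"], f["reasons"])
```

Because the name appears in both the local header and the central directory, two copies of the worm with different inner names differ in size by exactly twice the name-length difference, which is why a fixed attachment-size signature is useless here while the uncompressed entry size stays usable.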
- The virus attempts to copy itself to the shared folder of Kazaa, a peer-to-peer file sharing application - commonly the folder is
c:\Program Files\Kazaa\My Shared Folder\
- The files created are given one of the following names -
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5
- The extension is randomly chosen from .bat, .exe, .scr and .pif, giving names such as "nuke2004.bat" or "rootkitXP.scr"
- The virus contains a system date check: if the year is at least 2004 and the date is not later than February 14, 2006, it starts a denial-of-service attack against 'www.sco.com' using simple HTTP GET requests - the attack is persistent, with one request sent every 1024 milliseconds
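An added example written for this page, not the sample's code: in_dos_window() restates the trigger condition given above, and find_periodic_clients() is the defender-side counterpart, a check over proxy log lines that flags any client fetching one URL at the sample's roughly 1024 ms cadence. The log format and lines are constructed for the demonstration.

```python
"""Date-window gate and cadence detector for the DoS behaviour (added example; see lead-in)."""
from datetime import date, datetime
from statistics import median

DOS_START_YEAR = 2004
DOS_END = date(2006, 2, 14)
DOS_PERIOD_S = 1.024


def in_dos_window(today: date) -> bool:
    """True when the sample's date check would start the attack: year >= 2004
    and not later than 14 February 2006 (inclusive)."""
    return today.year >= DOS_START_YEAR and today <= DOS_END


def group_requests(lines: list) -> dict:
    """Map (client, url) to sorted timestamps of its GET requests.
    Constructed line format: '<ISO-8601 time> <client> <method> <url>'."""
    groups = {}
    for line in lines:
        stamp, client, method, url = line.split()
        if method == "GET":
            groups.setdefault((client, url), []).append(datetime.fromisoformat(stamp))
    for times in groups.values():
        times.sort()
    return groups


def find_periodic_clients(lines: list, period: float = DOS_PERIOD_S,
                          tolerance: float = 0.05, min_requests: int = 5) -> list:
    """Flag (client, url) pairs whose median inter-request gap is within
    `tolerance` seconds of `period`. Median rather than mean, so a single
    retransmit or logging hiccup does not mask the cadence."""
    hits = []
    for (client, url), times in group_requests(lines).items():
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            hits.append({"client": client, "url": url, "requests": len(times),
                         "median_gap": round(median(gaps), 3)})
    return hits


# Constructed proxy log: 10.0.0.5 shows the 1024 ms pattern, 10.0.0.9 is ordinary browsing.
LOG_LINES = [
    "2004-02-03T10:00:00.000 10.0.0.5 GET http://www.sco.com/",
    "2004-02-03T10:00:00.000 10.0.0.9 GET http://intranet.test/",
    "2004-02-03T10:00:01.024 10.0.0.5 GET http://www.sco.com/",
    "2004-02-03T10:00:02.048 10.0.0.5 GET http://www.sco.com/",
    "2004-02-03T10:00:03.072 10.0.0.5 GET http://www.sco.com/",
    "2004-02-03T10:00:04.096 10.0.0.5 GET http://www.sco.com/",
    "2004-02-03T10:00:07.000 10.0.0.9 GET http://intranet.test/",
    "2004-02-03T10:00:05.120 10.0.0.5 GET http://www.sco.com/",
    "2004-02-03T10:00:30.000 10.0.0.9 GET http://intranet.test/",
    "2004-02-03T10:00:31.000 10.0.0.9 POST http://intranet.test/login",
    "2004-02-03T10:01:02.000 10.0.0.9 GET http://intranet.test/",
    "2004-02-03T10:01:03.000 10.0.0.9 GET http://intranet.test/",
]

if __name__ == "__main__":
    print("in window on 2004-02-03:", in_dos_window(date(2004, 2, 3)))
    print(find_periodic_clients(LOG_LINES))
```

On a real proxy log the tolerance should be widened to absorb jitter from the client's scheduler and the proxy's timestamp resolution, and min_requests raised so that a page with a 1 s auto-refresh does not trip it; the per-URL grouping is what keeps ordinary browsing out of the result.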
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, block external-to-internal communication to TCP port 3127 (the backdoor listener opened by shimgapi.dll)
Detection Availability
Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR | 
Version Updates
Date | Version | Detail |
---|---|---|
2021-06-29 | 87.00261 | |
2021-06-01 | 86.00601 | |
2021-04-15 | 85.00468 | |
2020-11-27 | 82.15100 | Sig Added |
2020-08-25 | 79.88800 | Sig Updated |
2020-08-04 | 79.38400 | Sig Updated |
2020-05-28 | 77.75800 | Sig Updated |
2020-05-03 | 77.16300 | Sig Added |
2019-12-31 | 74.20000 | Sig Updated |
2019-11-19 | 73.20000 | Sig Added |