W32/Mydoom.L@mm
Analysis
Specifics
The virus is a 32-bit executable with a packed file size of
50,176 bytes and is a minor variant of W32/Mydoom.K@mm. This
variant does not perform a DoS against websites, nor does it
attempt to delete files. The virus contains its own SMTP
engine to send itself to others, and it also makes itself
available in the shared folder of Kazaa, a popular
peer-to-peer file sharing application. It also writes a
short keylogger component to the infected system under a
random .DLL file name such as "vefpmwf.dll".
Loading into memory
When the virus is run, it copies itself to the System32
folder as "RUNDLL6.exe" and then registers itself to
auto-run at each Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"rundll" = C:\WINNT\System32\rundll6.exe
The virus also writes the file "shimgapi.dll" into the System32 folder and then changes an existing registry key so that this .DLL is loaded -
HKEY_CLASSES_ROOT\CLSID\
{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = C:\WINNT\System32\shimgapi.dll
Original value: %SystemRoot%\System32\webcheck.dll
The file "shimgapi.dll" acts as a server, listening on TCP port 3127. This allows the virus to potentially receive file updates, or to receive and execute arbitrary programs.
Email Spreading Capability
The virus can send itself to numerous email addresses
discovered on the infected machine by an address-harvesting
routine. It collects addresses from files with the
following extensions -
wab
pl
adb
tbb
dbx
asp
php
sht
htm
The virus will avoid using email addresses which have any of these strings in the domain or prefix -
root
be_loyal:
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
microsoft
ruslis
nodomai
mydomai
abuse
www
fcnz
spm
Email Creation Routine
For each address found, the virus will craft an email
with varied subject line and body text, with a spoofed
"From" address. The "From" may contain
names from this list -
sandra
linda
julie
jimmy
jerry
helen
debby
Claudia
The body text is one of these -
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has
been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII
encoding and has been sent as a binary attachment.
- Test
The attachment will have one of these extensions -
.bat, .cmd, .exe, .pif or .scr
and may use a double extension such as
.doc.exe
.htm.pif
.txxt.scr
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, enable blocking of
these file extensions for the SMTP, POP3 and IMAP
services - .bat, .cmd, .exe, .pif and .scr
- Using the FortiGate manager, create a service named
"Mydoom" and assign it to TCP port 3127, then enable
blocking of this service for External to Internal
communication
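As an added defender-side example (not Fortinet's code and not part of the original write-up), the following Python checks a registry export and a set of listening ports for the host indicators described above, and applies the recommended attachment-extension block to attachment names. It assumes a REGEDIT4-style text export and a caller-supplied set of listening TCP ports; the registry excerpt inside it is constructed.

```python
import re

# Indicators are the ones the analysis above lists; the registry sample below is constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")
BACKDOOR_PORT = 3127
BLOCKED_EXT = {".bat", ".cmd", ".exe", ".pif", ".scr"}

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {value: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # unescape \\ in data
    return keys

def host_findings(reg_text, listening_ports):
    """Return findings for the persistence entry, the CLSID hijack and the port 3127 listener."""
    reg, findings = parse_reg_export(reg_text), []
    for name, data in reg.get(RUN_KEY, {}).items():
        if data.lower().endswith("\\rundll6.exe"):
            findings.append(f"Run value '{name}' launches {data}")
    inproc = reg.get(CLSID_KEY, {}).get("(Default)", "")
    if inproc.lower().endswith("shimgapi.dll"):
        findings.append(f"InProcServer32 points at {inproc}; expected webcheck.dll")
    if BACKDOOR_PORT in listening_ports:
        findings.append(f"listener on TCP {BACKDOOR_PORT}")
    return findings

def is_blocked_attachment(filename):
    """Gateway check matching the recommended extension block; the final suffix decides,
    so double extensions such as report.doc.exe or page.htm.pif are caught as well."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", filename.strip())
    return bool(m) and m.group(1).lower() in BLOCKED_EXT

# Constructed excerpt of what an infected host's registry export would contain.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll"="C:\\WINNT\\System32\\rundll6.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINNT\\System32\\shimgapi.dll"
'''
```

Calling `host_findings(SAMPLE_REG, {135, 3127})` returns one finding per indicator; an export whose InProcServer32 still points at webcheck.dll and no 3127 listener returns an empty list.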