W32/MyDoom.BI@mm
Analysis
- Creates a mutex named -=RTSW.Smash 0a2a1=-.
- Copies itself to the System folder as lsasrv.exe.
- Drops the following clean files to the System folder:
- version.ini
- hserv.exe
- Mes#wtelw
Registry Modification
Adds the value
lsass = "%SYSTEM%\lsasrv.exe", where %SYSTEM% refers to the System folder
to the registry subkeys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds the following registry subkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellSmash
Adds the value
Shell = "explorer.exe %SYSTEM%\lsasrv.exe", where %SYSTEM% refers to the System folder
to the registry subkeys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
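The persistence artifacts listed above can be checked from a defender's side. The following PowerShell script is an added example, not part of the original analysis; it assumes it is run with administrator rights on the host being examined and that the System folder (the page's %SYSTEM% placeholder) resolves to $env:SystemRoot\System32. The Winlogon Shell check deliberately flags any value other than a bare "explorer.exe", not only the exact string this variant writes.

```powershell
# Added example: look for the W32/MyDoom.BI@mm persistence artifacts named on this page.
# Assumption: run elevated; %SYSTEM% is taken to be $env:SystemRoot\System32.
$SystemDir    = Join-Path $env:SystemRoot 'System32'
$DroppedFiles = @('lsasrv.exe', 'version.ini', 'hserv.exe', 'Mes#wtelw')
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$WinlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key value named "lsass" (the name imitates the legitimate lsass.exe).
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['lsass']) {
        $Findings.Add("Run value 'lsass' in $key -> $($props.lsass)")
    }
}

# 2. Winlogon Shell hijack: the default is exactly "explorer.exe"; anything else
#    (including "explorer.exe <path>") means another binary starts with the shell.
foreach ($key in $WinlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $Findings.Add("Winlogon Shell in $key is '$shell'")
    }
}

# 3. Marker subkey and dropped files from the analysis.
if (Test-Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellSmash') {
    $Findings.Add('Subkey Explorer\ShellSmash exists')
}
foreach ($name in $DroppedFiles) {
    $path = Join-Path $SystemDir $name
    if (Test-Path -LiteralPath $path) { $Findings.Add("File present: $path") }
}

# 4. Mutex check: OpenExisting throws when the mutex does not exist,
#    and UnauthorizedAccessException when it exists but cannot be opened.
try {
    $m = [System.Threading.Mutex]::OpenExisting('-=RTSW.Smash 0a2a1=-')
    $m.Dispose(); $Findings.Add('Mutex -=RTSW.Smash 0a2a1=- present (worm likely running)')
} catch [System.Threading.WaitHandleCannotBeAcquiredException] {
} catch [System.UnauthorizedAccessException] { $Findings.Add('Mutex exists, access denied') }

if ($Findings.Count -eq 0) { 'No W32/MyDoom.BI@mm persistence artifacts found.' }
else { $Findings | ForEach-Object { "FINDING: $_" } }
```

A hit on the Winlogon Shell check alone is worth triage even when the other checks are clean, since that value is rarely changed legitimately.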
Email Propagation
- Sends emails to the addresses it finds, except email addresses that contain certain strings, such as:
- .gov
- .mil
- account
- acketst
- admin
- anyone
- arc
- arin.
- avp
- berkley
- borlan
- bsd
- bugs
- ca
- certific
- contact
- example
- feste
- The email has the following format:
From: any of various names, such as:
- Abdulrazak
- Ackerman
- Adams
- Addison
- Adelstein
- Adibe
- Adorno
- Ahlers
- Alavi
- Alcorn
- Aleks
- Allison
- Alongi
- Altavilla
- Altenberger
- Altenhofen
- Amaral
- Amatangelo
Subject: can be empty or any of the following:
- Attention!!!
- Do not reply to this email
- Error
- Good day
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
Message body: any of various statements, such as:
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- Bad Gateway: The message has been attached.
Attachment name: [Filename].[Extension]
[Filename] can be any of the following:
- body
- message
- docs
- data
- file
- rules
- doc
- readme
- document
[Extension] can be any of the following:
- bat
- cmd
- exe
- pif
- scr
- zip
Peer-to-peer Propagation
- Attempts to copy itself to the share folder of the following peer-to-peer applications:
- Kazaa
- Morpheus
- iMesh
- eDonkey
- LimeWire
- The filename can be any of the following:
- porno
- NeroBROM6.3.1.27
- avpprokey
- Ad-awareref01R349
- winxp_patch
- adultpasswds
- dcom_patches
- K-LiteCodecPack2.34a
- activation_crack
- icq2004-final
- winamp5
Backdoor/Trojan Behavior
- Blocks access to the following security-related websites:
- www.symantec.com
- securityresponse.symantec.com
- symantec.com
- www.sophos.com
- sophos.com
- www.mcafee.com
- mcafee.com
- liveupdate.symantecliveupdate.com
- www.viruslist.com
- viruslist.com
- www.f-secure.com
- f-secure.com
- kaspersky.com
- kaspersky-labs.com
- www.avp.com
- avp.com
- www.kaspersky.com
- www.networkassociates.com
- networkassociates.com
- www.ca.com
- ca.com
- mast.mcafee.com
- www.my-etrust.com
- my-etrust.com
- download.mcafee.com
- dispatch.mcafee.com
- secure.nai.com
- www.nai.com
- nai.com
- update.symantec.com
- updates.symantec.com
- us.mcafee.com
- liveupdate.symantec.com
- customer.symantec.com
- rads.mcafee.com
- www.trendmicro.com
- trendmicro.com
- www.grisoft.com
- grisoft.com
- Attempts to kill the following processes:
- bbeagle.exe
- d3dupdate.exe
- i11r54n4.exe
- irun4.exe
- msblast.exe
- mscvb32.exe
- navapw32.exe
- navw32.exe
- netstat.exe
- outpost.exe
- pandaavengine.exe
- penis32.exe
- rate.exe
- ssate.exe
- sysinfo.exe
- sysmonxp.exe
- taskmon.exe
- teekids.exe
- wincfg32.exe
- winsys.exe
- winupd.exe
- zapro.exe
- zonealarm.exe
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability

Product | Signature Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |