W32/MyDoom.BJ@mm
Analysis
This variant of MyTob is very similar to existing variants in that it is coded using Visual C, and contains instructions to spread to other systems using SMTP email.
If the threat is run manually, it will open Notepad with "garbage" text in a seemingly random pattern, read from a text file written to the %Temp% folder as "message.txt". This is common with MyDoom variants and is a distraction from what is going on in the background. While the user is attempting to interpret what the characters might mean, the virus copies itself to the hard drive, loads into memory and performs its coded functions.
The virus also has the following characteristics -
- function as a backdoor Trojan
- steal logon passwords to an online financial institution based in China
- copy itself to the share folder for the P2P app Kazaa
Loading at Windows startup
The virus will copy itself to the local system -
c:\WINNT\system32\svch0st.exe (362,016 bytes)
c:\WINNT\system32\WINLOG0N.EXE (435,232 bytes)
c:\WINNT\system32\wxapi.dll (37,888 bytes)
The virus will register itself to load at Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Systems" = C:\WINNT\System32\svch0st.exe
"WINLOG0N" = C:\WINNT\System32\WINLOG0N.EXE
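As an added defender-side example (not part of the original analysis), the Python below parses a constructed .reg export of the Run key listed above and flags entries by the indicators in this section: the known value names, the dropped file names, and the o-for-0 look-alike naming (svch0st.exe, WINLOG0N.EXE). The sample export and its benign "Sound" entry are constructed, not captured from an infected host.

```python
import re

# Indicators from the analysis above; IMITATED lists the legitimate binaries the o->0 names mimic.
DROPPED_FILES = {"svch0st.exe", "winlog0n.exe", "wxapi.dll"}
RUN_VALUE_NAMES = {"systems", "winlog0n"}
IMITATED = {"svchost.exe", "winlogon.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def lookalike_of(filename):
    """Return the legitimate name a file imitates via o->0 substitution, else None."""
    lower = filename.lower()
    canon = lower.replace("0", "o")
    return canon if canon in IMITATED and canon != lower else None

def parse_run_key(reg_text):
    """Parse a .reg export and return {value_name: command} for the HKLM Run key."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:  # .reg files double every backslash inside string values
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def scan_run_entries(entries):
    """Flag Run values whose name or target matches the indicators above."""
    findings = []
    for name, command in entries.items():
        exe = command.strip('"').rsplit("\\", 1)[-1]
        reasons = []
        if name.lower() in RUN_VALUE_NAMES:
            reasons.append("known value name")
        if exe.lower() in DROPPED_FILES:
            reasons.append("known dropped file")
        if lookalike_of(exe):
            reasons.append("imitates " + lookalike_of(exe))
        if reasons:
            findings.append((name, exe, reasons))
    return findings

# Constructed sample export (not a real capture); the third entry is benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systems"="C:\\WINNT\\System32\\svch0st.exe"
"WINLOG0N"="C:\\WINNT\\System32\\WINLOG0N.EXE"
"Sound"="C:\\WINNT\\System32\\sndvol32.exe"
'''
```

Calling `scan_run_entries(parse_run_key(SAMPLE_REG))` returns the two malicious entries with all three reasons each and leaves the benign entry unflagged.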
Password Stealing Routine
The virus monitors access to the following web site -
https://mybank.icbc.com.cn/icbc/perbank/index.jsp
Logon credentials for this site are captured and emailed to the address 'trgonbonb@163.pbz' (presumably the author of the password-stealing code) using a built-in SMTP engine within the virus. Near the password-stealing code, the virus contains the following string, which is never displayed -
GET-Taobao And Bank For Svch0st
Kazaa Share Routine
The virus will use the registry to locate the share folder for the peer-to-peer application Kazaa and copy itself there under any or all of the following file names -
office_sn
do_love_photo
strip-girlsex_movies
gril_photo
MSN2005-final
winamp6
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files with certain extensions. This virus appears to have borrowed the same harvest and exclusion routines found in the W32/Mydoom virus family. Email addresses are harvested from files with these extensions -
- wab
- adb
- tbb
- dbx
- asp
- php
- sht
- htm
- txt
The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings. The email message is crafted using hard-coded values stored in the encrypted virus body. The "From" address is spoofed and could contain any of the following names as a prefix to the email address -
sandra@
linda@
julie@
jimmy@
jerry@
helen@
debby@
claudia@
brenda@
anna@
alice@
brent@
adam@
ted@
fred@
jack@
bill@
stan@
smith@
steve@
matt@
dave@
dan@
joe@
jane@
bob@
robert@
peter@
tom@
ray@
mary@
serg@
brian@
jim@
maria@
leo@
jose@
andrew@
sam@
george@
david@
kevin@
mike@
james@
michael@
alex@
john@
The virus carries hard-coded subject lines and message bodies, and sends email with varying texts.
The possible subject lines are selected from these choices -
- Do love
- What doy you feel like doing tonight honey?
- do love photo
- I love you more than the stars above.
- Do you love me?
- Honey,our do love
- please give me a kiss
- my photo
The possible body texts are selected from these choices -
- If I marry you,there are going to be some ground rules.
- Sweetheart, i love you more than i can say!
- I love you more than the stars above.
- Give more photo of my.
The possible file names of the email attachment are any of the following, and may have a .ZIP file extension -
- youbody
- youmessage
- youtest
- youdata
- youfile
- youtext
- youdoc
- dolove
- photo
Miscellaneous
When the virus is running in memory, it has the following mutex associated with it -
Winwebrenlanq0
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
FortiClient systems:
- Quarantine/Delete infected files detected