[TriLUG] [Fwd: Fw: VIRUS ALERT - Mydoom.BB]

Dan Monjar dan at daijin.dissimulo.com
Thu Feb 17 08:52:13 EST 2005


to pummel the expired equine.... *this* is why I strip a bunch of 
attachments, regardless of who the computer works for.

-------- Original Message --------

VIRUS ALERT - Mydoom.BB
17/02/2005
A new worm, Mydoom.BB, a variant of Mydoom, is beginning to spread
this morning. This alert will be updated on the web site:
https://www.lexsi.com/abonnes/warn.php?id=111


Worm Names
************
W32.Mydoom.AX@mm [Symantec], WORM_MYDOOM.BB [Trend Micro], W32/Mydoom.bb@MM
[McAfee], W32/MyDoom.AQ@mm [Norman], MyDoom.BB [F-Secure]


Priority
********
Medium


Impacts
*******
This new worm spreads itself via email.


Analysis
********
Mydoom.BB spreads itself by sending an email with the following characteristics:

- Source address of the message:
The source address of the message is chosen randomly. It may not correspond
to the real sender's address.

- Attachment:
"ATTACHMENT"
"DOCUMENT"
"FILE"
"INSTRUCTION"
"LETTER"
"MAIL"
"MESSAGE"
"README"
"TEXT"
"TRANSCRIPT"

With the following extensions:
.bat
.cmd
.com
.exe
.pif
.scr
.zip

- Subjects:
"The original message was included as attachment"
"The/Your m/Message could not be delivered"
"hello"
"hi error"
"status"
"test"
"report"
"delivery failed"
"Message could not be delivered"
"Mail System Error - Returned Mail"
"Delivery reports about your e-mail"
"Returned mail: see transcript for details"
"Returned mail: Data format error"

When the virus is launched, it creates the following files:
- %Windir%\java.exe
- %Windir%\services.exe (backdoor)

and adds the following registry keys in order to be launched at each system
startup:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

"JavaVM" = "%Windir%\java.exe"
"Services" = "%Windir%\services.exe"


The worm gathers email addresses in the following files:
- .pl*
- .ph*
- .tx*
- .ht*
- .asp
- .sht
- .adb
- .dbx
- .wab


Vulnerable Products
*****************
Windows 95
Windows 98
Windows Me
Windows NT
Windows 2000
Windows 2003
Windows XP


Solution
*********
New signature files for antivirus products are available or will be
available soon. It is necessary to update the antivirus urgently.

In order to prevent an infection, do not execute the attachment of the
email (the virus does not exploit a security vulnerability to execute the
attachment automatically).

While waiting for virus definitions, it is possible to create a filter rule
on the attachments with extensions .exe, .bat, .cmd, .com, .pif, .scr and
.zip.

To identify infected machines locally, it is possible to verify the
existence of the following registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
"JavaVM" = "%Windir%\java.exe"
"Services" = "%Windir%\services.exe"


CSI team.
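The alert above suggests a stop-gap mail filter on attachment extensions while signatures catch up. The following is an added example (not part of the original post or of the Lexsi alert) showing such a filter in Python: it parses one RFC 822 message, quarantines attachments whose extension is on the alert's list, annotates hits whose base name is also on the alert's list, and checks the subject against the alert's subject lines. It goes one step beyond the alert's strict rule by looking inside .zip attachments instead of dropping every archive; the sample message, addresses and archive contents are constructed for the demonstration and contain no real malware.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the forwarded Lexsi alert: attachment base names,
# attachment extensions and subject lines used by Mydoom.BB.
BASE_NAMES = {"attachment", "document", "file", "instruction", "letter",
              "mail", "message", "readme", "text", "transcript"}
EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}
EXECUTABLE_EXTS = EXTENSIONS - {".zip"}
SUBJECTS = {
    "the original message was included as attachment",
    "hello", "hi error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}


def split_name(filename):
    """Lower-case (stem, ext) of a file name; 'README.EXE' -> ('readme', '.exe')."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, "." + ext


def classify_attachment(filename, payload):
    """Return a reason to quarantine this attachment, or None if it passes."""
    stem, ext = split_name(filename)
    on_list = " (name is on the Mydoom.BB list)" if stem in BASE_NAMES else ""
    if ext in EXECUTABLE_EXTS:
        return f"blocked extension {ext}{on_list}"
    if ext == ".zip":
        # Design choice: the alert's strict rule drops every .zip; here we
        # look inside and quarantine only archives carrying an executable.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if split_name(member)[1] in EXECUTABLE_EXTS:
                        return f"zip contains executable {member}{on_list}"
        except zipfile.BadZipFile:
            return f"malformed zip{on_list}"
    return None


def scan_message(raw_bytes):
    """Parse one RFC 822 message and report subject and attachment hits."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(filename, payload)
        if reason:
            hits.append((filename, reason))
    return {"subject_match": subject in SUBJECTS, "attachments": hits}


def build_sample_message():
    """Constructed test message shaped like the alert's profile (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "random.sender@example.com"   # the alert: sender is forged
    msg["To"] = "user@example.com"
    msg["Subject"] = "Mail System Error - Returned Mail"
    msg.set_content("The original message was included as attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

A gateway that follows the alert literally would add `.zip` back to `EXECUTABLE_EXTS`; the archive inspection shown here trades that bluntness for a check that still catches the worm's own packaging, but it does not decode nested or password-protected archives.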

-- 
Dan Monjar
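The alert's last section says an infected machine can be identified by the two Run values it lists. As an added example (not from the original post or the alert), here is a Python checker that parses captured `reg query` output for the two Run keys and reports values whose name and target file name match the alert's indicators; the text layout it parses (one indented `Name  REG_SZ  Data` line per value under each key line) is the layout reg.exe prints, and the sample output below is constructed for the demonstration.

```python
import re
from collections import namedtuple

# Run keys and value names taken from the forwarded alert.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# value name (lower-cased) -> file name the alert says it points at
INDICATORS = {"javavm": "java.exe", "services": "services.exe"}

# One 'reg query' value line: "    Name    REG_SZ    Data" (reg.exe layout).
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

Hit = namedtuple("Hit", "key name data")


def find_mydoom_run_values(reg_output):
    """Return Run-key values whose name and file name match the alert's indicators."""
    current_key = None
    hits = []
    for line in reg_output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Key lines start at column 0 with the hive name; values are indented.
        if not line[0].isspace() and stripped.upper().startswith("HKEY_"):
            current_key = stripped
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        if current_key.lower() not in RUN_KEYS:
            continue
        name, _reg_type, data = m.groups()
        # Compare only the file name so %Windir% vs. C:\WINDOWS does not matter.
        exe = data.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if INDICATORS.get(name.lower()) == exe:
            hits.append(Hit(current_key, name, data))
    return hits


# Constructed sample of 'reg query' output from a machine showing the alert's
# two values next to unrelated, benign entries.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    JavaVM    REG_SZ    C:\WINDOWS\java.exe
    Services    REG_SZ    C:\WINDOWS\services.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for hit in find_mydoom_run_values(SAMPLE_REG_OUTPUT):
        print(f"{hit.key}: {hit.name} = {hit.data}")
```

Matching on the value name plus the file name (rather than the full path) keeps the check usable whether the output shows `%Windir%` or an expanded `C:\WINDOWS`; a Run value named `Services` pointing at any `services.exe` is worth a look, since the real service control manager is not started from a Run key.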


