*From SANS:
Handler's Diary July 26th 2004
Updated July 27th 2004 01:25 UTC
MyDoom-O hits search engines hard.
Overview
The latest version of MyDoom, which started arriving in people's mail boxes in force today, uses search engines to find more recipients for its message.
Once the virus is started, it searches the user's files for domain names. Once it spots a domain name (e.g. 'example.com'), it queries various search engines for valid e-mail addresses within these domains. These search engines include Lycos, Google, AltaVista, Yahoo and possibly others. Some of the search engines, in particular Google and Lycos, had problems handling the large number of queries. As a result, the search engines did not return any results, or returned error messages.
These MyDoom e-mails arrive in a number of different forms. Some claim to be a bounce caused by a message the user sent earlier; others claim to be a message from the user's ISP stating that the user sent spam and should run the attached file.
The virus may be zipped or a plain executable.
During the day, antivirus vendors added signatures to their signature files. We highly recommend downloading the latest signatures. As this is probably not the last virus of its kind, we recommend reviewing your policy with respect to attachments. Executable attachments should not be permitted. Finding a sensible policy for zip files may be more difficult and should be tailored to your business needs. We recommend PGP-signed e-mail for attachments, or a web-based 'drop box'. A password-encrypted zip file will only help if the password is exchanged in advance, if possible out of band (e.g. by phone). In the past, viruses have used password-encrypted zip files to fool antivirus engines.
Details
MyDoom creates the executable files C:\Windows\services.exe and java.exe, and executes them.
The following URL templates are used to query the search engines. '%s' is replaced with the search string.
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%d
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%d
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%d
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
The User-Agent string is read from the registry and will match the Internet Explorer version installed on the infected host. The full request will look like:
GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+winternals.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: search.lycos.com
Connection: Keep-Alive
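As an added example (not part of the SANS diary), the following Python detector walks constructed proxy-log lines and flags clients that issue the 'mailto+<domain>' searches shown above against the four engines the diary lists; the log line format, client IPs and the two-hit threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Search engines from the diary and the query parameter each URL template uses.
SEARCH_QUERY_PARAMS = {
    "search.lycos.com": "query",
    "www.altavista.com": "q",
    "search.yahoo.com": "p",
    "www.google.com": "q",
}

# Constructed proxy log lines (assumed format: "<client> <method> <url> <user-agent>").
SAMPLE_LOG = """\
10.0.0.5 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.com&nbq=50 Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
10.0.0.5 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+example.com Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
10.0.0.9 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mydoom+removal Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.5 GET http://search.yahoo.com/search?p=mailto+example.org&ei=UTF-8&num=50 Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def harvest_query(url):
    """Return the domain being harvested if the URL is a search-engine query of the
    form 'mailto+<domain>' (as in the request above), otherwise None."""
    parts = urlsplit(url)
    param = SEARCH_QUERY_PARAMS.get(parts.hostname)
    if param is None:
        return None
    for value in parse_qs(parts.query).get(param, []):
        m = re.fullmatch(r"mailto\s+(\S+)", value)  # parse_qs turns '+' into a space
        if m:
            return m.group(1)
    return None


def find_harvesters(log_text, threshold=2):
    """Map client -> harvested domains for clients issuing at least `threshold`
    mailto-style searches; one such query can be a curious user, a burst is not."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, _agent = m.groups()
        domain = harvest_query(url)
        if domain:
            hits.setdefault(client, []).append(domain)
    return {c: d for c, d in hits.items() if len(d) >= threshold}
```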
The virus is UPX packed. After unpacking, the following strings are evident:
(a) Strings that suggest that the virus attempts to decode obfuscated e-mail addresses:
.dot. _dot_ (dot) at _at_ (at) .at.
(b) Mail headers for outbound mail:
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Type: multipart/mixed;
boundary="%s"
MIME-Version: 1.0
Date:
Subject: %s
To: %s
From: %s
(c) Strings that are apparently used to avoid certain e-mail addresses:
mailer-d spam abuse master sample accoun privacycertific bugs listserv submit ntivi support admin page the.bat gold-certs feste help soft site rating your someone anyone nothing nobody noone info winrar winzip rarsoft sf.net sourceforge ripe. arin. google gnu. gmail seclist secur bar. foo.com trend update uslis domain example sophos yahoo spersk panda hotmail msn. msdn. microsoft sarc. syma
MyDoom leaves a log file behind. On our test system, the log file was dropped into C:\Documents and Setting\Locals~1\Temp\zincite.log
Antivirus vendor links:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127033
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://www.f-secure.com/v-descs/mydoom_m.shtml
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39711
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=49861&sind=0
http://www.viruslist.com/eng/alert.html?id=1927068
http://www.grisoft.com/virbase/virbase.php?lng=us&type=web&action=view&qvirus=086fda5c5c9e7000