Win32.Mydoom.A (also known as W32.Novarg.A@mm) worm - warning
Old 27-01-2004, 08:09   #1
Stuartbe
cf.mega poster
Join Date: Jan 2003
Posts: 4,984
Win32.Mydoom.A worm - warning

This has just been sent to me by CA.

Be alert !!!!

------------------------------------------

Virus Alert Notification

Win32.Mydoom.A Worm
Alias: W32.Novarg.A@mm (Symantec),
W32/Mydoom@MM (McAfee),
Win32/Shimg
Category: Win32
Type: Worm
Published Date: 1/26/2004
Last Modified: 1/26/2004


CHARACTERISTICS

Win32.Mydoom.A is a worm spreading via e-mail and the Kazaa P2P file sharing network. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may be included in a ZIP archive.

Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension.

The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:

Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test
Mail Transaction Failed
Server Request
Error

The Message Body may be selected from a list carried by the worm, empty, or consist of randomly-generated, illegible garbage. An example of a Message Body used by the worm:

The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:

Data
Readme
Message
Body
Text
file
doc
document


Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.

Via P2P File Sharing

The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:

nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5

Possible extensions are:

bat
exe
pif
scr

Method of Installation

When executed, the worm copies itself to the %System% directory as taskmon.exe and modifies the registry in order to run at the next system re-start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

The worm also creates a file called SHIMGAPI.DLL in the %System% directory. The dropped DLL registers itself in the registry:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\shimgapi.dll"

Payload

Backdoor Functionality

Win32.Mydoom opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199).

Analysis by Jakub Kaminski

Note: This is a preliminary analysis - further detail will be published as it comes to hand.
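The CA alert above gives a defender a small set of host indicators: the dropped files taskmon.exe and shimgapi.dll in %System%, the Run and CLSID registry values, and a listener on TCP 3127 (or the next free port up to 3199), which is also the port the article quoted further down the thread tells administrators to check first. The script below is an added example, not CA's or the forum's code. It runs those checks over artefacts collected from a host so they can be reviewed offline: a dictionary of registry values, a listing of the System directory and the text of a netstat -an style listing. The input shapes are assumptions, and every sample below is constructed. A file name on its own is weak evidence (Windows 9x ships a legitimate taskmon.exe), so each indicator is reported separately rather than collapsed into one verdict.

```python
"""Host-side check for the Win32.Mydoom.A indicators listed in the CA alert.

Added example, not CA's or the forum's code.  Works on plain data collected
from a host (registry values, a directory listing, netstat text) so it can be
run offline; all sample inputs are constructed for illustration.
"""
import re

# Indicators quoted from the CA alert.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon"
CLSID_KEY = (r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32\[Default]")
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORTS = range(3127, 3200)   # 3127, falling back to 3128-3199

# One 'netstat -an' line with a listening TCP socket; group 1 is the port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def check_registry(values):
    """values: dict of registry path -> data.  Returns matching findings."""
    findings = []
    for key in (RUN_KEY, CLSID_KEY):
        data = values.get(key)
        if data and data.lower().endswith(("taskmon.exe", "shimgapi.dll")):
            findings.append(f"registry: {key} = {data}")
    return findings


def check_system_files(filenames):
    """filenames: names present in %System%.  Returns dropped-file matches."""
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)


def check_listeners(netstat_text):
    """netstat_text: 'netstat -an' output.  Returns listeners in 3127-3199."""
    ports = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            ports.append(int(m.group(1)))
    return ports


def assess(values, filenames, netstat_text):
    """Run all three checks and return one report, one entry per indicator."""
    return {
        "registry": check_registry(values),
        "files": check_system_files(filenames),
        "backdoor_ports": check_listeners(netstat_text),
    }


# Constructed sample artefacts from a hypothetical infected XP host.
SAMPLE_REGISTRY = {
    RUN_KEY: r"C:\Windows\System32\taskmon.exe",
    CLSID_KEY: r"C:\Windows\System32\shimgapi.dll",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe":
        r"C:\Windows\System32\ctfmon.exe",
}
SAMPLE_FILES = ["kernel32.dll", "taskmon.exe", "shimgapi.dll", "notepad.exe"]
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       10.0.0.7:25            ESTABLISHED
"""

if __name__ == "__main__":
    report = assess(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_NETSTAT)
    for section, hits in report.items():
        print(f"{section:15} {hits or 'clean'}")
```

Run as-is it reports against the sample data; on a real host you would feed it the output of reg query, a listing of the System folder and netstat -an. A hit on the Run value together with a listener in 3127-3199 is a far stronger signal than any single file name, which is why the report keeps the three indicator classes apart.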
Old 27-01-2004, 08:14   #2
Jon M
Inactive
Join Date: Oct 2003
Location: East Midlands
Age: 46
Services: Rural BB - Radio Link via Virgin Fibre
Posts: 2,947
Re: Win32.Mydoom.A worm - warning

I had over 500 of these blocked by our mail server filters this morning... you should all be able to get hold of updates from your anti-virus vendors, I suggest doing it ASAP!
Old 27-01-2004, 08:22   #3
Stuartbe
cf.mega poster
Join Date: Jan 2003
Posts: 4,984
Re: Win32.Mydoom.A worm - warning

Quote:
Originally Posted by s1lv3r
I had over 500 of these blocked by our mail server filters this morning... you should all be able to get hold of updates from your anti-virus vendors, I suggest doing it ASAP!
Me too m8.......

The funny thing is that the last email waiting to be sent from Exchange had the warning in it

My Norton gateway software nabbed over 300 of them

( Waits for hundreds of calls from LAN users when they read the notification )

It's going to be a long long day...........
Old 27-01-2004, 08:59   #4
SOSAGES
Inactive
Join Date: Jan 2004
Posts: 2,379
Re: Win32.Mydoom.A worm - warning

I haven't received one virus this year, damn, I'm going to have to get some less secure customers and give my users more power!


This afternoon, antivirus software vendors started tracking a dangerous new worm, dubbed MyDoom. Early indications are that MyDoom is spreading rapidly and clogging up business networks and the Internet. For example, McAfee has rated the virus as "High-Outbreak" for both corporate and consumer users. Symantec rates MyDoom "4," its second highest rating.

The volume of traffic could be much larger than last year's soBig outbreak, which would make this virus worthy of the name soMuchBigger. The sophistication of the virus is a reminder that hackers and virus writers should be treated as criminals and not noble antisocialists. Like Blaster, which delivered a delay mechanism for attacking Microsoft's Windows Update on a certain date, MyDoom has a target: SCO.

The MyDoom outbreak may turn out to be one of the more sophisticated viruses in recent memory. The virus appears to use multiple avenues of attack (e-mail for certain and possibly file-sharing or remote-access programs), harnesses the multitude of infected computers to attack a single host (SCO) and protects the binaries with encryption (to thwart quick antivirus response and damage assessment).

Delivery is via e-mail, typically as a message returned for some error. It's almost habit for more experienced users to open such a mail and its attachment to see which important message got bounced back. The tactic clearly targets the kind of sophisticated user that normally wouldn't open such an e-mail attachment.

Apparently all Windows versions from 95 on are susceptible to MyDoom, but not Linux, Mac OS or Unix. People that use Outlook 2000 SP2 or later are safest, as long as the default settings--these block the kind of attachments carrying MyDoom--haven't been changed. The greater danger would be businesses running older versions of Outlook or consumer PCs using e-mail, say, Outlook Express. Microsoft plans to add attachment blocking to Outlook Express, but that update is months away.

Published warnings from antivirus vendors suggest a dangerous worm potentially capable of spreading through file sharing or allowing remote access through a port opened in infected systems. I would strongly encourage system administrators seeking to eradicate an infection to shut down all unneeded network services and to search for open ports on compromised systems. Network administrators should start by checking port 3127.

I strongly encourage network administrators to quarantine computers and networks immediately. As a general practice, files with the extensions .bat, .exe, .htm, .pif, .scr or .vbs should be blocked at the e-mail client or server.

Antivirus companies are still investigating MyDoom, but what they have found so far indicates the worm will be a tough clean-up. MyDoom changes Windows Registry settings and dumps files in the KaZaA download directory on computers with the peer-to-peer software installed.

http://www.microsoftmonitor.com/archives/002217.html
Old 27-01-2004, 09:02   #5
MetaWraith
Inactive
Join Date: Oct 2003
Location: 2nd CPU to the right & past the cache
Posts: 1,949
Re: Win32.Mydoom.A worm - warning

More Info and a detection tool available here
http://www.datafellows.com/v-descs/novarg.shtml

Removal tool is not yet available, but when it is, it will be available from the same page.
Old 27-01-2004, 09:24   #6
Stuartbe
cf.mega poster
Join Date: Jan 2003
Posts: 4,984
Re: Win32.Mydoom.A worm - warning

Wow, it must be serious - it's made it to the top of CA's most dodgy list
Old 27-01-2004, 10:50   #7
Caspar
Inactive
Join Date: Jun 2003
Location: UK
Posts: 4,988
W32.Novarg.A@mm

Ah!

Discovered on the 26th Jan 04, it's a mass-mailing worm that will perform a DoS on the 1st Feb 04 for 12 days! Target unknown to me.

I've had about 6 reports of this this morning alone.

Read more about it at Symantec
Old 27-01-2004, 11:01   #8
Jon M
Inactive
Join Date: Oct 2003
Location: East Midlands
Age: 46
Services: Rural BB - Radio Link via Virgin Fibre
Posts: 2,947
Re: W32.Novarg.A@mm

Duplicate, Caspar.. sorry mate.. same virus, different name

http://forum.nthellworld.co.uk/showthread.php?t=6885
Old 27-01-2004, 11:04   #9
MetaWraith
Inactive
Join Date: Oct 2003
Location: 2nd CPU to the right & past the cache
Posts: 1,949
Re: W32.Novarg.A@mm

Target Is SCO.COM see my post in the other thread.
Old 27-01-2004, 11:23   #10
Caspar
Inactive
Join Date: Jun 2003
Location: UK
Posts: 4,988
Re: W32.Novarg.A@mm

I need to get up earlier s1lv3r!

At least I spelt your name right tho! :p
Old 27-01-2004, 11:39   #11
Stuartbe
cf.mega poster
Join Date: Jan 2003
Posts: 4,984
Re: Win32.Mydoom.A worm - warning

Quote:
Originally Posted by stuartbe
Wow, it must be serious - it's made it to the top of CA's most dodgy list
AAARG - the helpdesk lines are going mad... My team have lost 78 calls in the last half an hour...... Deep Breath - **$*$*$* £*$*£* $**$*$*$ bloo** w****** son of a **** !!!!!!!........ virus writers

Ahhhhh that's better

I'm going home
Old 27-01-2004, 13:06   #12
Paul
Dr Pepper Addict
Cable Forum Team
Join Date: Oct 2003
Location: Nottingham
Age: 61
Services: Flextel SIP : Sky Mobile : Sky Q TV : VM BB (1000 Mbps) : Aquiss FTTP (330 Mbps)
Posts: 27,730
Re: Win32.Mydoom.A (also known as W32.Novarg.A@mm) worm - warning

You are not alone Stu - we have had a few this morning - a few copies got past our Mailsweepers before they updated - most were then caught by the individual exchange box AV systems but a few got past them as well.

Fortunately no one has run the attachment yet ...... <fingers crossed>
Old 27-01-2004, 13:25   #13
Stuartbe
cf.mega poster
Join Date: Jan 2003
Posts: 4,984
Re: Win32.Mydoom.A (also known as W32.Novarg.A@mm) worm - warning

Quote:
Originally Posted by pem
You are not alone Stu - we have had a few this morning - a few copies got past our Mailsweepers before they updated - most were then caught by the individual exchange box AV systems but a few got past them as well.

Fortunately no one has run the attachment yet ...... <fingers crossed>
I feel for you m8 - we use Symantec Gateway Security and it let 20-30 in overnight. The trouble is that our sales dept. have a policy of "oooo a file - let's double click it and see what happens".

I have stopped the LDAP service for the mo. so if someone does click it at least it won't mail out using the address book.
Old 27-01-2004, 13:43   #14
Jon M
Inactive
Join Date: Oct 2003
Location: East Midlands
Age: 46
Services: Rural BB - Radio Link via Virgin Fibre
Posts: 2,947
Re: Win32.Mydoom.A (also known as W32.Novarg.A@mm) worm - warning

Admins, (pem/stuartbe) you shouldn't really be letting those through even WITHOUT anti-virus filters on the mail server/s.
There should also be filetype filters in place that either block all binary attachments.. or block specific extensions like .cmd, .pif, .bat etc.. also anything with a double extension like .doc.scr for example.
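One way to enforce the gateway policy Jon M describes (block executable extensions outright, and block anything with a double extension such as .doc.scr), using the extension lists given in the CA alert and in the article SOSAGES quoted. This is an added example, not the forum's or any vendor's code; the attachment names, the compound-extension allowlist and the choice to hold .zip archives for scanning rather than pass them are assumptions made for illustration.

```python
"""Gateway attachment policy: blocked extensions plus a double-extension rule.

Added example, not the forum's or any vendor's code.  Extension lists come
from the thread (CA alert, quoted article, Jon M's post); the allowlist,
archive handling and sample names are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Extensions named in the thread: the CA alert (.bat .cmd .pif .exe .scr),
# the quoted article (.htm .vbs) and Jon M's post (.cmd .pif .bat).
BLOCKED_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "vbs", "htm"}
# The alert says the worm may also travel inside a ZIP, so archives are held
# for scanning instead of delivered (assumption: a scanner sits behind us).
HELD_EXTENSIONS = {"zip"}
# Legitimate compound names that would otherwise trip the double-extension
# rule (constructed allowlist; extend it for your own environment).
ALLOWED_COMPOUND = ("tar.gz", "tar.bz2", "tar.xz")

# Two short dot-separated tokens at the end of a name, e.g. ".doc.scr".
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9]{1,5}$")


@dataclass
class Verdict:
    filename: str
    blocked: bool
    reason: str


def extension_of(name):
    """Return the lower-cased final extension, or '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def evaluate_attachment(name, hold_archives=True):
    """Decide whether one attachment name is dropped at the gateway."""
    name = name.strip()          # ignore padding around the name
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(name, True, f"blocked extension .{ext}")
    if name.lower().endswith(tuple("." + c for c in ALLOWED_COMPOUND)):
        return Verdict(name, False, "allowed compound extension")
    if DOUBLE_EXT_RE.search(name):
        return Verdict(name, True, "double extension")
    if ext in HELD_EXTENSIONS and hold_archives:
        return Verdict(name, True, "archive held for scanning")
    return Verdict(name, False, "allowed")


def filter_message(attachment_names, hold_archives=True):
    """Split one message's attachments into (kept, dropped) verdict lists."""
    kept, dropped = [], []
    for n in attachment_names:
        v = evaluate_attachment(n, hold_archives)
        (dropped if v.blocked else kept).append(v)
    return kept, dropped


# Constructed sample: one message carrying harmless and worm-style names.
SAMPLE_ATTACHMENTS = [
    "report.doc", "readme.doc.scr", "body.zip", "photo.jpg",
    "backup.tar.gz", "Message.pif", "status.bat",
]

if __name__ == "__main__":
    kept, dropped = filter_message(SAMPLE_ATTACHMENTS)
    for v in dropped:
        print(f"DROP  {v.filename:20} {v.reason}")
    for v in kept:
        print(f"PASS  {v.filename:20} {v.reason}")
```

The double-extension rule is deliberately blunt, as Jon M's advice is, so legitimate compound names such as .tar.gz need an explicit allowlist. Because the alert notes the worm may arrive inside a ZIP, archives are held rather than passed; that is the conservative choice while vendor signatures are still catching up, and it can be relaxed by calling filter_message with hold_archives=False once the scanner behind the gateway is known to detect the sample.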
Old 27-01-2004, 13:48   #15
Naomi17
Inactive
Join Date: Jan 2004
Posts: 1
Re: Win32.Mydoom.A (also known as W32.Novarg.A@mm) worm - warning

I immunised my system and found 1 in my registry. Help available here

http://www.sophos.com/virusinfo/analyses/w32mydooma.html