[Dshield] FW: [Full-Disclosure] Hello Mydoom

Johannes B. Ullrich jullrich at sans.org
Thu Jan 29 16:43:19 GMT 2004


On Thu, 2004-01-29 at 10:42, Micheal Patterson wrote:
> I'd like to know if this can be confirmed. So far, none of the systems that
> I'm in control over have been hit by either the A or B version.

> > 1. use restricted usernames to send email to and from
There is a list of usernames in the file, and it appears to pull from
it to generate e-mail addresses. E.g. if it finds 'x at example.com' in
your web cache, it will also send mail to 'bob at example.com' and other
common first names.

The 'From' address uses a similar scheme.

> > 2. encode strings with ROT13 method

Yes, this is true. Some of the strings are "encrypted" using ROT13.

> > 3. create a mutex called 'SwebSipcSmtxSO' when ran
Don't know.

> > 4. transform in taskmon.exe and
Yes. It will hide itself as 'taskmon.exe' and 'explorer.exe'.


> > 4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
> >    "TaskMon" = %sysdir%\taskmon.exe
> > 4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
> >    "TaskMon" = %sysdir%\taskmon.exe
It changes a number of other registry keys. These two are obviously
added so it will start itself on reboot.

> > 5. add %sysdir%\shimgapi.dll
> >   open ports 3127/tcp - 3198/tcp
I only see it open port 3127. But others report this port range as well.

> > 6. stops spreading February 12
Don't know; have to check. But I heard this from others as well.

> > 7. spreads through KaZaA and Electronic Mail System
Yes, true. It uses some enticing filenames (e.g. 'crack_office') to
trick users into downloading it from Kazaa. Not sure how important this
vector is.

> > It was also unknown that the virus infects the BIOS of the computer it
> > infects by injecting a 624-byte backdoor written in FORTH which will
> > open port tcp when Mydoom will be executed AFTER February 12.

I think this BIOS stuff is typical full-disclosure BS.

Analyzing a virus like this is not always perfect, and I expect to see a
few more details coming along over the next few days. For example, the
exact conditions that trigger the DDoS are not quite understood IMHO.

But given that the virus is rather compact, I don't expect too many
surprises.





CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
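As an added illustration (not code from the post, the list, or the worm itself), the following Python shows two of the behaviours discussed above: recovering ROT13-obfuscated strings from a binary blob (point 2) and the way a harvested address is expanded into <common-name>@domain targets (point 1). The sample "binary" and the list of first names are constructed for the example; the post only names 'bob', so the real name list is not reproduced here. The indicator strings come from the post.

```python
import codecs
import re
import string

# Indicators named in the post above.
INDICATORS = ("taskmon.exe", "explorer.exe", "shimgapi.dll", "crack_office")

# Constructed stand-in for the worm's built-in first-name list (assumption:
# the post only mentions 'bob'; the real list is not on the page).
COMMON_NAMES = ["bob", "alice", "john", "mary", "admin"]

# Printable ASCII minus the control whitespace, for a strings(1)-style scan.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def printable_strings(blob: bytes, min_len: int = 6):
    """Yield runs of at least min_len printable ASCII bytes from blob."""
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def rot13(s: str) -> str:
    """ROT13 is its own inverse, so this both obfuscates and recovers."""
    return codecs.decode(s, "rot13")


def find_obfuscated_indicators(blob: bytes) -> dict:
    """Map each indicator that appears only after ROT13 decoding to the raw
    string it was found in. Plaintext hits are deliberately excluded so the
    result shows what a plain strings(1) pass would have missed."""
    hits = {}
    for s in printable_strings(blob):
        plain = s.lower()
        decoded = rot13(s).lower()
        for ind in INDICATORS:
            if ind in decoded and ind not in plain:
                hits[ind] = s
    return hits


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def expand_targets(harvested_text: str, names=COMMON_NAMES) -> list:
    """Model point 1 of the post: every address found in harvested text is
    kept, and each of its domains also gets <common-name>@domain."""
    targets = set()
    for m in EMAIL_RE.finditer(harvested_text):
        targets.add(m.group(0).lower())
        domain = m.group(1).lower()
        for n in names:
            targets.add(f"{n}@{domain}")
    return sorted(targets)


# Constructed sample: junk bytes, one plaintext import, two ROT13'd names and
# one plaintext lure filename. Not a real MyDoom sample.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    + b"kernel32.dll\x00"
    + rot13("taskmon.exe").encode() + b"\x00\x00"
    + rot13("shimgapi.dll").encode() + b"\x00\xff\xfe"
    + b"crack_office\x00"
)

if __name__ == "__main__":
    for ind, raw in find_obfuscated_indicators(SAMPLE_BLOB).items():
        print(f"{raw!r} -> {ind}")
    print(expand_targets("saw x@example.com and Jane.Doe@Example.ORG in cache"))
```

A plain `strings` run over the sample shows `gnfxzba.rkr` and `fuvztncv.qyy`, which is why the obfuscated names are only caught after the ROT13 pass; `crack_office` is in the clear and is reported by the plain scan.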


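As a second added example (again not from the post or the list), this Python turns the host-side indicators from points 4.1, 4.2 and 5 into a triage check over exported data: Run-key entries, `netstat -an` output and a file listing. The inputs are constructed here so it runs offline; on a real host you would feed it the exported registry values and the actual netstat and directory output. The port check covers the full 3127-3198 range reported by others, even though the author saw only 3127; %sysdir% is assumed to be C:\WINDOWS\system32.

```python
import re

# Indicators from the post. explorer.exe is a legitimate filename, so it is
# not matched on name alone here.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE = "TaskMon"
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
BACKDOOR_PORTS = range(3127, 3199)   # 3127/tcp - 3198/tcp as reported
SYSDIR = r"C:\WINDOWS\system32"     # assumed %sysdir%


def check_run_keys(entries) -> list:
    """entries: iterable of (key, value_name, data) tuples as exported from
    the registry. Flags a TaskMon value under either Run key that points at
    taskmon.exe, regardless of directory."""
    keys = {k.lower() for k in RUN_KEYS}
    findings = []
    for key, name, data in entries:
        if (key.lower() in keys and name.lower() == RUN_VALUE.lower()
                and data.lower().endswith("taskmon.exe")):
            findings.append(f"{key}\\{name} = {data}")
    return findings


# Windows 'netstat -an' line:  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def check_listeners(netstat_output: str) -> list:
    """Return the distinct TCP listening ports that fall in the backdoor range."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            ports.add(int(m.group(1)))
    return sorted(ports)


def check_files(listing) -> list:
    """Return full paths whose basename is one of the dropped filenames."""
    return sorted({p for p in listing
                   if p.lower().rsplit("\\", 1)[-1] in DROPPED_FILES})


def triage(entries, netstat_output, listing) -> dict:
    run = check_run_keys(entries)
    ports = check_listeners(netstat_output)
    files = check_files(listing)
    return {"run_keys": run, "ports": ports, "files": files,
            "suspicious": bool(run or ports or files)}


# Constructed sample data for an infected host; not captured from a real machine.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEYS[0], "TaskMon", SYSDIR + r"\taskmon.exe"),
    (RUN_KEYS[1], "TaskMon", SYSDIR + r"\taskmon.exe"),
    (RUN_KEYS[0], "Updater", r"C:\Program Files\Example\updater.exe"),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:25            ESTABLISHED
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:3127           *:*
"""
SAMPLE_FILES = [
    SYSDIR + r"\taskmon.exe",
    SYSDIR + r"\shimgapi.dll",
    r"C:\WINDOWS\explorer.exe",
    SYSDIR + r"\kernel32.dll",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_RUN_ENTRIES, SAMPLE_NETSTAT, SAMPLE_FILES).items():
        print(f"{k}: {v}")
```

The three checks are kept separate on purpose: a listener in the port range without the Run value or the dropped files is worth a look but is not on its own the signature described in the post, and the combined `suspicious` flag is only a convenience for batch runs.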