[Dshield] FW: [Full-Disclosure] Hello Mydoom

Joe Stewart jstewart at lurhq.com
Fri Jan 30 21:16:06 GMT 2004


On Friday 30 January 2004 1:41 pm, Bjorn Stromberg wrote:
> Could you be more specific. What are the conditions that need to be
> met in order for this virus to GET www.sco.com ? For both versions
> please.

For Mydoom.A:

Beginning of DDoS date check subroutine:

4A3DB0 PUSH EBP                                 ;  callCreateSCOddos
4A3DB1 MOV EBP,ESP
4A3DB3 SUB ESP,10


Get the current system time as a FILETIME struct:

4A3DB6 LEA EAX,DWORD PTR SS:[EBP-8]
4A3DB9 PUSH EAX
4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]


Convert the stored DoS start date from SystemTime to FileTime:

4A3DC0 LEA EAX,DWORD PTR SS:[EBP-10]
4A3DC3 PUSH EAX
4A3DC4 MOV EAX,DWORD PTR SS:[EBP+8]
4A3DC7 ADD EAX,214                              
4A3DCC PUSH EAX                                  ; Feb 1, 2004
4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]


Compare high-order dword dwHighDateTime:

4A3DD3 MOV EAX,DWORD PTR SS:[EBP-4]
4A3DD6 CMP EAX,DWORD PTR SS:[EBP-C]
4A3DD9 JB SHORT <message.skipDoS>    


Compare low-order dword dwLowDateTime:

4A3DDB MOV EAX,DWORD PTR SS:[EBP-8]
4A3DDE CMP EAX,DWORD PTR SS:[EBP-10]
4A3DE1 JB SHORT <message.skipDoS>


Start the DoS:

4A3DE3 CALL <message.createSCOddos>             ; DoS_Loop
4A3DE8 PUSH 400
4A3DED CALL DWORD PTR DS:[<&KERNEL32.Sleep>]
4A3DF3 JMP SHORT <message.DoS_Loop>
4A3DF5 LEAVE                                    ; skipDos
4A3DF6 RETN

From MSDN:
The FILETIME structure is a 64-bit value representing the number of 
100-nanosecond intervals since January 1, 1601 (UTC).

typedef struct _FILETIME {
  DWORD dwLowDateTime;
  DWORD dwHighDateTime;
} FILETIME, *PFILETIME;

The stored starttime as filetime is:
0xbe9ecb00
0x01c3e8dd

Because the dwords are compared independently, the DoS will not start 
anytime the current dwLowDateTime is less than 0xbe9ecb00, no matter 
what the dwHighDateTime is. Obviously, this is close to three-quarters 
of the time.

Below is an example of how the timing will affect the startup of the 
DoS. Start systemtime to Stop systemtime defines a timeframe during 
which the DoS threads can be started if the system is rebooted or the 
virus is first run.

Start systemtime: 2004/02/01 16:09:18
Stop systemtime: 2004/02/01 16:11:07
Start systemtime: 2004/02/01 16:16:27
Stop systemtime: 2004/02/01 16:18:17
Start systemtime: 2004/02/01 16:23:36
Stop systemtime: 2004/02/01 16:25:26
.. repeat pattern until expiration

For Mydoom.B, the date comparison bug still holds, with the further 
addition of a randomized check:

4A5020 CALL <mydoomb.multiplyTickCount>
4A5025 MOVZX EAX,AX
4A5028 PUSH 64
4A502A CDQ
4A502B POP ECX
4A502C IDIV ECX
4A502E CMP EDX,14
4A5031 JL SHORT <mydoomb.skipDos>

This will skip the DoS attack if the remainder of a pseudo-random byte 
value divided by 100 is less than 20, or around 23.5% of the time. So, 
even if the system time is within the 25% window of opportunity, the 
DoS will only start 76.5% of those times.

> Is it possible that either version of the virus could send GET
> messages before Feb. 1st (assuming correct clocks) ?

No.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
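As an added example (not part of the post above or of LURHQ's analysis), the following Python models the two trigger checks described in the message. The stored start value 0x01c3e8dd:0xbe9ecb00, the dword-by-dword comparison with JB on each half, and the Mydoom.B "remainder of division by 100 is less than 20" gate are taken from the listings; everything else (function names, the FILETIME conversion helpers, the window enumeration) is this example's own. The output of `multiplyTickCount` is not reproduced: `mydoom_b_skips` takes the value that would be left in AX as a parameter, and the skip probability is computed exactly for a value of a given bit width rather than assumed.

```python
"""Model of the Mydoom.A / Mydoom.B DDoS trigger checks (added example)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # per the MSDN definition quoted in the post
TICKS_PER_SEC = 10_000_000                          # FILETIME unit is 100 ns
MASK32 = 0xFFFFFFFF

# Stored start date from the post, as high:low dwords (0x01c3e8dd, 0xbe9ecb00).
MYDOOM_A_START_FT = (0x01C3E8DD << 32) | 0xBE9ECB00


def to_filetime(dt: datetime) -> int:
    """SystemTimeToFileTime equivalent: 100 ns intervals since 1601-01-01 UTC."""
    td = dt.astimezone(UTC) - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * TICKS_PER_SEC + td.microseconds * 10


def ft_at(y: int, mo: int, d: int, h: int, mi: int, s: int) -> int:
    """Convenience: FILETIME for a UTC wall-clock time."""
    return to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=UTC))


def from_filetime(ft: int) -> datetime:
    """FileTimeToSystemTime equivalent (truncates to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split(ft: int):
    """Return (dwHighDateTime, dwLowDateTime)."""
    return ft >> 32, ft & MASK32


def mydoom_a_should_dos(now_ft: int, start_ft: int = MYDOOM_A_START_FT) -> bool:
    """The check as disassembled: each dword is compared on its own, JB skips."""
    now_hi, now_lo = split(now_ft)
    start_hi, start_lo = split(start_ft)
    if now_hi < start_hi:       # 4A3DD9 JB skipDoS
        return False
    if now_lo < start_lo:       # 4A3DE1 JB skipDoS  (bug: fires even when now_hi > start_hi)
        return False
    return True                 # 4A3DE3 createSCOddos / Sleep(0x400) loop


def correct_should_dos(now_ft: int, start_ft: int = MYDOOM_A_START_FT) -> bool:
    """What a true 64-bit comparison (e.g. CompareFileTime) would have done."""
    return now_ft >= start_ft


def fraction_of_time_active(start_ft: int = MYDOOM_A_START_FT) -> float:
    """After the start date the buggy check passes only while dwLowDateTime >= stored low."""
    _, start_lo = split(start_ft)
    return ((1 << 32) - start_lo) / (1 << 32)


def dos_windows(start_ft: int = MYDOOM_A_START_FT, count: int = 3):
    """First `count` FILETIME intervals [open, close) in which the DoS can be started.

    Each wrap of dwLowDateTime (every 2**32 * 100 ns, about 429.5 s) opens a new
    window of length 2**32 - stored_low; this reproduces the Start/Stop table above.
    """
    start_hi, start_lo = split(start_ft)
    length = (1 << 32) - start_lo
    windows = []
    for k in range(count):
        open_ft = ((start_hi + k) << 32) | start_lo
        windows.append((open_ft, open_ft + length))
    return windows


def mydoom_b_skips(ax_value: int) -> bool:
    """Mydoom.B gate: MOVZX EAX,AX ; CDQ ; IDIV 100 ; CMP EDX,20 ; JL skipDos."""
    return (ax_value & 0xFFFF) % 100 < 20


def mydoom_b_skip_probability(bits: int) -> float:
    """Exact probability the gate skips for a uniformly random value `bits` wide."""
    n = 1 << bits
    return sum(1 for v in range(n) if v % 100 < 20) / n


if __name__ == "__main__":
    print("stored start:", from_filetime(MYDOOM_A_START_FT))
    print("active fraction of time: %.1f%%" % (100 * fraction_of_time_active()))
    for open_ft, close_ft in dos_windows():
        print("Start %s  Stop %s" % (from_filetime(open_ft), from_filetime(close_ft)))
```

Running the block prints the same Start/Stop pattern as the post (16:09:18 to 16:11:07, then 16:16:27, 16:23:36, ...), with about 25.5% of each 429.5 s wrap period open; before the stored date the high-dword compare fails first, so the buggy check can never fire early, matching the "No." above.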



