WebCrime

MYDOOM

More Doom?

The infection rate for the world’s fastest growing email virus ever is subsiding, but security experts say the risk of new attacks is not

Steve Marcus / Reuters

The MyDoom-B virus is set up to launch coordinated attacks on Microsoft from the computers it infects

 

WEB EXCLUSIVE

By Jennifer Barrett

Updated: 4:23 p.m. ET Feb. 3, 2004

It was nearly 4 p.m. last Monday when the first suspicious-looking email popped up on Richard Wang’s computer screen. Ten minutes later, a similar message arrived with the familiar “error” subject line and an icon indicating an attachment. The next arrived two minutes later. As a virus researcher at security firm Sophos’s new anti-virus lab in Massachusetts, Wang sorts through a lot of suspect email each day—most of it forwarded by customers or other security firms to be examined. “But once you see three or four of these in that short a time period, you start to think this is going to be something big,” he says. By the time the fourth email arrived, Wang remembers thinking, “I’m going to be late for dinner tonight.”

Meanwhile, on the West Coast, his counterpart at McAfee Avert, Craig Schmugar, was seeing two to four new suspicious-looking emails every time he refreshed his screen. “There was a sudden rush in emails we had never seen before,” says Schmugar, who is credited with co-discovering the virus. He named it MyDoom after spotting a line of text that included “mydom” (short for “my domain”) in the virus code. “It was evident early on that this would be very big,” he says. “I thought having ‘doom’ in the name would be appropriate.”

Was it ever. MyDoom—and its variation, MyDoom-B, released two days later—soon became the fastest spreading email virus in Internet history, extending into more than two dozen countries and infecting at least 500,000 machines over the past week. According to the security firm mi2g, damage estimates from the virus now range as high as $38.5 billion, taking into account everything from overtime pay to loss of business and bandwidth, as well as the cost of recovery and software upgrades. While some say that estimate may be too high, security analysts agree that the damage is in the billions.

And the worm’s work isn’t done yet.

Unlike some past viruses, MyDoom isn’t aimed at disabling victims’ computers or erasing their files (though it does disrupt email service and prevents victims from contacting many of the Web sites that offer anti-virus protection). In fact, victims may not even be aware that their computer has been infected unless they run an anti-virus scan.

“The worst viruses [like MyDoom],” says Wang, “aren’t interested in messing up your personal files or crashing your email system. They want to steal your bandwidth—take over your computer, basically—to use your PC for nefarious purposes, so it can’t be tracked back to theirs.”

The MyDoom worm was designed to launch later attacks from infected computers against two corporate targets: the SCO Group and Microsoft. SCO, a Utah-based software maker, earned the ire of Linux lovers—and became a regular target of attacks last year—for launching a patent claim against the freely available operating system. And as the world’s largest software maker, Microsoft is also a common target of hackers and virus writers.

MyDoom launched its first wave of attacks from an estimated 50,000 or more infected computers that were turned on this weekend. It was enough to shut down the SCO Group’s Web site. Microsoft was bracing itself Tuesday for the launch of similar, if fewer, denial-of-service attacks from MyDoom-B, which is set to run through the end of the month. The company even preemptively set up a back-up site just in case its main site is disabled. “We are doing everything we can to ensure that Microsoft properties remain fully available to our customers,” says Stephen Toulouse, security program manager at the Microsoft Security Response Center.

That includes offering a $250,000 reward for information leading to the capture of whoever is behind the MyDoom attack—a reward SCO is offering as well. Microsoft has offered the quarter-million-dollar rewards only twice before, for those behind last year’s MSBlast.A worm and Sobig virus. The offers are part of its new Anti-Virus Reward Program, launched late last fall with $5 million. Still, despite the rewards, and the FBI’s participation in the investigation into the MyDoom worm, no suspect has yet been identified.

And Jeff Carlon, director of worldwide IT infrastructure at the SCO Group, predicts hundreds more attacks on his Web site through next Thursday, when the first worm expires. Through a statement, he said the company “has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders.” That includes directing customers to a new Web site (thescogroup.com) as its technicians work to bring the original site back online.

For the most part though, security experts say the worst may be over. The number of new MyDoom infections has dropped significantly in the past few days to about one-third the rate of reported infections happening a week ago, according to the anti-virus software firm Symantec. McAfee’s Schmugar says the number of those computers cleaning out the virus is now higher than those reporting new infections.

But don’t breathe too easy yet.

“Unfortunately, one thing you can predict is that you will see more medium to high threats like this coming through this year,” says Vincent Weafer, senior director for Symantec Security Response. Home users and small businesses are particularly vulnerable.

“They remember and are diligent about updating their protection after an attack, but then they forget about it,” says Weafer.

Schmugar agrees. “MyDoom has gotten press and that raises awareness for a period of time but it’s hard to say how long that will last,” he says. “We’ve learned that people are aware for some period of time and then it fades and they go back to—I don’t want to say a false sense of security—but to their previous comfort level, perhaps. More people open an attachment they might not otherwise.”

And that may be all it takes to unleash the next MyDoom.

 

F-Secure Virus Descriptions : Mydoom

NAME: Mydoom
ALIAS: Shimgapi, Novarg, W32/Mydoom.A@mm
SIZE: 22528

Update on February 12th, 2004

F-Secure is downgrading the alert level on Mydoom.A since it reached its deadline.

The worm was programmed to stop spreading after February 12th, 2004.

Update on February 10th, 2004

A new minor variant of Mydoom was found on 10th of February 2004. We detect it automatically as "Mydoom.A". Some other products might detect it as "Mydoom.D". It's the original Mydoom with a different packer applied to it, and one of the messages it sends has been patched to say "ROFL HELLO SAM HOWS UPZ. Partial message is available."

Update on January 27th, 2004

F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of increased infection reports around the world. The worm sends email attachments with a random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.

Attack follow-up

F-Secure researchers will be monitoring the launch of the DDoS attack against SCO.COM on 1st of February, 2004. We'll post our findings to our weblog at: http://www.f-secure.com/weblog/

Summary

Mydoom is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it. In emails, it uses variable subjects, bodies and attachment names. It also performs a Distributed Denial-of-Service attack on www.sco.com. This attack starts on 1st of February.

The worm opens a backdoor on infected computers. This is done by planting a new SHIMGAPI.DLL file in the system32 directory and launching it as a child process of EXPLORER.EXE.

Mydoom is programmed to stop spreading on February 12th.

For information on the B variant of Mydoom, see: http://www.f-secure.com/v-descs/mydoom_b.shtml

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Mydoom infection from the computer.

The Mydoom removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip

http://www.f-secure.com/tools/f-mydoom.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe

http://www.f-secure.com/tools/f-mydoom.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt

http://www.f-secure.com/tools/f-mydoom.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.f-secure.com/tools/f-mydoom.jar

ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.jar

Manual Disinfection

Manual disinfection of Mydoom consists of the following steps:

1. Delete the following registry values and restart the computer:

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon]
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon]
   [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

2. Delete the worm from the Windows System Directory:

   %SysDir%\taskmon.exe

and its backdoor component from:

   %SysDir%\shimgapi.dll




Detailed Description

The worm encrypts most of the strings in its UPX-packed body with the ROT13 method, i.e. each letter is rotated 13 positions to the right in the alphabet, wrapping around to the beginning when the position is beyond the last letter.

When run the worm will create a mutex with the name "SwebSipcSmtxSO" to ensure only one instance of itself is running at the same time.

The worm will launch a Notepad window with garbage contents.

The worm will copy itself to the Windows System folder as 'taskmon.exe' and adds an entry in the registry:

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "TaskMon" = %sysdir%\taskmon.exe

or, if it fails:

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "TaskMon" = %sysdir%\taskmon.exe

So it's run every time Windows starts up.

It drops another file, contained encoded in its body and packed with UPX, as:

   %sysdir%\shimgapi.dll

This file will sequentially open TCP ports from 3127 to 3198, listening on them for incoming connections. One of the possibilities this backdoor offers is to receive an additional executable and run it on the already infected machine.

Expiration date

When the worm is executed on a date after the 12th of February 2004 it will exit immediately, without performing any further actions. It will not, however, uninstall itself.

Peer-to-Peer Spreading

The worm looks up from the Windows Registry the value containing the user's Kazaa shared folder, and copies itself to that location with a filename composed from the following list:

   winamp5
   icq2004-final
   activation_crack
   strip-girl-2.0bdcom_patches
   rootkitXP
   office_crack
   nuke2004

and extensions chosen from:

   .bat
   .exe
   .scr
   .pif

Mail Propagation

The worm collects the addresses it sends itself to from the Windows Address Book and from files with the following extensions:

   pl
   adb
   tbb
   dbx
   asp
   php
   sht
   htm
   txt

It tries to defeat simple anti-spam protections, such as the substitution of ' at ' for the '@' symbol, and several other combinations.

E-Mail messages sent by the worm have the following characteristics:

Subjects can be any of the following:

   test
   hi
   hello
   Mail Delivery System
   Mail Transaction Failed
   Server Report
   Status
   Error

Body is one of the following:

   test

   The message cannot be represented in 7-bit ASCII encoding
   and has been sent as a binary attachment.

   The message contains Unicode characters and has been sent
   as a binary attachment.

   Mail transaction failed. Partial message is available.

Attachments are composed combining the following names:

   document
   readme
   doc
   text
   file
   data
   test
   message
   body

with the following extensions:

   pif
   scr
   exe
   cmd
   bat
   zip

The ZIP file itself is not harmful when double-clicked. Inside the zip you have a copy of the worm, sharing the same file name as the .zip. For example, message.zip contains message.exe.

The sizes of the ZIP files vary, but they are typically around 22kB. The infected file inside the zip can have double extensions, like "body.htm .pif".

The final message might look like the one shown in the following picture (image not reproduced here):

Payload

When the machine is booted after 16:09:18 UTC on Sunday, 1st of February 2004 (always according to the infected system's clock), a DDoS attack will be launched against the SCO website.

The worm will launch 64 threads, each of them requesting the main page of the website www.sco.com. This process of requesting simultaneously 64 times the page will be repeated roughly every second (1024 milliseconds) from each of the infected machines throughout the globe. The request is a simple "GET / HTTP/1.1", aimed to overload their webserver.

Backdoor

The backdoor component of Mydoom.A is dropped to the System Directory with the filename 'shimgapi.dll'. The file is added to the registry as:

   [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

This registry value makes Explorer load the DLL as an extension, so it is not visible as a separate process in Task Manager.

The backdoor listens on the first available TCP port between 3127 and 3198. Connecting to that port, a remote attacker can

- use the infected computer as a TCP proxy

- upload and execute arbitrary executables on the infected computer



Detection

Detection in F-Secure Anti-Virus was published on January 26th, 2004 at 23:09 UTC in update:

[FSAV_Database_Version]

Version=2004-01-27_01

As download speeds for regular updates might be slow, you can download detection for Mydoom directly from here:

ftp://ftp.f-secure.com/anti-virus/updates/fsupdate.exe

Blocking the worm on the mail server

Considering the large volume of the infected emails sent by Mydoom.A mail server administrators might want to block the worm from entering their mail servers as early as possible.

The ZIP versions of the worm can be detected by matching the first line of the MIME-encoded attachment against one of the following regular expressions:

   '^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA'
   '^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA'

Please note that the '+' sign might or might not need the \ escaping, depending on the regular expression implementation.

If either of the expressions matches, the email contains the ZIP-compressed version of the worm and can be rejected.

The EXE version can be detected by the presence of the following four consecutive lines in the MIME body:

   'QWRuwhLeZHJyFsetbllrtEilOBwrJ8OYMXsTGWAEvKwwhG6qzQlpQXePs2GNRklxNWtlZBN2agul'
   'YxILFUnSmWGSblIi5FUzNsGwsPXUQpMmSx2FFJx5orXascf4NmeMS2V5DE9wTd069+gLRSQOOlaN'
   'dWVhBwCGDyQRCTN3KaZ1bTAMr63ZbLM/ZMIIAW2j7rQ1zHNlomp3QxDz2N8MAwdpc2RpZ2kZdXBw'
   'c83NthF4EglmWwg4zVb4c3BhS0/NLFjA/nubVS9CdWZmQQ8LZ9qOPExvd3d2OXK2I1GYbdh3CkfY'




Description: Mikko Hypponen, Katrin Tocheva, Sami Rautiainen; January 27th, 2004

Technical Details: Ero Carrera and Gergely Erdelyi; January 28th, 2004

F-Secure Corporation

 

 
 

Virus information
W32/MyDoom-A

Summary

Description

This section helps you to understand how it behaves

W32/MyDoom-A is a worm which spreads by email. When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.

W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.

W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics.

Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

W32/MyDoom-A is programmed to not forward itself via email if the recipient email address satisfies various conditions:

  • The worm will not send itself to email addresses belonging to domains containing the following strings: acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e, unix, usenet, utgers.ed

    As a consequence the worm does not forward itself to a number of email domains, including several anti-virus companies and Microsoft.

  • The worm will not send itself to email addresses in which the username contains the following strings: abuse, anyone, bugs, ca, contact, feste, gold-certs, help, info, me, no, noone, nobody, not, nothing, page, postmaster, privacy, rating, root, samples, secur, service, site, spm, soft, somebody, someone, submit, the.bat, webmaster, you, your, www

  • The worm will not send itself to email addresses which contain the following strings: admin, accoun, bsd, certific, google, icrosoft, linux, listserv, ntivi, spam, support, unix


The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-A creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll to the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127. The DLL adds the following registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"

The worm will also add the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Between the 1st and 12th February 2004, the worm will attempt a denial-of-service attack on www.sco.com, sending numerous GET requests to the web server.

After the 12th February W32/MyDoom-A will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.

Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack

Recovery

 

Sophos © 1997-2005 Sophos Plc. All rights reserved.

W32.Mydoom.A@mm

Category 2
Discovered on: January 26, 2004
Last Updated on: July 27, 2004 11:53:34 AM


Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 rating as of March 30, 2004.

W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.


Notes:
  • Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
  • Virus definitions dated prior to February 4, 2004 will detect this threat as W32.Novarg.A@mm.

 

Also Known As: W32.Novarg.A@mm, W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Associates], W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]
Type: Worm
Infection Length: 22,528 bytes, variable file size for a .zip attachment
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

protection
  • Virus Definitions (Intelligent Updater) *: January 26, 2004
  • Virus Definitions (LiveUpdate™) **: January 26, 2004

    * Intelligent Updater definitions are released daily, but require manual download and installation.

    ** LiveUpdate virus definitions are usually released every Wednesday.

    threat assessment

    Threat Metrics
    Wild: Low
    Damage: Medium
    Distribution: High

    technical details

    When W32.Mydoom.A@mm is executed, it does the following:

    1. Creates the following files:
      • %System%\Shimgapi.dll: Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.
      • %Temp%\Message: This file contains random letters and is displayed using Notepad.
      • %System%\Taskmon.exe.


        Notes:
      • Taskmon.exe is a legitimate file in the Windows 95/98/Me operating systems, but is in the %Windir% folder, not the %System% folder. (By default, this is C:\Windows or C:\Winnt.) Do not delete the legitimate file in the %Windir% folder.
      • %System% is a variable: The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %Temp% is a variable: The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), or C:\WINNT\Temp (Windows NT/2000), or C:\Document and Settings\<UserName>\Local Settings\Temp (Windows XP).

    2. Adds the value:

      "(Default)" = "%System%\shimgapi.dll"

      to the registry key:

      HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

      so that Explorer.exe loads Shimgapi.dll.

    3. Adds the value:

      "TaskMon" = "%System%\taskmon.exe"

      to the registry keys:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


      so that TaskMon is run when you start Windows.

    4. Checks the system date, and if the date is between February 1, 2004 and February 12, 2004, there is a 25% chance the worm will perform a DoS attack against www.sco.com. The DoS is performed by creating 63 new threads that send GET requests and use a direct connection to port 80. The worm will not mass mail itself if the DoS attack is triggered.


      Notes:
      • The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack.
      • Due to the way the worm verifies the system date, the DoS will only be executed on 25% of infected computers.
      • The DoS will only occur when the system date is checked during the initial infection, or if the computer is restarted.
      • The worm will use local DNS settings to resolve the domain name used in the DoS attack (www.sco.com).


    5. Creates the following registry keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      Explorer\ComDlg32\Version

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\ComDlg32\Version


    6. Searches for the email addresses in the files with the following extensions:
      • .htm
      • .sht
      • .php
      • .asp
      • .dbx
      • .tbb
      • .adb
      • .pl
      • .wab
      • .txt

    7. Attempts to send email messages using its own SMTP engine. The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead. The email will have the following characteristics:

      From: The "From" address may be spoofed.

      Subject: The subject will be one of the following:
      test
      hi
      hello
      Mail Delivery System
      Mail Transaction Failed
      Server Report
      Status
      Error

      Message: The message will be one of the following:
      Mail transaction failed. Partial message is available.
      The message contains Unicode characters and has been sent as a binary attachment.
      The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
      test

      Attachment: The attachment file name, not including the extension, will be one of the following:
      document
      readme
      doc
      text
      file
      data
      test
      message
      body

      The attached file may have either one or two file extensions. If it does have two, the first extension will be one of the following:
      .htm
      .txt
      .doc

      The second extension, or the only extension if there is only one, will be one of the following:
      .pif
      .scr
      .exe
      .cmd
      .bat
      .zip (This is an actual .zip file that contains a copy of the worm, sharing the same file name as the .zip. For example, readme.zip can contain readme.exe.)

      If the worm has an extension of .exe or .scr, the file will be displayed with the following icon (image not reproduced here).

      For all the other file extensions, it will use the icon for that file type.

    8. Copies itself to the Kazaa download folder as one of the following files:
      • winamp5
      • icq2004-final
      • activation_crack
      • strip-girl-2.0bdcom_patches
      • rootkitXP
      • office_crack
      • nuke2004

        with a file extension of:
      • .pif
      • .scr
      • .bat
      • .exe

    Symantec Client Security
    • Antivirus component: An update for the Symantec Client Security AntiVirus engine to protect against the W32.Mydoom.A@mm/W32.Novarg.A@mm worm has been available for several days via LiveUpdate (see above).
    • Symantec Client Firewall: Symantec Client Firewall ships with the default ruleset as "High: Block everything until you allow it." It will notify the user of the exploit backdoor connection and prompt the user to Permit, Block, or Customize a rule for that connection attempt opened by the virus MyDoom/Novarg.

    Symantec Gateway Security 1.0
    An update for the Symantec Gateway Security IDS/IPS engine to protect against the W32.Mydoom.A@mm worm has been posted as of 9:24 PM PST 1/30/04. Symantec Gateway Security administrators are advised to run LiveUpdate to ensure protection against this threat.

    Symantec Gateway Security 2.0
    An update for the Symantec Gateway Security IDS/IPS engine to protect against the W32.Mydoom.A@mm worm has been posted as of 3:02 PM PST 1/29/04. Symantec Gateway Security administrators are advised to run LiveUpdate to ensure protection against this threat.

    Intruder Alert
    Symantec has released the Intruder Alert 3.6 W32_Novarg_Worm Policy.

    Symantec HIDS 4.1.1
    Symantec released a LiveUpdate package on January 27, 2004 for users of Symantec HIDS 4.1.1. See the Symantec Host IDS 4.1.1 Security Update 1 for additional information.

    Symantec ManHunt
    Security Update 17 has been released to provide signatures specific to the backdoor activity associated with the W32.Mydoom.A@mm Worm.

    DoS detection via ManHunt Flow Alert Rules: The Symantec Network IDS team recommends that administrators use the Flow Alert Rule feature to log events for suspicious traffic to the SCO Web site on 2/1/2004 and the Microsoft Web site on 2/3/2004. For detailed instructions, read the Symantec Knowledge Base at: http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/docid/2004012813061253

    In addition, Symantec ManHunt 2.2/3.0/3.01 customers can apply the following signature to detect the attempted DoS against www.sco.com. This DoS will start occurring on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading. This signature will help in determining from which machines the request is being made.

    *******************start file********************

    alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)

    *************EOF*********************

    For more information on creating custom signatures, refer to the "Symantec ManHunt Administrative Guide: Appendix A Custom Signatures for HYBRID Mode."
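    The following is an added example, not part of the Symantec advisory or of ManHunt: it applies the tests of the W32_Novarg_SCO_DOS signature above (destination port 80, content anchored at offset 0, payload size exactly 37 bytes) to captured TCP payloads and tallies matches per source address, which is the "which machines are making the request" question the signature is meant to answer. The sample packets are constructed for illustration; the |0d0a| hex escapes in the rule are expanded to CRLF. Note that the 37-byte dsize test is what keeps an ordinary browser request to the same site (which carries extra headers) from matching.

```python
"""Added example (not part of the Symantec advisory): apply the
W32_Novarg_SCO_DOS signature to captured TCP payloads.

The rule fires when a packet to TCP port 80 carries exactly the 37-byte
request 'GET / HTTP/1.1\\r\\nHost: www.sco.com\\r\\n\\r\\n' at offset 0.
The sample packets below are constructed for illustration."""
from collections import Counter

# The rule's content field with the |0d0a| hex escapes expanded to CRLF.
SIGNATURE_CONTENT = b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"
SIGNATURE_DSIZE = 37          # dsize:37 in the rule
SIGNATURE_PORT = 80           # "-> any 80" in the rule

# Sanity check: the bare request is 14 + 2 + 17 + 4 = 37 bytes, so dsize:37
# matches only the worm's header-less request.
assert len(SIGNATURE_CONTENT) == SIGNATURE_DSIZE


def matches_sco_dos_rule(dst_port: int, payload: bytes) -> bool:
    """Return True when the packet satisfies every test in the rule:
    destination port 80, payload size exactly 37 bytes, and the content
    present at offset 0 (offset:0 anchors the match to the payload start)."""
    if dst_port != SIGNATURE_PORT:
        return False
    if len(payload) != SIGNATURE_DSIZE:
        return False
    return payload.startswith(SIGNATURE_CONTENT)


def infected_hosts(packets):
    """Count matching requests per source address so an administrator can
    see which internal machines are issuing the worm's request.
    packets is an iterable of (src_ip, dst_port, payload) tuples."""
    hits = Counter()
    for src_ip, dst_port, payload in packets:
        if matches_sco_dos_rule(dst_port, payload):
            hits[src_ip] += 1
    return dict(hits)


# Constructed sample traffic: two infected hosts, one ordinary browser
# request to the same site (extra header, so dsize != 37), and one copy
# of the worm request sent to a port the rule does not cover.
SAMPLE_PACKETS = [
    ("192.0.2.10", 80, SIGNATURE_CONTENT),
    ("192.0.2.10", 80, SIGNATURE_CONTENT),
    ("192.0.2.23", 80, SIGNATURE_CONTENT),
    ("192.0.2.50", 80, b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n"
                       b"User-Agent: Mozilla/4.0\r\n\r\n"),
    ("192.0.2.10", 8080, SIGNATURE_CONTENT),
]

if __name__ == "__main__":
    for ip, count in sorted(infected_hosts(SAMPLE_PACKETS).items()):
        print(f"{ip}: {count} W32_Novarg_SCO_DOS matches")
```

Run stand-alone, the script reports 192.0.2.10 twice and 192.0.2.23 once; the browser request and the port-8080 packet are not counted, which is the same narrowing the real rule performs.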

    Recommendations

    Symantec Security Response offers these suggestions on how to configure Symantec products in order to minimize your exposure to this threat.

    Gateway:
    • Symantec Gateway Security
    • Symantec Enterprise Firewall

    Client:
    • Norton Internet Security
    • Norton Personal Firewall
    • Symantec Client Security

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    Removal Instructions

    Removal using the Removal Tool
    Symantec Security Response has developed a removal tool to clean the infections of W32.Mydoom.A@mm. This is the preferred method in most cases.

    Manual Removal
    Perform a manual removal if you cannot obtain the tool.

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Disable System Restore (Windows Me/XP).
    2. Update the virus definitions.
    3. Restart the computer in Safe mode or VGA mode.
    4. Run a full system scan and delete all the files detected as W32.Mydoom.A@mm.
    5. Delete the values that were added to the registry.
    6. Reregister the webcheck.dll file. (This will remove the registry modifications responsible for loading Shimgapi.dll.)
    For specific details on each of these steps, read the following instructions.

    1. Disabling System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

    Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

    2. Updating the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
    • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

      The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

    3. Restarting the computer in Safe mode or VGA mode

    Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
    • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
    • For Windows NT 4 users, restart the computer in VGA mode.

    4. Scanning for and deleting the infected files
    1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    2. Run a full system scan.
    3. If any files are detected as infected with W32.Mydoom.A@mm, click Delete.

    5. Deleting the values from the registry


    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit, and then click OK. (The Registry Editor opens.)

    3. Navigate to each of these keys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the value:

      "Taskmon"="%System%\taskmon.exe"


      Note: %System% is a variable that refers to the location of the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    5. Exit the Registry Editor.

    6. Reregistering the Webcheck.dll file
    (This will remove the registry modifications responsible for loading Shimgapi.dll.)
    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type, or copy and paste, the following text:

      regsvr32 webcheck.dll

    3. Click OK. When you see the message, "DllRegisterServer in webcheck.dll succeeded," click OK.
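    As an added example (not part of the Symantec advisory), the check below audits a regedit export of the two Run keys named in step 5 for the value the worm adds, so the finding can be confirmed before anything is deleted by hand. The export text is constructed for illustration; on a real system it would come from exporting those keys with regedit. The %System% defaults are the ones listed in the note under step 5, and the parser handles only the string values the Run keys normally hold.

```python
"""Added example (not part of the Symantec advisory): audit a REGEDIT4
export of the Run keys from step 5 for the "Taskmon" value the worm adds.

The export text below is constructed for illustration.  regedit escapes
backslashes in string data as '\\\\', which the parser undoes."""
import re

# The two keys named in step 5 of the manual removal instructions.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Default %System% locations from the advisory's note under step 5.
SYSTEM_DIRS = {
    "95/98/Me": r"C:\Windows\System",
    "NT/2000": r"C:\Winnt\System32",
    "XP": r"C:\Windows\System32",
}

# The indicator: a value named Taskmon whose data is %System%\taskmon.exe.
INDICATOR_NAME = "taskmon"
INDICATOR_FILE = "taskmon.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse the [key] and "name"="data" lines of a REGEDIT4 export into
    {key: {name: data}}.  Only REG_SZ string values are handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_taskmon_values(text: str):
    """Return (key, name, data) for every Run value matching the indicator:
    the value is named Taskmon and points at taskmon.exe inside one of the
    default %System% folders.  Comparison is case-insensitive, as the
    registry and NTFS/FAT paths are."""
    system_dirs = {d.lower() for d in SYSTEM_DIRS.values()}
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            folder, _, filename = data.rpartition("\\")
            if (name.lower() == INDICATOR_NAME
                    and filename.lower() == INDICATOR_FILE
                    and folder.lower() in system_dirs):
                findings.append((key, name, data))
    return findings


# Constructed export: one clean value beside the worm's value under the
# HKLM Run key, a clean HKCU Run key, and an unrelated RunOnce key that
# the audit deliberately ignores because step 5 does not name it.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\Windows\\System32\\systray.exe"
"Taskmon"="C:\\Windows\\System32\\taskmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Taskmon"="C:\\Windows\\System32\\taskmon.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_taskmon_values(SAMPLE_EXPORT):
        print(f'{key}\n  "{name}"="{data}"  <- value to delete in step 5')
```

The audit reports only the HKLM Run value in the sample; it is a read-only check, and the deletion itself is still done in the Registry Editor as step 5 describes.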

    Additional information:

    When W32.Mydoom.A@mm sends email, it avoids distributing to the domains that contain any of the following strings:

    • avp
    • syma
    • icrosof
    • msn.
    • hotmail
    • panda
    • sopho
    • borlan
    • inpris
    • example
    • mydomai
    • nodomai
    • ruslis
    • .gov
    • gov.
    • .mil
    • foo.
    • berkeley
    • unix
    • math
    • bsd
    • mit.e
    • gnu
    • fsf.
    • ibm.com
    • google
    • kernel
    • linux
    • fido
    • usenet
    • iana
    • ietf
    • rfc-ed
    • sendmail
    • arin.
    • ripe.
    • isi.e
    • isc.o
    • secur
    • acketst
    • pgp
    • tanford.e
    • utgers.ed
    • mozilla

    or to accounts that match any of the following strings:
    • root
    • info
    • samples
    • postmaster
    • webmaster
    • noone
    • nobody
    • nothing
    • anyone
    • someone
    • your
    • you
    • me
    • bugs
    • rating
    • site
    • contact
    • soft
    • no
    • somebody
    • privacy
    • service
    • help
    • not
    • submit
    • feste
    • ca
    • gold-certs
    • the.bat
    • page

    or accounts that contain any of the following strings:
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • google
    • accoun

    The worm also prepends any of the following names to the domain name obtained:
    • adam
    • alex
    • alice
    • andrew
    • anna
    • bill
    • bob
    • brenda
    • brent
    • brian
    • claudia
    • dan
    • dave
    • david
    • debby
    • fred
    • george
    • helen
    • jack
    • james
    • jane
    • jerry
    • jim
    • jimmy
    • joe
    • john
    • jose
    • julie
    • kevin
    • leo
    • linda
    • maria
    • mary
    • matt
    • michael
    • mike
    • peter
    • ray
    • robert
    • sam
    • sandra
    • serg
    • smith
    • stan
    • steve
    • ted
    • tom

    Revision History:

    • March 30, 2004: Downgraded from Category 3 to Category 2 based on decreased rate of submissions.
    • February 26, 2004: Downgraded from Category 4 to Category 3 based on decreased rate of submissions.
    • February 5, 2004: Added Symantec Client Security updates.
    • February 3, 2004:
      • Renamed to W32.Mydoom.A@mm from W32.Novarg.A@mm.
      • Added Norton Internet Security and Norton Personal Firewall updates.
    • January 31, 2004:
      • Added information regarding additionally spawned threads to perform a DoS attack.
      • Added information regarding the time at which an attack starts.
      • Added information regarding the 25% chance that a worm will perform a DoS attack.
      • Added Symantec ManHunt and SGS updates.
    • January 30, 2004: Changed manual removal to use the regsvr32 command to reregister the webcheck.dll file rather than do this in the registry.
    • January 27, 2004:
      • Updated document with link to removal tool for W32.Novarg.A@mm.
      • Updated alias information.
      • Added reference to Symantec HIDS update.

    Dr. Doom

    Victor von Doom was born in the Balkan nation of Latveria to Werner von Doom, a gypsy healer, and Cynthia von Doom, a witch. While Victor was still an infant, his mother was killed by a Latverian guardsman when her spell to rid Latveria of tyranny went horribly awry. Later, when Victor was still a child, his father was hunted by the authorities for his failure to cure the ruling baron's wife of terminal cancer. Werner von Doom and his son fled, but the father died of exposure to cold. Anguished by his father's death, the young von Doom vowed to make the entire world pay for the loss of his parents.

    While in the care of Boris, a friend of his father's, the young von Doom discovered his mother's legacy to him: a chest containing herbs, medicines, and objects said to have magical powers. He saw these artifacts as his means to gaining power and began learning their uses. Von Doom also began developing his own innate scientific abilities. For years he traveled the countryside, peddling clever devices and potions he had created to the gullible, knowing that they would turn worthless soon after he left. Meanwhile, he continued to increase his knowledge, creating robotic duplicates and fantastic weaponry to elude capture and protect his gypsy people. As his obsession with gaining power and vengeance grew, von Doom became increasingly distant from his childhood sweetheart, a young beautiful gypsy woman named Valeria, much to her distress.

    The dean of science at State University in America heard of von Doom's astounding reputation and offered him a scholarship. Travelling to America to take advantage of the university's lab facilities, von Doom met Reed Richards, a brilliant science student, and the two became intellectual rivals. Sometime later, von Doom was in the midst of testing a device for interdimensional communication in order to breach the spirit world to contact the spirit of his dead mother. Von Doom refused to heed the warnings of Richards, who had seen a mistake in von Doom's calculations, and the machine malfunctioned and exploded, injuring von Doom. While convalescing, von Doom was expelled from the university and formed the irrational belief that Richards was responsible for the machine's failure.

    Believing that his injuries were disfiguring (a fact that remains an unsubstantiated mystery), Doom left America for the remoteness of Tibet, where he hoped to find both refuge from the sight of man and the hidden secrets of sorcery. Discovered by the Aged Genghis, he was taken in by a group of monks and lived with them for a number of years, learning their secrets and eventually becoming their master. The monks helped him create a suit of armor and a metal mask, which he now wore in his new guise as Doctor Doom, in which he intended to conquer the world. In his haste, von Doom donned his newly cast mask before it had completely cooled, thereby permanently damaging his entire face.

    Leaving the monks, the self-styled Doctor Doom returned to Latveria and worked his way into the favor of the ruling King Vladimir as his scientific advisor. He manipulated events with a robotic duplicate of Prince Rudolpho so that the king was assassinated and "Rudolpho" abdicated the throne to the "stronger and more able" von Doom. Doom established a nation of peace and prosperity ruled by a stern dictatorship under his name as "The Master." Sequestered in the royal castle of Doomstadt, he began to use his mastery of science to create the means to achieve further conquests.

    Of course, Doom is a perennial foe of the Fantastic Four. His dealings with Iron Man involved two memorable two-parters by David Michelinie and Bob Layton. In the first (IM #149-150), von Doom needs Stark components to boost his time platform. When Iron Man travels to Latveria to reacquire a few of the electronics that were mistakenly shipped, the two do battle, natch! But, Doom's servant, the scientist Hauptmann, activates Doom's time platform while the duo are on top of it -- zapping them back to the 12th century! There, IM teams up with King Arthur and his court, while Doom sides with the evil Morgana Le Fey. The opposing sides do epic battle, the former ultimately winning out. Doom then proposes that he and IM work together to cannibalize their armors' systems in order to construct a crude time device which will return them to the present! They of course succeed!

    In their second encounter (IM #249-250), two mysterious powerful objects appear -- one in Latveria and the other at Stark Enterprises in California. Doc Doom wants both of them, so he personally travels to SE to bargain with Stark. When Stark gives the obvious "no," Doc gives fair warning. Doom's robots attack SE soon after and Doc obtains the Stark half of the artifact. He soon connects the two halves, and a mysterious black light begins to ooze out of it. Just then, IM arrives for the stolen half -- but the black light envelops both him and Doom! They are transported to the future, the year 2093! A clone of King Arthur is reborn and, along with his magician Merlin, must save the future Earth from extinction! The two have summoned Doom and IM to assist. They find they must battle two counterparts of themselves -- Iron Man against a descendant known as Andros Stark in the Iron Man 2020 armor, and Doom vs. himself, kept alive via various mechanical devices! Once the danger is dealt with, the two are promptly returned to the present.

    First IM Appearance: Iron Man #102 (in Dreadknight flashbacks).

    (Some info and pic courtesy of the online Unofficial Marvel Handbook to the Marvel Universe.)