MYDOOM

More Doom?

The infection rate for the world’s fastest growing email virus ever is subsiding, but security experts say the risk of new attacks is not

Steve Marcus / Reuters

The MyDoom-B virus is set up to launch coordinated attacks on Microsoft from the computers it infects

WEB EXCLUSIVE

By Jennifer Barrett

Updated: 4:23 p.m. ET Feb. 3, 2004

It was nearly 4 p.m. last Monday when the first suspicious-looking email popped up on Richard Wang’s computer screen. Ten minutes later, a similar message arrived with the familiar “error” subject line and an icon indicating an attachment. The next arrived two minutes later. As a virus researcher at security firm Sophos’s new anti-virus lab in Massachusetts, Wang sorts through a lot of suspect email each day—most of it forwarded by customers or other security firms to be examined. “But once you see three or four of these in that short a time period, you start to think this is going to be something big,” he says. By the time the fourth email arrived, Wang remembers thinking, “I’m going to be late for dinner tonight.”

Meanwhile, on the West Coast, his counterpart at McAfee Avert, Craig Schmugar, was seeing two to four new suspicious-looking emails every time he refreshed his screen. “There was a sudden rush in emails we had never seen before,” says Schmugar, who is credited with co-discovering the virus. He named it MyDoom after spotting a line of text that included “mydom” (short for “my domain") in the virus code. “ It was evident early on that this would be very big,” he says. “I thought having `doom’ in the name would be appropriate.”

Was it ever. MyDoom—and its variation, MyDoom-B, released two days later—soon become the fastest spreading email virus in Internet history, extending into more than two dozen countries and infecting at least 500,000 machines over the past week. According to the security firm mi2g, damage estimates from the virus now range as high as $38.5 billion, taking into account everything from overtime pay to loss of business and bandwidth, as well as the cost of recovery and software upgrades. While some say that estimate may be too high, security analysts agree that the damage is in the billions.

And the worm’s work isn’t done yet.

Unlike some past viruses, MyDoom isn’t aimed at disabling victims’ computers or erasing their files (though it does disrupt email service and prevents victims from contacting many of the Web sites that offer anti-virus protection.) In fact, victims may not even be aware that their computer has been infected unless they run an anti-virus scan.

“The worst viruses [like MyDoom],” says Wang, “aren’t interested in messing up your personal files or crashing your email system. They want to steal your bandwidth—take over your computer, basically—to use your PC for nefarious purposes, so it can’t be tracked back to theirs.”

The MyDoom worm was designed to launch later attacks from infected computers against two corporate targets: the SCO Group and Microsoft. SCO, a Utah-based software maker, earned the ire of Linux lovers—and became a regular target of attacks last year—for launching a patent claim against the freely available operating system. And as the world’s largest software maker, Microsoft is also a common target of hackers and virus writers.

MyDoom launched its first wave of attacks from an estimated 50,000 or more infected computers that were turned on this weekend. It was enough to shut down the SCO Group’s Web site. Microsoft was bracing itself Tuesday for the launch of similar, if fewer, denial-of-service attacks from MyDoom-B, which is set to run through the end of the month. The company even preemptively set up a back-up site just in case its main site is disabled. “We are doing everything we can to ensure that Microsoft properties remain fully available to our customers,” says Stephen Toulouse, security program manager at the Microsoft Security Response Center.

That includes offering a $250,000 reward for information leading to the capture of whoever is behind the MyDoom attack—a reward SCO is offering as well. Microsoft has offered the quarter-million-dollar rewards only twice before, for those behind last year’s MSBlast.A worm and Sobig virus. The offers are part of its new Anti-Virus Reward Program, launched late last fall with $5 million. Still, despite the rewards, and the FBI’s participation in the investigation into the MyDoom worm, no suspect has yet been identified.

And Jeff Carlon, director of worldwide IT infrastructure at the SCO Group, predicts hundreds more attacks on his Web site through next Thursday, when the first worm expires. Through a statement, he said the company “has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders.” That includes directing customers to a new Web site (thescogroup.com) as its technicians work to bring the original site back online.

For the most part though, security experts say the worst may be over. The number of new MyDoom infections has dropped significantly in the past few days to about one-third the rate of reported infections happening a week ago, according to the anti-virus software firm Symantec. McAfee’s Schmugar says the number of those computers cleaning out the virus is now higher than those reporting new infections.

But don’t breathe too easy yet.

“Unfortunately, one thing you can predict is that you will see more medium to high threats like this coming through this year,” says Vincent Weafer, senior director for Symantec Security Response. Home users and small businesses are particularly vulnerable.

“They remember and are diligent about updating their protection after an attack, but then they forget about it,” says Weafer.

Schmugar agrees. “MyDoom has gotten press and that raises awareness for a period of time but it’s hard to say how long that will last,” he says. “We’ve learned that people are aware for some period of time and then it fades and they go back to—I don’t want to say a false sense of security—but to their previous comfort level, perhaps. More people open an attachment they might not otherwise.”

And that may be all it takes to unleash the next MyDoom.

F-Secure Virus Descriptions : Mydoom

[Summary] | [Disinfection] | [Detailed Description] | [Detection]

NAME: Mydoom

ALIAS: Shimgapi, Novarg, W32/Mydoom.A@mm

SIZE: 22528

Update on February 12th, 2004
F-Secure is downgrading the alert level on Mydoom.A since it reached its deadline.
The worm was programmed to stop spreading after February 12th, 2004.
Update on February 10th, 2004
A new minor variant of Mydoom was found on 10th of February 2004. We detect it automatically as "Mydoom.A". Some other products might detect it as "Mydoom.D". It's the original Mydoom with a different packer applied to it, and one of the messages it sends has been patched to say "ROFL HELLO SAM HOWS UPZ. Partial message is available."
Update on January 27th, 2004
F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of increased infection reports around the world. The worm sends email attachments with a random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.
Attack follow-up
F-Secure researchers will be monitoring the launch of the DDoS attack against SCO.COM on 1st of February, 2004. We'll post our findings to our weblog at: http://www.f-secure.com/weblog/

Summary

Mydoom is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it. In emails, it uses variable subjects, bodies and attachment names. It also performs a Distributed Denial-of-Service attack on www.sco.com. This attack starts on 1st of February.
The worm opens up a backdoor to infected computers. This is done by planting a new SHIMGAPI.DLL file to system32 directory and launching it as a child process of EXPLORER.EXE.
Mydoom is programmed to stop spreading on February 12th.
For information on the B variant of Mydoom, see: http://www.f-secure.com/v-descs/mydoom_b.shtml

Disinfection

Special Disinfection Tool
F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Mydoom infection from the computer.
The Mydoom removal tool can be downloaded in a ZIP file from:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.zip
http://www.f-secure.com/tools/f-mydoom.zip
The unpacked version is available from:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.exe
http://www.f-secure.com/tools/f-mydoom.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.txt
http://www.f-secure.com/tools/f-mydoom.txt
System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.
System administrators can download the JAR version from:
http://www.f-secure.com/tools/f-mydoom.jar
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoom.jar
Manual Disinfection
Manual disinfection of Mydoom consists of the following steps:
1, Delete the registry value and restart the computer:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon]

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

2, Delete the worm from the Windows System Directory:
%SysDir%\taskmon.exe

and its backdoor component from:
%SysDir%\shimgapi.dll

Back to the Top

Detailed Description

The worm encrypts most of the strings in it's UPX-packed body with ROT13 method, i.e. the characters are rotated 13 locations to the right in the abecedary, starting from the beginning if the position is beyond the last letter.
When run the worm will create a mutex with the name "SwebSipcSmtxSO" to ensure only one instance of itself is running at the same time.
The worm will launch a Notepad window with garbage contents.

The worm will copy itself to the Windows System folder as 'taskmon.exe' and adds a entry in the registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "TaskMon" = %sysdir%\taskmon.exe

or, if it fails:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "TaskMon" = %sysdir%\taskmon.exe

So it's run every time Windows starts up.
It drops another file, contained encoded in its body and packed with UPX as:
%sysdir%\shimgapi.dll

This file will sequentially open TCP ports from 3127 to 3198, listening on them for incoming connections. One of the possibilities this backdoor offers is to receive an additional executable and run it on the already infected machine.
Expiration date.
When the worm is executed in a date after the Sunday 12th of February 2004 it will exit immediately, without performing any further actions. It will not, however, uninstall itself.
Peer-to-Peer Spreading
The worm will look up form the Windows' Registry the value containing the users Kazaa shared folder, and it will copy itself to that location with a filename composed from the following list:
winamp5 icq2004-final activation_crack strip-girl-2.0bdcom_patches rootkitXP office_crack nuke2004

And extensions chosen from:
.bat .exe .scr .pif

Mail Propagation

The worm collects addresses where to send itself from Windows' Address Book and from files with extension:
pl adb tbb dbx asp php sht htm txt

It try to bypass simple anti-spam protections i.e., like substituting the '@' symbol for ' at ' and several other combinations.
E-Mail messages sent by the worm have the following characteristics:
Subjects can be any of the following:
test hi hello Mail Delivery System Mail Transaction Failed Server Report Status Error

Body is one of the following:
test

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The message contains Unicode characters and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

Attachments are composed combining the following names:
document readme doc text file data test message body

with the following extensions:
pif scr exe cmd bat zip

The ZIP file itself is not harmful when doubleclicked. Inside the zip you have a copy of the worm, sharing the same file name as the .zip. For example, message.zip contains message.exe.
The sizes of the ZIP files vary, but it's typically around 22kB. The infected file inside the zip can have double extensions, like "body.htm .pif".
The final message might look like presented in the following picture:

Payload
When the machine is booted after the Sunday 1st of February at 16:09:18 (UTC) (always according to the infected system's clock). A DDoS attack will be launched against SCO website.
The worm will launch 64 threads, each of them requesting the main page of the website www.sco.com. This process of requesting simultaneously 64 times the page will be repeated roughly every second (1024 milliseconds) from each of the infected machines throughout the globe. The request is a simple "GET / HTTP/1.1", aimed to overload their webserver.

Backdoor
The backdoor component of Mydoom.A is dropped to the System Directory with the filename 'shimgapi.dll'. The file is added to the registy as:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]

This registry value makes Explorer to load the DLL as an extension so it is not visible as a separate process in Task Manager.
The backdoor listens on the first available TCP port between 3127 and 3198. Connecting to that port a remote attacker can
- use the infected computer as a TCP proxy
- upload and execute arbitrary executables to the infected computer

Back to the Top

Detection

Detection in F-Secure Anti-Virus was published on January 26th, 2004 at 23:09 UTC in update:
[FSAV_Database_Version]
Version=2004-01-27_01
As download speeds for regular updates might be slow, you can download detection for Mydoom directly from here:
ftp://ftp.f-secure.com/anti-virus/updates/fsupdate.exe
Blocking the worm on the mail server
Considering the large volume of the infected emails sent by Mydoom.A mail server administrators might want to block the worm from entering their mail servers as early as possible.
The ZIP versions of the worm can be detected by matching the first line of the MIME encoded attachment against one of the following regular expressions
'^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA' '^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA'

Please note that the '+' sign might or might not need the \ escaping depending on the regular expression implementation.
If either of the expressions match the email contains the ZIP compressed version of the worm and can be rejected.
The EXE version can be detected with the presence of the following four consecutive lines in the MIME body:
'QWRuwhLeZHJyFsetbllrtEilOBwrJ8OYMXsTGWAEvKwwhG6qzQlpQXePs2GNRklxNWtlZBN2agul' 'YxILFUnSmWGSblIi5FUzNsGwsPXUQpMmSx2FFJx5orXascf4NmeMS2V5DE9wTd069+gLRSQOOlaN' 'dWVhBwCGDyQRCTN3KaZ1bTAMr63ZbLM/ZMIIAW2j7rQ1zHNlomp3QxDz2N8MAwdpc2RpZ2kZdXBw' 'c83NthF4EglmWwg4zVb4c3BhS0/NLFjA/nubVS9CdWZmQQ8LZ9qOPExvd3d2OXK2I1GYbdh3CkfY'

Back to the Top

Description: Mikko Hypponen, Katrin Tocheva, Sami Rautiainen; January 27th, 2004
Technical Details: Ero Carrera and Gergely Erdelyi; January 28th, 2004
F-Secure Corporation

Virus information
W32/MyDoom-A

Summary

Summary Description Recovery

Profile

Name W32/MyDoom-A

Type

Worm

Aliases

Mimail.R
Novarg.A
Shimg
W32.Novarg.A@mm
W32/Mydoom@MM

Protection

Protection available since 27 January 2004 00:31:29 (GMT)

Included in our products from March 2004 (3.79)

Staying up to date

EM Library, part of the Enterprise Manager suite of management tools, allows fully automated web-based installation and updating of Sophos Anti-Virus on a wide range of platforms. If you're using one of our enterprise solutions and aren't already using EM Library, check it out now. Users of our small business solutions are automatically updated by Sophos AutoUpdate.

Description

Summary Description Recovery

This section helps you to understand how it behaves

W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from address
books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP,
ASP, DBX, TBB, ADB and PL.

W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.

W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics.

Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

W32/MyDoom-A is programmed to not forward itself via email if the recipient email address satisfies various conditions:

The worm will not send itself to email addresses belonging to domains containing the following strings: acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e, unix, usenet, utgers.ed
As a consequence the worm does not forward itself to a number of email domains, including several anti-virus companies and Microsoft.

The worm will not send itself to email addresses in which the username contains the following strings: abuse, anyone, bugs, ca, contact, feste, gold-certs, help, info, me, no, noone, nobody, not, nothing, page, postmaster, privacy, rating, root, samples, secur, service, site, spm, soft, somebody, someone, submit, the.bat, webmaster, you, your, www

The worm will not send itself to email addresses which contain the the following strings: admin, accoun, bsd, certific, google, icrosoft, linux, listserv, ntivi, spam, support, unix

The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application with one of the following filenames and a PIF, EXE, SCR or BAT extension:
activation_crack icq2004-final nuke2004 office_crack rootkitXP strip-girl-2.0bdcom_patches winamp5
W32/MyDoom-A creates a file called taskmon.exe in the system or temp folder and adds the following registry entry to run this file every time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll to the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127. The DLL adds the following registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= "<location of dll>"

The worm will also add the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Between the 1st and 12th February 2004, the worm will attempt a denial-of-service attempt to www.sco.com, sending numerous GET requests to the web server.

After the 12th February W32/MyDoom-A will no longer spread, due to an expiry date set in the code. It will, however, still run the backdoor component.

Further reading: MyDoom worm spreads widely across internet, Sophos warns users to be wary of viral email and hacker attack

Recovery

Summary Description Recovery

This section tells you how to disinfect.

Please read the instructions for removing W32/MyDoom-A.

© 1997-2005 Sophos Plc. All rights reserved. Legal | Privacy

W32.Mydoom.A@mm

Discovered on: January 26, 2004

Last Updated on: July 27, 2004 11:53:34 AM

Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 rating as of March 30, 2004.
W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.

Notes:

Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
Virus definitions dated prior to February 4, 2004 will detect this threat as W32.Novarg.A@mm.

Also Known As: W32.Novarg.A@mm, W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Associates], W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]

Type: Worm

Infection Length: 22,528 bytes, variable file size for a .zip attachment

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Virus Definitions (Intelligent Updater) *

January 26, 2004

Virus Definitions (LiveUpdate™) **

January 26, 2004

*

Intelligent Updater definitions are released daily, but require manual download and installation.
Click here to download manually.

**

LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.

Wild

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Moderate

Threat Metrics

Wild:
Low

Damage:
Medium

Distribution:
High

Damage

Payload Trigger: n/a
Payload: n/a

Large scale e-mailing: Sends to email addresses found in a specified set of files.
Deletes files: n/a
Modifies files: n/a
Degrades performance: Performs DoS against www.sco.com.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Allows unauthorized remote access.

Distribution

Subject of email: Varies
Name of attachment: Varies with an extension of .pif, .scr, .exe, .cmd, .bat, or .zip.
Size of attachment: 22,528 bytes (varies if it is in .zip format)
Time stamp of attachment: n/a
Ports: TCP 3127-3198
Shared drives: n/a
Target of infection: n/a

When W32.Mydoom.A@mm is executed, it does the following:

Creates the following files:

%System%\Shimgapi.dll: Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.
%Temp%\Message: This file contains random letters and is displayed using Notepad.
%System%\Taskmon.exe.

Notes:
Taskmon.exe is a legitimate file in the Windows 95/98/Me operating systems, but is in the %Windir% folder, not the %System% folder. (By default, this is C:\Windows or C:\Winnt.) Do not delete the legitimate file in the %Windir% folder.
%System% is a variable: The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable: The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), or C:\WINNT\Temp (Windows NT/2000), or C:\Document and Settings\<UserName>\Local Settings\Temp (Windows XP).

Adds the value:

"(Default)" = "%System%\shimgapi.dll"

to the registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

so that Explorer.exe loads Shimgapi.dll.

Adds the value:

"TaskMon" = "%System%\taskmon.exe"

to the registry keys:

HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that TaskMon is run when you start Windows.

Checks the system date, and if the date is between February 1, 2004 and February 12, 2004, there is a 25% chance the worm will perform a DoS attack against www.sco.com. The DoS is performed by creating 63 new threads that send GET requests and use a direct connection to port 80. The worm will not mass mail itself if the DoS attack is triggered.

Notes:

The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack.
Due to the way the worm verifies the system date, the DoS will only be executed on 25% of infected computers.
The DoS will only occur when the system date is checked during the initial infection, or if the computer is restarted.
The worm will use local DNS settings to resolve the domain name used in the DoS attack (www.sco.com).

Creates the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32\Version HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32\Version

Searches for the email addresses in the files with the following extensions:

.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt

Attempts to send email messages using its own SMTP engine. The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead. The email will have the following characteristics:

From: The "From" address may be spoofed.

Subject: The subject will be one of the following:
test hi hello Mail Delivery System Mail Transaction Failed Server Report Status ErrorMessage: The message will be one of the following:
Mail transaction failed. Partial message is available. The message contains Unicode characters and has been sent as a binary attachment. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. testAttachment: The attachment file name, not including the extension, will be one of the following:
document
readme
doc
text
file
data
test
message
body

The attached file may have either one or two file extensions. If it does have two, the first extension will be one of the following:
.htm
.txt
.doc

The second extension, or the only extension if there is only one, will be one of the following:
.pif
.scr
.exe
.cmd
.bat
.zip (This is an actual .zip file that contains a copy of the worm, sharing the same file name as the .zip. For example, readme.zip can contain readme.exe.)

If the worm has an extension of .exe or .scr, the file will be displayed with the following icon:

For all the other file extensions, it will use the icon for that file type.

Copies itself to the Kazaa download folder as one of the following files:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a file extension of:

.pif
.scr
.bat
.exe

Symantec Client Security

Antivirus component: An update for the Symantec Client Security AntiVirus engine to protect against the W32.Mydoom.A@mm/W32.Novarg.A@mm worm has been available for several days via LiveUpdate (see above).
Symantec Client Firewall: Symantec Client Firewall ships with the default ruleset as "High: Block everything until you allow it." It will notify the user of the exploit backdoor connection and prompt the user to Permit, Block, or Customize a rule for that connection attempt opened by the virus MyDoom/Novarg.

Symantec Gateway Security 1.0
An update for the Symantec Gateway Security IDS/IPS engine to protect against the W32.Mydoom.A@mm worm has been posted as of 9:24 PM PST 1/30/04. Symantec Gateway Security administrators are advised to run LiveUpdate to ensure protection against this threat.

Symantec Gateway Security 2.0
An update for the Symantec Gateway Security IDS/IPS engine to protect against the W32.Mydoom.A@mm worm has been posted as of 3:02 PM PST 1/29/04. Symantec Gateway Security administrators are advised to run LiveUpdate to ensure protection against this threat.

Intruder Alert
Symantec has released the Intruder Alert 3.6 W32_Novarg_Worm Policy.

Symantec HIDS 4.1.1
Symantec released a LiveUpdate package on January 27, 2004 for users of Symantec HIDS 4.1.1. See the Symantec Host IDS 4.1.1 Security Update 1 for additional information.

Symantec ManHunt
Security Update 17 has been released to provide signatures specific to the backdoor activity associated with the W32.Mydoom.A@mm Worm.

DoS detection via ManHunt Flow Alert Rules: The Symantec Network IDS team recommends that administrators use the Flow Alert Rule feature to log events for suspicious traffic to the SCO Web site on 2/1/2004 and the Microsoft Web site on 2/3/2004. For detailed instructions, read the Symantec Knowledge Base at: http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/docid/2004012813061253

In addition, Symantec ManHunt 2.2/3.0/3.01 customers can apply the following signature to detect the attempted DoS against www.sco.com. This DoS will start occurring on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading. This signature will help in determining from which machines the request is being made.

*******************start file********************

alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)

*************EOF*********************

For more information on creating custom signatures, refer to the "Symantec ManHunt Administrative Guide: Appendix A Custom Signatures for HYBRID Mode."

Symantec Security Response offers these suggestions on how to configure Symantec products in order to minimize your exposure to this threat.

Symantec Gateway Security

Turn on AV scanning for smtpd.
Make sure that no TCP port(s) within 3127-3198 are opened (by default, they are not). This will prevent propagation.
Configure a deny filter or deny rule for www.sco.com and/or 216.250.128.12
Configure the Content Filtering mechanism to block www.sco.com and/or 216.250.128.12.

Symantec Enterprise Firewall

Offload AV scanning for all smtp traffic.
Make sure that no TCP port(s) within 3127-3198 are opened (by default, they are not). This will prevent propagation.
Configure a deny filter or deny rule for www.sco.com and/or 216.250.128.12
Configure the Content Filtering mechanism to block www.sco.com and/or 216.250.128.12

Norton Internet Security

Run LiveUpdate to download the latest virus definitions.
Check to make sure AutoProtect is enabled and if it is not, enable it. AutoProtect is enabled by default.
Use Norton AntiVirus to scan for viruses.
Create a Trojan Rule to block inbound TCP from port 3127 to 3198. This will prevent propagation.
Configure a General Rule to deny outbound TCP communication with www.sco.com and/or 216.250.128.12. Note that with this rule configured, users will not be able to access www.sco.com. Users will need to disable the rules in order to communicate with www.sco.com.

Norton Personal Firewall

Create a Trojan Rule to block inbound TCP from port 3127 to 3198. This will prevent propagation.
Configure a General Rule to deny outbound TCP communication with www.sco.com and/or 216.250.128.12. Note that with this rule configured, users will not be able to access www.sco.com. Users will need to disable the rules in order to communicate with www.sco.com.

Symantec Client Security

Run LiveUpdate to download the latest virus definitions.
Check to make sure AutoProtect is enabled and if it is not, enable it. AutoProtect is enabled by default.
Use Symantec AntiVirus to scan for viruses.
Create a Trojan Rule to block inbound TCP from port 3127 to 3198. This will prevent propagation.
Configure a General Rule to deny outbound TCP communication with www.sco.com and/or 216.250.128.12. Note that with this rule configured, users will not be able to access www.sco.com. Users will need to disable the rules in order to communicate with www.sco.com.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal using the Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Mydoom.A@mm. This is the preferred method in most cases.

Manual Removal
Perform a manual removal if you cannot obtain the tool.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as W32.Mydoom.A@mm.
Delete the values that were added to the registry.
Reregister the webcheck.dll file. (This will remove the registry modifications responsible for loading Shimgapi.dll.)
For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."

Run a full system scan.
If any files are detected as infected with W32.Mydoom.A@mm, click Delete.

5. Deleting the values from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)

Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to each of these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:

"Taskmon"="%System%\taskmon.exe"

Note: %System% is a variable that refers to the location of the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Exit the Registry Editor.

6. Reregistering the Webcheck.dll file
(This will remove the registry modifications responsible for loading Shimgapi.dll.)

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:regsvr32 webcheck.dll
Click OK. When you see the message, "DllRegisterServer in webcheck.dll
succeeded," click OK.

Additional information:

When W32.Mydoom.A@mm sends email, it avoids distributing to the domains that contain any of the following strings:

avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

accounts that match any of the following strings:

root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page

or accounts that contain any of the following strings:

admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun

The worm also prepends any of the following names to the domain name obtained:

adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Revision History:

March 30, 2004: Downgraded from Category 3 to Category 2 based on decreased rate of submissions.
February 26, 2004: Downgraded from Category 4 to Category 3 based on decreased rate of submissions.
February 5, 2004: Add Symantec Client Security updates.
February 3, 2004:

Renamed to W32.Mydoom.A@mm from W32.Novarg.A@mm.
Added Norton Internet Security and Norton Personal Firewall updates

January 27, 2004:

Updated document with link to removal tool for W32.Novarg.A@mm.
Updated alias information.
Added reference to Symantec HIDS update.

January 30, 2004: Changed manual removal to use the regsvr32 command to reregister the webcheck.dll file rather than do this in the registry.
January 31, 2004:

Added information regarding additionally spawned threads to perform a DoS attack.
Added information regarding the time at which an attack starts.
Added information regarding the 25% chance that a worm will perform a DoS attack.
Added Symantec ManHunt and SGS updates.

Dr. Doom

Victor von Doom was born in the Balkan nation of Latveria to Werner von Doom, a gypsy healer, and Cynthia von Doom, a witch. While Victor was still an infant, his mother was killed by a Latverian guardsman when her spell to rid Latveria of tyranny went horribly awry. Later, when Victor was still a child, his father was hunted by the authorities for his failure to cure the ruling baron's wife of terminal cancer. Werner von Doom and his son fled, but the father died of exposure to cold. Anguished by his father's death, the young von Doom vowed to make the entire world pay for the loss of his parents.

While in the care of Boris, a friend of his father's, the young von Doom discovered his mother's legacy to him: a chest containing herbs, medicines, and objects said to have magical powers. He saw these artifacts as his means to gaining power and began learning their uses. Von Doom also began developing his own innate scientific abilities. For years he traveled the countryside, peddling clever devices and potions he had created to the gullible, knowing that they would turn worthless soon after he left. Meanwhile, he continued to increase his knowledge, creating robotic duplicates and fantastic weaponry to elude capture and protect his gypsy people. As his obsession with gaining power and vengeance grew, von Doom became increasingly distant from his childhood sweetheart, a young beautiful gypsy woman named Valeria, much to her distress.

The dean of science at State University in America heard of von Doom's astounding reputation and offered him a scholarship. Travelling to America to take advantage of the university's lab facilities, von Doom met Reed Richards, a brilliant science student, and the two became intellectual rivals. Sometime later, von Doom was in the midst of testing a device for interdimensional communication in order to breach the spirit world to contact the spirit of his dead mother. Von Doom refused to heed the warnings of Richards, who had seen a mistake in von Doom's calculations, and the machine malfunctioned and exploded, injuring von Doom. While convalescing, von Doom was expelled from the university and formed the irrational belief that Richards was responsible for the machine's failure.

Believing that his injuries were disfiguring (a fact that remains an unsubstantiated mystery) Doom left America for the remoteness of Tibet where he hoped to find both refuge from the sight of man and the hidden secrets of sorcery. Discovered by the Aged Genghis, he was taken in by a group of monks and lived with them for a number of years, learning their secrets and eventually becoming their master. The monks helped him create a suit of armor and metal mask which he now wore in his new guise as Doctor Doom, in which he intended to conquer the world. In his haste, von Doom donned his newly cast mask before it had completely cooled, thereby permanently damaging his entire face.

Leaving the monks, the self-styled Doctor Doom returned to Latveria and worked his way into favor of the ruling King Vladimir as his scientific advisor. He manipulated events with a robotic duplicate of Prince Rudolpho so that the king was assassinated and "Rudolpho" abdicated the throne to the "stronger and more able" von Doom. Doom established a nation of peace and prosperity ruled by a stern dictatorship under his name as "The Master." Sequestered in the royal castle of Doomstadt, he began to use his mastery of science to create the means to achieve further conquests.

Of course, Doom is a perennial foe of the Fantastic Four. His dealings with Iron Man involved two memorable two-parters by David Michelinie and Bob Layton. In the first (IM #149-150), von Doom needs Stark components to boost his time platform. When Iron Man travels to Latveria to reacquire a few of the electronics that were mistakenly shipped, the two do battle, natch! But, Doom's servant, the scientist Hauptmann, activates Doom's time platform while the duo are on top of it -- zapping them back to the 12th century! There, IM teams up with King Arthur and his court, while Doom sides with the evil Morgana Le Fey. The opposing sides do epic battle, the former ultimately winning out. Doom then proposes that he and IM work together to cannibalize their armors' systems in order to construct a crude time device which will return them to the present! They of course succeed!

In their second encounter (IM #249-250), two mysterious powerful objects appear -- one in Latveria and the other at Stark Enterprises in California. Doc Doom wants both of them, so he personally travels to SE to bargain with Stark. When Stark gives the obvious "no," Doc gives fair warning. Doom's robots attack SE soon after and Doc obtains the Stark half of the artifact. He soon connects the two halves, and a mysterious black light begins to ooze out of it. Just then, IM arrives for the stolen half -- but the black light envelopes both he and Doom! They are transported to the future, the year 2093! A clone of King Arthur is reborn and along with his magician Merlin must save the future Earth from extinction! The two have summoned Doom and IM to assist. They find they must battle two counterparts of themselves -- Iron Man against a descendant known as Andros Stark in the Iron Man 2020 armor, and Doom vs. himself, kept alive via various mechanical devices! Once the danger is dealt with, the two are promptly returned to the present.

First IM Appearance: Iron Man #102 (in Dreadknight flashbacks).

(Some info and pic courtesy of the online Unofficial Marvel Handbook
to the Marvel Universe.)

BACK to Villains main page

HOME

Enter supporting content here

HOME

F-Secure Virus Descriptions : Mydoom

Back to the Top

Back to the Top

Back to the Top

Virus informationW32/MyDoom-A

Summary

Staying up to date

Description

Recovery

W32.Mydoom.A@mm

Virus information
W32/MyDoom-A