US-CERT
National Cyber Alert System
Technical Cyber Security Alert TA04-028A

W32/MyDoom.B Virus

Original issue date: January 28, 2004
Last revised: February 2, 2004

Systems Affected

  • Systems running Microsoft Windows

Overview

US-CERT has received reports of a mass-mailing virus known as W32/MyDoom.B.


I. Description

A variant of the W32/MyDoom (W32/Novarg.A) virus has been identified that infects Microsoft Windows systems. This variant is called W32/MyDoom.B. Like its predecessor, W32/MyDoom.B propagates via email and P2P networks and requires that a user intentionally run an executable file in order to infect a system.

W32/MyDoom.B may be designed to cease functioning on March 1, 2004.

Identifying Characteristics

When W32/MyDoom.B is executed, it may show garbled text (random bytes) in notepad.exe or it may display a bogus memory error dialog.

Email messages

The following text may appear in an email message carrying the virus.

From: field

    In at least some cases, W32/MyDoom.B spoofs the From: address using {random_string}@{aol, msn, yahoo, hotmail}.com.

Subject: field

    The subject of the message may contain {Delivery Error, hello, Error, Mail Delivery System, Mail Transaction Failed, Returned mail, Server Report, Status, Unable to deliver the message}.

    Not all email messages with these subjects contain the virus; some may be legitimate messages.

Body
    The message body may include one of the following:

    [random characters]

    test

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

    sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.

    The message contains Unicode characters and has been sent as a binary attachment.

    The message contains MIME-encoded graphics and has been sent as a binary attachment.

    Mail transaction failed. Partial message is available.

Attachment

    The attachment may be named {body, doc, text, document, data, file, readme, message}.{exe, bat, scr, cmd, pif}.

P2P file sharing networks

On P2P networks, W32/MyDoom.B may appear as a file named {attackXP-1.26, BlackIce_Firewall_Enterpriseactivation_crack, MS04-01_hotfix, NessusScan_pro, icq2004-final, winamp5, xsharez_scanner, zapSetup_40_148}.{exe, scr, pif, bat}.


II. Impact

File System and Registry Modifications

As part of its infection routine, W32/MyDoom.B attempts to create files and add entries to the Windows registry. Depending on the privileges of the user executing the virus, some of these changes may not be permitted.

  • The virus creates two files (explorer.exe and ctfmon.dll) in the Windows system directory (%windir%\system32 on Windows NT/2000/XP, %windir%\system on Windows 95/98/ME). explorer.exe is the main virus executable, and ctfmon.dll provides backdoor functionality. explorer.exe uses a custom icon that resembles a text file.

    Note that the legitimate Windows Explorer shell binary, also named explorer.exe, exists in the Windows directory (%windir%) and that ctfmon.exe is a legitimate Microsoft Office XP binary that is installed in the Windows system directory.

    The virus overwrites the hosts file (%windir%\system32\drivers\etc\hosts on Windows NT/2000/XP, %windir%\hosts on Windows 95/98/ME) to prevent DNS resolution for a number of sites, including several antivirus vendors.

      127.0.0.1       localhost localhost.localdomain local lo
      0.0.0.0         0.0.0.0
      0.0.0.0         engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
      0.0.0.0         spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
      0.0.0.0         media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
      0.0.0.0         ads.fastclick.net banner.fastclick.net banners.fastclick.net
      0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
      0.0.0.0         ftp.f-secure.com securityresponse.symantec.com
      0.0.0.0         www.symantec.com symantec.com service1.symantec.com
      0.0.0.0         liveupdate.symantec.com update.symantec.com updates.symantec.com
      0.0.0.0         support.microsoft.com downloads.microsoft.com
      0.0.0.0         download.microsoft.com windowsupdate.microsoft.com
      0.0.0.0         office.microsoft.com msdn.microsoft.com go.microsoft.com
      0.0.0.0         nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
      0.0.0.0         networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
      0.0.0.0         www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
      0.0.0.0         avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
      0.0.0.0         download.mcafee.com mast.mcafee.com www.trendmicro.com
      0.0.0.0         www3.ca.com ca.com www.ca.com www.my-etrust.com
      0.0.0.0         my-etrust.com ar.atwola.com phx.corporate-ir.net
      0.0.0.0         www.microsoft.com

    On February 3, 2004, W32/MyDoom.B removes the entry for www.microsoft.com.

    Information about these files for at least one sample of W32/MyDoom.B is as follows:

    File name                           Size          MD5 sum
    explorer.exe                        29,184 bytes  cc6e6aa338385fbb0a005ba3d3e060f3
    ctfmon.dll                           6,144 bytes  1a6b3aef25226861245adc1a93ce161c
    hosts (before Feb 3, 2004)           1,464 bytes  b954a35fc0cf35a38edf1ac4cef84756
    hosts (on and after Feb 3, 2004)     1,435 bytes  349401796319849b7748dabe0120104f

  • The virus copies itself to a shared P2P directory (typically \Program Files\KaZaA\My Shared Folder). This copy of the virus may be named {attackXP-1.26, BlackIce_Firewall_Enterpriseactivation_crack, MS04-01_hotfix, NessusScan_pro, icq2004-final, winamp5, xsharez_scanner, zapSetup_40_148}.{exe, scr, pif, bat}.
  • The virus modifies the registry to execute the virus when a user logs on and to reference the backdoor component.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Explorer"="C:\WINDOWS\system32\explorer.exe"

    [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    @="%SystemRoot%\System32\ctfmon.dll"
    (REG_EXPAND_SZ)
    This value is normally set to %SystemRoot%\System32\webcheck.dll (REG_EXPAND_SZ)
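The file system and registry changes above are the host-based indicators an administrator would check first. The following Python script is an added example and is not part of the US-CERT alert or any vendor tool: it flags hosts-file entries that sinkhole antivirus and Microsoft update domains, parses a simplified text registry export to detect the Run entry and the hijacked WebCheck CLSID, and matches a file's MD5 against the sample hashes listed above. The domain watch list is a subset of the hosts file printed above, the sample hosts and registry text are constructed for the test, and the registry parser assumes values written as plain quoted strings (as this alert prints them) rather than the hex(2) encoding a real .reg export uses for REG_EXPAND_SZ.

```python
import hashlib
import re

# Domains from the hosts file that W32/MyDoom.B writes (antivirus and
# Microsoft update sites). Any of these mapped to 0.0.0.0 or 127.0.0.1
# cuts the host off from signature and patch updates.
WATCHED_DOMAINS = {
    "www.sophos.com", "sophos.com", "www.f-secure.com", "ftp.f-secure.com",
    "securityresponse.symantec.com", "liveupdate.symantec.com",
    "windowsupdate.microsoft.com", "download.microsoft.com",
    "support.microsoft.com", "www.mcafee.com", "download.mcafee.com",
    "www.trendmicro.com", "www.kaspersky.ru", "www.microsoft.com",
}
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}

# MD5 sums of the one sample listed in this alert (Section II).
KNOWN_SAMPLE_MD5 = {
    "cc6e6aa338385fbb0a005ba3d3e060f3": "explorer.exe (virus body)",
    "1a6b3aef25226861245adc1a93ce161c": "ctfmon.dll (backdoor)",
    "b954a35fc0cf35a38edf1ac4cef84756": "hosts (before Feb 3, 2004)",
    "349401796319849b7748dabe0120104f": "hosts (on and after Feb 3, 2004)",
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WEBCHECK_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                r"\InProcServer32")


def tampered_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that sinkhole a watched domain."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in BLACKHOLE_IPS:
            continue
        hits.extend((fields[0], n.lower()) for n in fields[1:]
                    if n.lower() in WATCHED_DOMAINS)
    return hits


def identify_sample(data):
    """Name the MyDoom.B artifact whose MD5 matches, or None."""
    return KNOWN_SAMPLE_MD5.get(hashlib.md5(data).hexdigest())


def parse_reg_export(text):
    """Minimal parser for a text registry export: {key: {name: value}}.
    Assumption: values are plain quoted strings, as printed in this alert
    (a real .reg file stores REG_EXPAND_SZ values as hex(2))."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            keys[current][name.strip('"')] = value.strip('"')
    return keys


def registry_indicators(reg):
    """Flag the two registry changes described for W32/MyDoom.B."""
    findings = []
    run_value = reg.get(RUN_KEY, {}).get("Explorer", "")
    # The real shell lives in %windir%\explorer.exe; a Run entry pointing
    # into the system directory is the virus, not Windows Explorer.
    if re.search(r"\\system(32)?\\explorer\.exe$", run_value, re.I):
        findings.append("Run\\Explorer launches " + run_value)
    inproc = reg.get(WEBCHECK_KEY, {}).get("@", "")
    if inproc and not inproc.lower().endswith("\\webcheck.dll"):
        findings.append("WebCheck CLSID InProcServer32 points to " + inproc)
    return findings


# Constructed test data modelled on the artifacts in Section II.
SAMPLE_HOSTS = """\
127.0.0.1       localhost localhost.localdomain local lo
0.0.0.0         0.0.0.0
0.0.0.0         www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0         liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0         download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 www.microsoft.com
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\WINDOWS\system32\explorer.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="%SystemRoot%\System32\ctfmon.dll"
"""

if __name__ == "__main__":
    for ip, name in tampered_hosts_entries(SAMPLE_HOSTS):
        print("hosts sinkholes", name, "->", ip)
    for finding in registry_indicators(parse_reg_export(SAMPLE_REG)):
        print("registry:", finding)
    print("unknown file:", identify_sample(b"not the virus"))
```

The hosts check keys on the destination address rather than on the exact file hash, because the hash only matches the one sample listed here and the virus rewrites the file on February 3; a domain you depend on for updates resolving to 0.0.0.0 is the durable signal. On a live Windows system, point the two parsers at %windir%\system32\drivers\etc\hosts and at an export produced with reg.exe; remember that the parser's plain-string assumption does not hold for hex(2) values.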

Network Activity

In addition to file system and registry changes, W32/MyDoom.B generates network traffic and installs a backdoor.

  • In its mass-mailing capacity, W32/MyDoom.B harvests email addresses from an infected system and attempts to deliver itself using a self-contained SMTP engine. A notable secondary effect is that antivirus scanners on email servers frequently generate automatic responses to infected messages, and in some cases these responses also contain the virus. These messages may in turn generate non-delivery reports and bounce messages since the virus frequently spoofs the From: address.

    The virus ignores email addresses containing strings in {abuse, accoun, certific, listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste, submit, help, service, privacy, somebody, soft, contact, site, rating, bugs, your, someone, anyone, nothing, nobody, noone, webmaster, postmaster, support, samples, info, root, ruslis, nodomai, mydomai, example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda, icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur, isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet, fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix, berkeley, spam}.

  • The backdoor component (ctfmon.dll) opens the first available TCP port in {1080, 3128, 80, 8080, 10080}. Through this port the backdoor may accept commands, execute additional code, or act as a TCP proxy (for example, to relay spam).
  • The virus scans for systems listening on 3127/TCP (possibly 3127-3198). While the purpose of this scanning is unclear, it may be an attempt to contact systems infected with the initial version of MyDoom (W32/Novarg.A).
  • The virus appears to be designed to launch distributed denial-of-service (DDoS) attacks against www.sco.com on February 1, 2004 and against www.microsoft.com on February 3, 2004. W32/MyDoom.B removes the www.microsoft.com entry from the hosts file on February 3, 2004.

Network traffic generated by W32/MyDoom.B (scanning, email, DDoS) may cause collateral denial-of-service conditions in networks where a significant number of systems are infected, large volumes of virus-related email are handled, or DDoS traffic is aggregated.

III. Solutions

For System and Network Administrators

Filter network traffic

W32/MyDoom.B opens a listening TCP port on one of {1080, 3128, 80, 8080, 10080}. Limited testing indicates that the virus scans for port 3127/TCP. Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level.

If access cannot be blocked for all external hosts, limit access to only those hosts that require it for normal operation. As a general best security practice, filter all network traffic that is not required for normal operation.

Infected systems may be detected by outbound TCP flows to port 3127 (possibly 3127-3198) or open TCP ports on {1080, 3128, 80, 8080, 10080}. Other symptoms of infection could be increased CPU load or increased outbound SMTP traffic.
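The network symptoms listed in Section II and above (scanning of 3127-3198/TCP, mass mailing from a self-contained SMTP engine, and a listener on one of the backdoor ports) can be turned into a simple triage script. The Python below is an added example, not part of this alert: it scores per-source flow records for 3127-3198 scanning and for direct SMTP fan-out that bypasses the site relay, and it pulls listening backdoor ports out of Windows `netstat -an` output. The CSV flow format, the thresholds, the relay address 10.0.0.25 and the sample records are all constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

BACKDOOR_PORTS = {1080, 3128, 80, 8080, 10080}   # ctfmon.dll takes the first free one
SCAN_PORTS = range(3127, 3199)                   # 3127-3198/tcp, inclusive
SCAN_THRESHOLD = 5          # distinct targets on SCAN_PORTS before alerting
SMTP_FANOUT_THRESHOLD = 5   # distinct direct SMTP destinations before alerting
MAIL_RELAYS = {"10.0.0.25"}  # assumption: the site's only sanctioned outbound relay


def analyze_flows(flow_csv):
    """Map source IP -> list of alerts, from a CSV of outbound TCP flows with
    columns src,sport,dst,dport,proto (a constructed format for this example)."""
    scan_targets = defaultdict(set)
    smtp_targets = defaultdict(set)
    for row in csv.DictReader(StringIO(flow_csv)):
        if row["proto"].lower() != "tcp":
            continue
        dport = int(row["dport"])
        if dport in SCAN_PORTS:
            scan_targets[row["src"]].add(row["dst"])
        elif dport == 25 and row["dst"] not in MAIL_RELAYS:
            # Workstations normally speak SMTP only to the relay; many
            # distinct direct destinations is the mass-mailer signature.
            smtp_targets[row["src"]].add(row["dst"])
    alerts = defaultdict(list)
    for src, dsts in scan_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts[src].append("scanned %d hosts on 3127-3198/tcp" % len(dsts))
    for src, dsts in smtp_targets.items():
        if len(dsts) >= SMTP_FANOUT_THRESHOLD:
            alerts[src].append("direct SMTP to %d hosts, bypassing the relay" % len(dsts))
    return dict(alerts)


def listening_backdoor_ports(netstat_text):
    """Parse Windows `netstat -an` output and return the listening TCP
    ports that fall in BACKDOOR_PORTS (sorted, deduplicated)."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                found.add(port)
    return sorted(found)


# Constructed sample data: one scanning mass-mailer (192.168.1.20), one
# normal client using the relay (192.168.1.30), one single probe (192.168.1.40).
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto
192.168.1.20,1034,198.51.100.10,3127,tcp
192.168.1.20,1035,198.51.100.11,3127,tcp
192.168.1.20,1036,198.51.100.12,3198,tcp
192.168.1.20,1037,198.51.100.13,3127,tcp
192.168.1.20,1038,198.51.100.14,3150,tcp
192.168.1.20,1039,203.0.113.5,25,tcp
192.168.1.20,1040,203.0.113.6,25,tcp
192.168.1.20,1041,203.0.113.7,25,tcp
192.168.1.20,1042,203.0.113.8,25,tcp
192.168.1.20,1043,203.0.113.9,25,tcp
192.168.1.30,2001,10.0.0.25,25,tcp
192.168.1.30,2002,10.0.0.25,25,tcp
192.168.1.40,3001,198.51.100.10,3127,tcp
192.168.1.40,3002,198.51.100.10,80,tcp
"""
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1039      203.0.113.5:25         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for src, reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(src, "->", "; ".join(reasons))
    print("backdoor ports listening:", listening_backdoor_ports(SAMPLE_NETSTAT))
```

A listener on 80, 8080 or 3128 is expected on web servers and proxies, so the netstat check is only meaningful on workstations; the flow heuristics are the better network-wide signal, and the thresholds should be tuned to the site's baseline before acting on them.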

Filter email on servers

Scan email for viruses or use the functionality of various mail transfer agents (MTAs) to block email with the characteristics of W32/MyDoom.B. Consider the impacts of false positives, increased complexity, and increased server loads before making changes to production systems.

Also, consider disabling automatic response messages to the apparent senders of infected messages. At minimum, make sure that responses DO NOT return the virus attachment.
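The email characteristics in Section I (spoofed From: domains, the subject list, the body phrases, and the attachment names) give an MTA filter enough to quarantine W32/MyDoom.B without relying on signatures, as long as a subject match alone is not treated as proof. The Python below is an added example and is not code from this alert or from any MTA or antivirus vendor: it scores a parsed message against those traits, quarantines only when the attachment name matches and at least one further trait agrees, and builds an operator notice that quotes headers only, so the response can never carry the attachment onward. The sample messages, addresses and attachment bytes are constructed; the attachment payload is a placeholder, not the virus.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the W32/MyDoom.B description in Section I.
SUBJECTS = {s.lower() for s in (
    "Delivery Error", "hello", "Error", "Mail Delivery System",
    "Mail Transaction Failed", "Returned mail", "Server Report", "Status",
    "Unable to deliver the message")}
BODY_PHRASES = [p.lower() for p in (
    "has been sent as a binary attachment",
    "Error #804 occured during SMTP session",
    "Mail transaction failed. Partial message is available")]
ATTACHMENT_RE = re.compile(
    r"^(body|doc|text|document|data|file|readme|message)\.(exe|bat|scr|cmd|pif)$", re.I)
SPOOFED_FROM_RE = re.compile(r"^[^@\s]+@(aol|msn|yahoo|hotmail)\.com$", re.I)


def mydoom_indicators(msg):
    """Return the names of the W32/MyDoom.B traits a parsed message shows."""
    hits = []
    if SPOOFED_FROM_RE.match(parseaddr(str(msg.get("From", "")))[1]):
        hits.append("from")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        if ATTACHMENT_RE.match(part.get_filename() or ""):
            hits.append("attachment")
            break
    return hits


def should_quarantine(msg):
    """Quarantine when the attachment name matches and one more trait agrees.
    Subject alone is not enough: legitimate bounces reuse these subjects."""
    hits = mydoom_indicators(msg)
    return "attachment" in hits and len(hits) >= 2


def notice_without_payload(original, to_addr):
    """Operator notice that quotes only headers and attachment names, never
    the original parts, so an automatic response cannot spread the virus."""
    names = ", ".join(p.get_filename() or "?" for p in original.iter_attachments())
    notice = EmailMessage()
    notice["To"] = to_addr
    notice["Subject"] = "Quarantined: " + str(original.get("Subject", ""))
    notice.set_content("Quarantined message from %s with attachment(s): %s\n"
                       % (original.get("From", ""), names))
    return notice


def build_sample(from_addr, subject, body, attachment=None):
    """Constructed test message; the attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00 placeholder, not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    # Round-trip through bytes, as a filter on the MTA would see it.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


INFECTED = build_sample(
    "qzwjd@hotmail.com", "Mail Delivery System",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "document.pif")
REAL_BOUNCE = build_sample(
    "MAILER-DAEMON@mail.example.net", "Returned mail",
    "The original message was received at Mon, 2 Feb 2004.\n")
NORMAL = build_sample(
    "alice@example.org", "Q2 numbers", "Spreadsheet attached.", "report.exe")

if __name__ == "__main__":
    for label, m in (("infected", INFECTED), ("bounce", REAL_BOUNCE), ("normal", NORMAL)):
        print(label, mydoom_indicators(m), "quarantine" if should_quarantine(m) else "pass")
    print(notice_without_payload(INFECTED, "postmaster@example.com"))
```

The decision rule deliberately lets the bounce with a matching subject through and lets an unrelated .exe through to the regular antivirus scan; many sites will simply reject every executable attachment, which is stricter than this example and equally valid. The body check cannot match the "[random characters]" variant, so the attachment name does most of the work.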

For Users

Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments, and users of P2P file-sharing services should be wary of executable files obtained from other users.

Run and maintain an antivirus product

While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Users may wish to read IN-2003-01 for more information on antivirus software and security issues.

In order to detect recently released viruses such as W32/MyDoom.B, it is crucial to maintain updated virus signatures. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when available.

Most antivirus software vendors release updated virus signatures, removal tools, and information to help detect and recover from malicious code, including W32/MyDoom.B. A partial list of antivirus vendors is available on the CERT/CC web site.

Recovery

Identify and terminate the virus process (explorer.exe) using the Windows Task Manager, taskkill.exe (Windows XP), tlist.exe and kill.exe (Windows NT/2000 Resource Kit), or a third party utility. Remove the files and registry entries created by the virus. Restore or recreate the hosts file.

Alternatively, use a specific W32/MyDoom.B removal tool from an antivirus vendor.



Reporting

US-CERT is tracking activity related to this worm as CERT#25304. Relevant artifacts or activity reports can be sent to <cert@cert.org> with CERT#25304 in the subject field.

Credits

This document was developed based on material contributed by iDEFENSE.

Sources

iDEFENSE Intelligence Operations - http://www.idefense.com/
F-Secure Corporation - http://www.f-secure.com/v-descs/mydoom_b.shtml
Bit Defender - http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186
Sensible Security Solutions Inc. - http://www.sss.ca/



Copyright 2004 Carnegie Mellon University.

Revision History

January 28, 2004: Initial release
January 28, 2004: Updated registry reference, fixed typos, added hosts file information
January 30, 2004: Updated document structure and language
February 2, 2004: Updated hosts file and www.microsoft.com information, changed heading formats

Last updated May 26, 2004