MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2004

MA-077.072004: MyCERT Special Alert - W32.MyDoom.M

Original Issue Date: 27th July 2004

Brief Description

MyCERT received information from various Anti-Virus sites this morning regarding the propagation of a new variant of the W32.MyDoom worm, W32.MyDoom.M, discovered on 26th July 2004 (US Pacific Time). This variant of the mass-mailing worm is reported to be spreading in the wild, with several infection reports received from Germany and the United States.

This worm runs on and affects Windows 95, 98, ME, NT, 2000, and XP.

As of 8:31 AM, July 26, 2004 (GMT -7:00), most Anti-virus vendors had raised a YELLOW ALERT for this worm. MyCERT has not yet received any reports of infections from local users, but we will continue to monitor the worm's activities closely.


Propagation

Like the previous variants, this worm spreads via email through SMTP (Simple Mail Transfer Protocol), gathering target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives.

Notably, it skips email addresses that contain certain strings, listed at the URL below:

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M&Vsect=T#strings

When it finds an email address, it extracts the domain name of that address and queries the following search engines for further email addresses in that domain:

  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com

Using social engineering techniques, this worm sends out an email with a spoofed sender address, posing as a delivery failure notification.

The infected email has the following characteristics:

  • From:
    The From address will be spoofed.

  • Subject: (Any of the following)
    say helo to my litl friend
    click me baby, one more time
    hello
    error
    status
    test
    report
    delivery failed
    Message could not be delivered
    Mail System Error - Returned Mail
    Delivery reports about your e-mail
    Returned mail: see transcript for details
    Returned mail: Data format error

  • Attachment: The worm may generate an attachment file name from the domain name of the email addresses that are gathered on the system. The attachment name may also be one of the following:

    readme
    instruction
    transcript
    mail
    letter
    file
    text
    attachment
    document
    message

  • Attachment extension (one of the following):

    cmd
    bat
    com
    exe
    pif
    scr
    zip

  • The attachment may have a second extension, which will be one of the following:

    doc
    txt
    htm
    html

Screenshots of examples of infected emails are as below:

This worm also carries a backdoor component, detected as Backdoor.Zincite.A, which listens on port 1034/tcp and leaves the infected machine open to remote access. It drops this component as SERVICES.EXE in the Windows folder; that file opens TCP port 1034 and waits for inbound connections.

This routine effectively hands over control of the affected machine to a remote attacker.


Detection

  1. Any Anti-virus product with updated signatures is able to detect the presence of this worm on an infected machine.

    A list of Anti-virus vendors is available at:
    http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html

  2. Network/System Administrators may be able to detect infected machines within their network by monitoring for connection activity on port TCP/1034.
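As an added example (not part of the original advisory), the following Python script illustrates detection item 2: it scans constructed flow-log lines for internal hosts that accept new inbound TCP connections on port 1034, the port the backdoor listens on. The log format and the 192.168.0.0/16 internal range are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not taken from any real network), one per line:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <flags>"
SAMPLE_FLOWS = """\
2004-07-27T09:01:12 203.0.113.5:40211 -> 192.168.1.20:1034 tcp SYN
2004-07-27T09:01:12 192.168.1.20:1034 -> 203.0.113.5:40211 tcp SYN-ACK
2004-07-27T09:02:45 192.168.1.31:1034 -> 198.51.100.7:80 tcp SYN
2004-07-27T09:03:01 198.51.100.9:51022 -> 192.168.1.20:1034 tcp SYN
2004-07-27T09:03:20 192.168.1.44:33010 -> 192.168.1.20:1034 tcp SYN
2004-07-27T09:04:00 203.0.113.8:44444 -> 192.168.1.55:1034 tcp SYN
"""

BACKDOOR_PORT = 1034  # Backdoor.Zincite.A listener port per the advisory
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<flags>\S+)$"
)

def is_internal(ip: str, prefix: str = "192.168.") -> bool:
    # Assumption: the monitored network is 192.168.0.0/16.
    return ip.startswith(prefix)

def find_suspected_backdoors(log_text: str):
    """Return {internal_host: set(peer_ips)} for internal hosts that receive
    new inbound TCP connections (SYN) on the backdoor port.

    Only the destination port is considered: a host that merely uses 1034 as
    an ephemeral *source* port (192.168.1.31 above) is not flagged, which
    avoids a common false positive when grepping logs for the bare number."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or m["proto"] != "tcp" or m["flags"] != "SYN":
            continue
        if int(m["dport"]) == BACKDOOR_PORT and is_internal(m["dst"]):
            suspects[m["dst"]].add(m["src"])
    return dict(suspects)

if __name__ == "__main__":
    for host, peers in sorted(find_suspected_backdoors(SAMPLE_FLOWS).items()):
        print(f"{host}: {len(peers)} inbound SYN(s) to tcp/{BACKDOOR_PORT} "
              f"from {sorted(peers)}")
```

Hosts that appear in the result should be treated as candidates for the recovery steps below, after confirming with an updated Anti-virus scan.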


Recovery

Machines that have been infected with this worm can be cleaned using an Automatic Removal Tool, the easiest way to clean up worms from infected machines. The cleaning steps are as below:

  1. Disconnect the infected machine from the network.

  2. Disable System Restore on Windows XP/ME.

  3. Download an Automatic Removal Tool to clean up the machine.

    Trend Micro
    http://www.trendmicro.com/download/dcs.asp

    Symantec
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

    NOTE: Download the automatic removal tool on a clean machine, copy it to removable media, and run the tool on the infected machine to clean it up.

  4. Enable System Restore.

  5. Re-scan the affected machine with an updated version of Anti-Virus to make sure the machine has been cleaned.

  6. Re-connect the machine to the network.


Preventive

  1. Apply Anti-virus filters at the organization's email gateway to block worm-infected attachments.

  2. System Administrators may consider blocking attachments with the following extensions: .ZIP, .COM, .EXE, .PIF, .SCR, .BAT, as well as attachments with double extensions.

  3. System Administrators may consider blocking incoming traffic to port TCP/1034 in order to prevent attackers from reaching infected machines within the network through the backdoor on that port.

  4. End users should always follow safe email practices. Guides on safe email practices are available at:

    http://www.mycert.org.my/en/resources/email/email_practices/main/detail/512/index.html
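As an added example (not part of the original advisory), the following Python function implements the gateway attachment policy from preventive item 2 and additionally flags filenames that match the W32.MyDoom.M naming scheme given in the Propagation section. The sample filenames are constructed.

```python
# Lists taken from the advisory's Propagation section.
WORM_NAMES = {"readme", "instruction", "transcript", "mail", "letter", "file",
              "text", "attachment", "document", "message"}
WORM_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr", "zip"}
WORM_SECOND_EXTS = {"doc", "txt", "htm", "html"}

# Gateway policy from preventive item 2: block these final extensions and any
# attachment carrying a double extension.
BLOCKED_EXTS = {"zip", "com", "exe", "pif", "scr", "bat"}

def split_name(filename: str):
    """Return (base, [ext1, ext2, ...]) with extensions lowercased.
    Trailing dots are dropped because Windows ignores them, so 'readme.exe.'
    is not a bypass; a leading dot (".exe") still yields the extension."""
    parts = filename.strip().rstrip(".").split(".")
    return parts[0].lower(), [p.lower() for p in parts[1:]]

def classify_attachment(filename: str) -> str:
    """Classify one attachment filename:
       'block-mydoom'  matches the W32.MyDoom.M naming scheme exactly
       'block-double'  more than one extension (e.g. report.txt.exe)
       'block-policy'  final extension is on the gateway block list
       'allow'         none of the above"""
    base, exts = split_name(filename)
    if not exts:
        return "allow"
    # Worm-specific check first: it also covers 'cmd', which the generic
    # block list in the advisory does not include.
    if base in WORM_NAMES and exts[-1] in WORM_EXTS and (
            len(exts) == 1 or (len(exts) == 2 and exts[0] in WORM_SECOND_EXTS)):
        return "block-mydoom"
    if len(exts) > 1:
        return "block-double"
    if exts[-1] in BLOCKED_EXTS:
        return "block-policy"
    return "allow"

def filter_attachments(filenames):
    """Return {filename: verdict} for a batch of attachment names."""
    return {name: classify_attachment(name) for name in filenames}

if __name__ == "__main__":
    # Constructed sample names, not taken from a real message.
    for name, verdict in filter_attachments([
            "readme.exe", "transcript.txt.scr", "mycert.org.my.zip",
            "quarterly_report.xls", "invoice.pdf.exe", "instruction.cmd",
            "notes.txt"]).items():
        print(f"{verdict:13} {name}")
```

Note that a name such as "foo.cmd" passes the generic policy list as the advisory gives it, even though .cmd is among the extensions the worm uses; gateways may wish to add it.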


References:

  1. Symantec
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

  2. Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M

  3. MyCERT
    http://www.mycert.org.my

  4. McAfee
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M

MyCERT can be reached for assistance at:

Email:
Tel: 03-89961901
Fax: 03-89960827
SMS: 019-2813801