Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
|
Minimum DAT
4390 (2004-09-08) Updated DAT4748 (2006-04-25) |
Minimum Engine
5.1.00 File Length32,768 bytes (UPXed) |
Description Added
2005-01-25 Description Modified2005-02-01 |
Malware Proliferation
Characteristics
A new variant of W32/Mydoom has been discovered. This variant is proactively detected as W32/Mydoom.gen@MM by McAfee products running the 4390 DATs or greater (release date: Sep 8th 2004).
This variant bears the following characteristics:
- mails itself to target email addresses harvested from the victim machine
- constructs outgoing messages using its own SMTP engine
- spoofs the From: address on outgoing messages
- attempts to propagate through popular P2P networks by copying itself with enticing filenames
- terminates various processes (AV and security related)
- modifies the local HOSTS file to disable the updating of security products
Symptoms
- Existence of the files and Registry keys detailed here.
- Copies of the worm with the enticing filenames used for P2P propagation.
- Local HOSTS file overwritten as detailed here.
- When run, a garbage text file is opened and displayed in Notepad
- the worm will remove Registry key data for other worms from the Registry
Method of Infection
Installation
The worm installs itself into the Windows system directory as LSASRV.EXE, for example:
- C:\WINNT\SYSTEM32\LSASRV.EXE
The following Registry key is added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Run "lsass" = %SysDir%\LSASRV.EXE
Additionally, the following value:
- "Shell" = "explorer.exe %SysDir%\LSASRV.EXE"
is added to the following key:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
\CurrentVersion\Winlogon
Mail Propagation
The mail propagation of this variant is very similar to previous Mydoom variants:
- email addresses are harvested from the victim machine
- From: address is spoofed using forenames and domains carried in the worm's body
- email addresses containing certain strings are excluded from the mailing
- the worm attaches itself to outgoing mails with one of the following filenames:
- body
- message
- docs
- file
- rules
- doc
- readme
- document
- the attachment will have one of the following extensions:
- zip
- scr
- pif
- exe
- cmd
- bat
Overwriting local HOSTS file
The local hosts file is modified such that connection to the a number of domains for the updating of various anti-virus products is redirected to localhost (127.0.0.1).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue 'fixmbr' command to restore the Master Boot Record
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
Variants