URL:
http://securityresponse.symantec.com...oom.bu@mm.html
This one caused an emergency LiveUpdate early yesterday morning, May 27:
W32.Mydoom.BU@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer and that has back door capabilities.
Also Known As: W32/Mytob.be@MM [McAfee], W32/Mytob-L [Sophos], WORM_MYTOB.FC [Trend Micro]
Infection Length: 49,278 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Quote (Originally Posted by Symantec Technical Details):
When W32.Mydoom.BU@mm is executed, it performs the following actions:
1. Copies itself as:
%System%\nec.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"WINDOWS SYSTEM" = "nec.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the risk runs every time Windows starts.
3. Modifies the value:
"Start" = "4"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
to prevent other programs from running when Windows starts.
4. Connects to IRC channel #skyline2 on the server irc.blackcarder.net.
5. Listens for commands that allow the remote attacker to perform any of the following actions:
* Download and execute files
* Perform other IRC commands determined by the attacker
* Reboot the compromised computer
Further Tech Details:
http://securityresponse.symantec.com...chnicaldetails