Trend Micro Medium Risk Virus Alert - WORM_MYDOOM.BB

Discussion in 'malware problems & news' started by Randy_Bell, Feb 17, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Dear Trend Micro customer,

    As of February 16, 2005, 05:31 PM (GMT - 08:00, Pacific Standard Time) TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYDOOM.BB.

    TrendLabs received numerous infection reports indicating that this malware is spreading in Singapore and the U.S. This worm was previously detected as WORM_MYDOOM.M.

    It has very similar characteristics to WORM_MYDOOM.M. However, this new MYDOOM worm comes compressed with the MEW compression tool, whereas WORM_MYDOOM.M is compressed using UPX.

    Like earlier MYDOOM variants, this worm spreads via email through SMTP (Simple Mail Transfer Protocol), gathering target recipients from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives. It uses social engineering techniques by sending out email messages with a spoofed sender's name and poses as a failure delivery notification. The email message it sends has varying subjects, message bodies, and attachment file names.

    Apart from simply spreading via email, this worm also carries backdoor functionalities that leave the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens TCP port 1034 and waits for outside connections. This routine virtually hands over control of the affected machine to a remote attacker.

    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 149
    Official Pattern Release 2.416.00
    Damage Cleanup Template 520


    For more information on WORM_MYDOOM.BB, you can visit our Web site at:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB
  2. Randy_Bell

    Here are some links to the various Vendors for this worm. This worm caused a Norton LiveUpdate tonight, a new McAfee Weekly DATfile release, and a new TrendMicro Pattern File release:

    Symantec: W32.Mydoom.AX@mm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

    McAfee: W32/Mydoom.bb@MM
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=131856

    TrendMicro: WORM_MYDOOM.BB
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB

    Panda: Mydoom.AO
    http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=59552

    Sophos: W32/MyDoom-O
    http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

    Computer Associates: Win32.Mydoom.AU
    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41813

    F-Secure: MyDoom.BB
    http://www.f-secure.com/v-descs/mydoom_bb.shtml

    Norman: W32/MyDoom.AQ@mm
    http://www.norman.com/Virus/Virus_descriptions/20316/en

    F-Prot: W32/Mydoom.AM@mm
    http://www.f-prot.com/virusinfo/descriptions/mydoom_am.html

    VSAntivirus: W32/Mydoom.AW
    http://www.vsantivirus.com/mydoom-aw.htm
    English Transl:
    http://babelfish.altavista.com/babe...rurl=http://www.vsantivirus.com/mydoom-aw.htm

    BitDefender: Win32.Mydoom.AQ@mm
    http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=326

    Kaspersky: Email-Worm.Win32.Mydoom.m
    http://www.viruslist.com/en/viruses/encyclopedia?virusid=57410

    NOTE: this worm is a repacked version of the 'M' variant, hence Kaspersky (which has very good unpackers) should be detecting it by this name without the need for a new signature. BitDefender, which also has good unpackers, states such in their writeup.
    Last edited: Feb 17, 2005
  3. Randy_Bell

    Panda: ORANGE ALERT: Mydoom.AO

    - ORANGE ALERT: Mydoom.AO. Internet search engines,
    once again in the sights of a computer virus -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    Madrid, February 17, 2005 - PandaLabs has detected the appearance of a new worm that uses Internet search engines to spread rapidly: Mydoom.AO. This worm uses Google, Altavista, Yahoo and Lycos to search for email addresses to which to send itself. In this way, a single infected computer can distribute thousands of copies of the worm in just a few minutes. This means that probability of a computer becoming infected by the Mydoom.AO worm is high.

    Panda Software clients that already have TruPrevent(TM) Technologies to protect against unknown viruses and intruders, have had preventive protection against Mydoom.AO from the moment it first appeared as they are able to detect and block this threat without needing to have identified it previously (more information about the new TruPrevent(TM) Technologies at http://www.pandasoftware.com/truprevent).

    Mydoom.AO uses so-called 'social engineering' to try to trick users, as the email messages it spreads in appear to be mail delivery error messages; these include: Message could not be delivered, Mail System Error - Returned Mail, or Delivery reports about your e-mail.

    The message text itself is also variable. One example is:

    Your message (was not|could not be) delivered because the destination (computer|server) was (not|un)reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters (the text in brackets is variable).

    The name of the attached file that actually contains the worm is chosen at random and has one of the following extensions: ZIP, COM, SCR, EXE, PIF, BAT or CMD.

    If a user becomes infected by the worm, it creates a copy of itself under the name JAVA.EXE and searches for email addresses in the Windows address book, Internet temporary files, and in files on the computer with certain extensions. Once it has done this, it selects domain names from the addresses it has collected and uses them as search words in Google, Altavista, Yahoo and Lycos. Finally, Mydoom.AO sends itself out to all addresses it finds.

    The worm also creates several Windows registry entries to ensure it is run on every system start up.

    According to Luis Corrons, director of PandaLabs: "Virus creators are finding Internet search engines a powerful tool for rapidly spreading malicious code. Mydoom.N was the first to use this strategy, and this new worm is following in its footsteps. This tactic effectively multiplies the propagation capacity of a malicious code, and it is therefore likely that we will see more of the same".

    Given the likelihood of incidents involving Mydoom.AO, Panda Software advises users to act with caution and update their antivirus software. Panda Software clients already have the corresponding updates to detect and disinfect this new malicious code.

    Panda Software's clients can already access the updates for installing the new TruPrevent(TM) Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent(TM) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent(TM) Technologies at http://www.pandasoftware.com/truprevent.

    In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

    More information about Mydoom.AO is available from Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/
    Last edited: Feb 17, 2005
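As an added example (not from the Panda alert, the vendor, or the poster), the fake-bounce lure described in the alert above written as a mail-gateway heuristic in Python: it flags a message only when bounce-style wording and a runnable attachment occur together, on constructed sample messages.

```python
import re

# Subject lines and body template quoted in the Panda alert above.
BOUNCE_SUBJECTS = {"message could not be delivered",
                   "mail system error - returned mail",
                   "delivery reports about your e-mail"}
BOUNCE_BODY_RE = re.compile(
    r"your message (?:was not|could not be) delivered because the destination "
    r"(?:computer|server) was (?:not |un)reachable within the allowed queue period",
    re.IGNORECASE)
# Attachment extensions the alert says the worm uses.
LURE_EXTENSIONS = {"zip", "com", "scr", "exe", "pif", "bat", "cmd"}


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def lure_reasons(msg):
    """Return why `msg` (dict: subject, body, attachments) looks like a MyDoom fake
    bounce, or [] if it does not. A genuine delivery-status notification carries no
    executable or archive attachment, so bounce wording alone is never flagged:
    it takes bounce wording and a runnable attachment together."""
    text_hits = []
    if msg.get("subject", "").strip().lower() in BOUNCE_SUBJECTS:
        text_hits.append("bounce-style subject")
    if BOUNCE_BODY_RE.search(msg.get("body", "")):
        text_hits.append("templated bounce body")
    attach_hits = [n for n in msg.get("attachments", []) if _extension(n) in LURE_EXTENSIONS]
    if text_hits and attach_hits:
        return text_hits + ["runnable attachment " + n for n in attach_hits]
    return []


def triage(messages):
    """Map message id -> reasons for every message that matches the lure pattern."""
    return {m["id"]: r for m in messages if (r := lure_reasons(m))}


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Mail System Error - Returned Mail", "attachments": ["report.zip"],
     "body": "Your message could not be delivered because the destination server was "
             "unreachable within the allowed queue period."},
    {"id": "m2", "subject": "Undelivered Mail Returned to Sender", "attachments": [],
     "body": "This is the mail system at host mx.example.net."},  # real DSN, no payload
    {"id": "m3", "subject": "Installer for the new build", "attachments": ["setup.exe"],
     "body": "See attached."},  # runnable attachment but no bounce wording
]
```

Only m1 is flagged: the real DSN (m2) has no payload and the plain executable mail (m3) carries no bounce wording, which keeps the heuristic from quarantining ordinary traffic.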
  4. Randy_Bell

    Panda: ORANGE ALERT: Mydoom.AO - Free Removal Tool

    - ORANGE ALERT: Mydoom.AO -

    - Panda Software offers its free PQRemove tool
    to detect and eliminate Mydoom.AO from infected computers -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    Madrid, February 17, 2005 - To help all users whose computers have been or could be affected by the Mydoom.AO worm, Panda Software has made its free PQRemove utility available to detect and eliminate this malicious code. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities

    Panda Software also recommends that users treat emails received with caution and install a reliable and updated anti-malware solution. Panda Software clients that already have TruPrevent (TM) Technologies to protect against unknown viruses and intruders, have had preventive protection against Mydoom.AO from the moment it first appeared as they are able to detect and block this threat without needing to have identified it previously (more information about the new TruPrevent(TM) Technologies at http://www.pandasoftware.com/truprevent).

    Mydoom.AO has a far greater propagation capacity than most computer viruses, as it uses the main Internet search engines to find email addresses to which to send itself. Once it has infected a computer, it searches for email addresses in the Windows address book, Internet temporary files, and in files on the computer with certain extensions. Then it selects domain names from the addresses it has collected and uses them to search in Google, Altavista, Yahoo and Lycos for other addresses to which to send itself. For example, if in the computer it finds the address 'abc@xyz.com', the worm searches for the term 'xyz.com', so that it can find other addresses on the same domain.

    Mydoom.AO also avoids the tactics that users employ to prevent their Internet addresses from being used by spammers to send unwanted mail, for example by replacing @ with (at).

    Luis Corrons, director of PandaLabs, explains: "This worm is perfectly designed to spread itself massively and rapidly. The creator has designed it to magnify the infection capacity using Internet search engines. In this way, even if the malicious code didn't cause a high number of infections, it can ensure that there are many infected messages in circulation. This increases the chance of a computer, especially one without protection, becoming infected".

    Given the likelihood of incidents involving Mydoom.AO, Panda Software advises users to act with caution and update their antivirus software. Panda Software clients already have the corresponding updates to detect and disinfect this new malicious code.

    Panda Software's clients can already access the updates for installing the new TruPrevent(TM) Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent(TM) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent(TM) Technologies at http://www.pandasoftware.com/truprevent.

    In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

    More information about Mydoom.AO is available from Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/
  5. Randy_Bell

    Trend Newsletter: WORM_MYDOOM.BB

    On February 16, Trend Micro declared a Yellow Alert to control the spread of WORM_MYDOOM.BB. This worm is spreading in-the-wild, with higher concentrations in the U.S. and Singapore. This worm spreads via email through Simple Mail Transfer Protocol (SMTP), gathering recipient email addresses from the Windows Address Book, the Temporary Internet Files folder, and certain fixed drives. Notably, it skips email addresses that contain certain strings. When it finds an email address, it gets the domain name of that email address and queries certain search engines to search for email addresses in the same domain, in order to gather more addresses to spam. The worm sends an email with a spoofed sender's name and poses as a failure delivery notification. Apart from simply spreading via email, this worm also has backdoor functionalities that leave the infected machine vulnerable to remote access. This worm infects computers running Windows NT, 2000, and XP.

    Upon execution, this mass-mailing worm program drops a copy of itself as JAVA.EXE in the Windows folder. It creates autorun registry entries that enable it to automatically execute at every system startup. It then closes all windows related to Internet Explorer, Microsoft Outlook, and Outlook Express.

    This worm propagates via SMTP. It harvests target email addresses from the Windows Address Book (WAB) and gathers addresses from the Temporary Internet Files folder and from files with the following extensions found in fixed drives:

    * hlp
    * tx*
    * asp
    * ht*
    * sht*
    * adb
    * dbx
    * wab

    When it finds an email address, it gets the domain name of that email address and queries the following search engines to search for email addresses in the domain:

    * http://search.lycos.com
    * http://www.altavista.com
    * http://search.yahoo.com
    * http://www.google.com

    It spoofs the sender's name (FROM field) of the email it sends, both in the email header and the envelope. Please refer to the Technical Details of the virus description for information on the various subject lines, message bodies, and attachments used by this worm.

    This worm skips email addresses with domain names that contain any of these strings:

    * arin.
    * avp
    * bar.
    * domain
    * example
    * foo.com
    * gmail
    * gnu.
    * google
    * hotmail
    * microsoft
    * msdn.
    * msn.
    * panda
    * rarsoft
    * ripe.
    * sarc.
    * seclist
    * secur
    * sf.net
    * sophos
    * sourceforge
    * spersk
    * syma
    * trend
    * update
    * uslis
    * winrar
    * winzip
    * yahoo

    It also skips email addresses with the following account names:

    * anyone
    * ca
    * feste
    * foo
    * gold-certs
    * help
    * info
    * me
    * no
    * nobody
    * noone
    * not
    * nothing
    * page
    * rating
    * root
    * site
    * soft
    * someone
    * the.bat
    * you
    * your

    It skips account names that contain any of these strings:

    * admin
    * support
    * ntivi
    * submit
    * listserv
    * bugs
    * secur
    * privacycertific
    * accoun
    * sample
    * master
    * abuse
    * spam
    * mailer-d

    This worm drops a backdoor component named SERVICES.EXE in the Windows folder, which opens TCP port 1034, and listens for connections from a remote malicious user. It also downloads and executes a backdoor program from a specific Web site.

    If you would like to scan your computer for WORM_MYDOOM.BB or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_MYDOOM.BB is detected and cleaned by Trend Micro pattern file #2.416.00 and above.
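As an added example (not Trend Micro's or the poster's code), a host-side triage in Python over the indicators in the description above: it parses constructed `netstat -ano` style output for a listener on TCP 1034 and checks whether the owning process image is SERVICES.EXE or JAVA.EXE sitting directly in the Windows folder, as opposed to the legitimate services.exe under system32. The PID-to-image-path mapping is assumed to be gathered separately on a live host and is passed in as a dict.

```python
import ntpath
import re

BACKDOOR_PORT = 1034  # port the Trend Micro description says SERVICES.EXE opens
# Files the description says the worm drops directly in the Windows folder.
DROPPED_NAMES = {"java.exe", "services.exe"}
# One `netstat -ano` row: proto, local addr:port, foreign addr, state, PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def listeners_on(netstat_output, port):
    """Return PIDs listening on TCP `port` in `netstat -ano` style output."""
    pids = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids


def suspicious_image(path, windows_dir=r"C:\WINDOWS"):
    """True when `path` is one of the dropped names sitting directly in the Windows
    folder. The real services.exe lives in %SystemRoot%\\system32, so the parent
    directory, not just the file name, decides."""
    parent, name = ntpath.split(path)
    return (name.lower() in DROPPED_NAMES
            and parent.lower().rstrip("\\") == windows_dir.lower().rstrip("\\"))


def triage(netstat_output, image_paths, windows_dir=r"C:\WINDOWS"):
    """Pair every port-1034 listener with its image path (PID -> path dict,
    gathered separately on a live host) and rate it."""
    findings = []
    for pid in listeners_on(netstat_output, BACKDOOR_PORT):
        path = image_paths.get(pid, "<unknown>")
        hit = suspicious_image(path, windows_dir)
        findings.append((pid, path, "matches WORM_MYDOOM.BB drop" if hit else "unexpected listener, inspect"))
    return findings


# Constructed sample host data (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1034         127.0.0.1:1100         ESTABLISHED     1520
"""
SAMPLE_IMAGES = {900: r"C:\WINDOWS\system32\svchost.exe", 1520: r"C:\WINDOWS\SERVICES.EXE"}
```

Any listener on 1034 is reported even when its image path is unknown, since an unexplained listener on the backdoor port is worth a look on its own.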