W32.Doomhunter

Discussion in 'malware problems & news' started by Marianna, Feb 14, 2004.

Thread Status:
Not open for further replies.
    Discovered on: February 12, 2004
    Last Updated on: February 14, 2004 03:58:39 PM

    W32.Doomhunter is a worm that attempts to spread to the machines that are infected with W32.Mydoom@mm variants.



    Type: Worm
    Infection Length: 5,120



    Systems Affected: Windows 2000, Windows XP

    When W32.Doomhunter runs, it does the following:


    Copies itself as %System%\worm.exe.


    --------------------------------------------------------------------------------
    Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    --------------------------------------------------------------------------------


    Adds the value:

    "Delete Me"="worm.exe"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows®.


    Deletes the default value in the registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


    --------------------------------------------------------------------------------
    Note: W32.Mydoom.A@mm and W32.Mydoom.B@mm modify this key.
    --------------------------------------------------------------------------------


    Displays various messages when running, such as the following examples:

    http://securityresponse.symantec.com/avcenter/graphics/w32.doomhunter.1.gif

    http://securityresponse.symantec.com/avcenter/graphics/w32.doomhunter.2.gif

    --------------------------------------------------------------------------------
    Note: All the messages have "Mydoom removal worm (DDOS the RIAA!!)" in the title bar.
    --------------------------------------------------------------------------------


    Terminates the following processes, which the worms W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Blaster.Worm, and W32.Blaster.C.Worm may create:

    SHIMGAPI.DLL
    CTFMON.DLL
    REGEDIT.EXE
    TEEKIDS.EXE
    MSBLAST.EXE
    EXPLORER.EXE
    TASKMON.EXE
    INTRENAT.EXE


    --------------------------------------------------------------------------------
    Note: All the Windows operating systems have a legitimate system process titled explorer.exe.
    --------------------------------------------------------------------------------


    Deletes the following files from the System folder, which are associated with the worms W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Blaster.Worm, and W32.Blaster.C.Worm:

    SHIMGAPI.DLL
    CTFMON.DLL
    REGEDIT.EXE
    TEEKIDS.EXE
    MSBLAST.EXE
    EXPLORER.EXE
    TASKMON.EXE
    INTRENAT.EXE


    --------------------------------------------------------------------------------
    Notes:
    The legitimate system file explorer.exe exists in the %Windir% folder on all the Windows systems.
    %Windir% is a variable for the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------


    Listens on TCP port 3127.

    --------------------------------------------------------------------------------
    Note: Port 3127 is the port that the backdoor component of W32.Mydoom.A@mm opened.
    --------------------------------------------------------------------------------


    If the connection is established, the worm first sends five bytes to the remote computer. Then, it sends a copy of itself to the remote computer. The backdoor component of W32.Mydoom.A@mm will accept the file and then execute it.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.doomhunter.html
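An added triage example (not part of the Symantec writeup or of this post): a Python script that checks an exported Run key and `netstat -ano` output for the two host indicators the writeup lists, the "Delete Me"="worm.exe" Run value and a TCP 3127 listener. The .reg text and netstat lines below are constructed samples, and the function names are this example's own.

```python
import re

# Constructed sample of a regedit .reg export of the Run key (not a real capture).
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Delete Me"="worm.exe"
'''

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_OUTPUT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1764
'''

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def run_key_values(reg_text, key):
    """Return {name: data} for the string values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):                      # a new key section starts
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = re.match(r'"(.+?)"="(.*)"$', line)        # "name"="data" lines only
        if in_key and m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # un-escape \\
    return values


def listening_pids(netstat_text, port):
    """Return PIDs holding a TCP listener on `port`, parsed from `netstat -ano`."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if (len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].rsplit(":", 1)[1] == str(port)):
            pids.append(int(parts[4]))
    return pids


def doomhunter_indicators(reg_text, netstat_text):
    """Collect the writeup's host indicators: the Run value and the port 3127 listener."""
    hits = []
    if run_key_values(reg_text, RUN_KEY).get("Delete Me", "").lower().endswith("worm.exe"):
        hits.append('Run value "Delete Me"="worm.exe" present')
    for pid in listening_pids(netstat_text, 3127):
        hits.append(f"TCP 3127 listener (Mydoom.A backdoor port) held by PID {pid}")
    return hits
```

A 3127 listener alone only shows that the Mydoom.A backdoor port is open; pair the PID with the image path before deciding which worm is present.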
     