Scary News about MyDoom...

Security, malware, viri--you've got to keep your eyes open
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Post by bob » 01/29/04, 2:04 am

Latest worm has professional twist
Computer experts blame spammers

By BILL HUSTED
The Atlanta Journal-Constitution


A new computer worm called MyDoom is spreading in the United States and abroad at a frightening rate. But that's not the really scary news.

What worries computer experts the most is the fact that MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster. These better-built worms also are used by criminals to turn a profit.

much more....

http://www.ajc.com/business/content/bus ... 8worm.html
WYSIWTF

Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Post by Gerry » 01/29/04, 4:11 am

Wow, that's really gonna suck. I suppose on the up side it will make it easier to find something to charge the spammers with.
I answer rhetorical questions for my own enjoyment.

Melkor
Senior Member I Get Free Beer
Posts: 314
Joined: 12/04/01, 12:00 am
Location: Wherever i am going.

Post by Melkor » 01/30/04, 1:39 am

And I thought all the unethical virus writers were hiding...

I was wondering when they were going to make a transmet (Transmetropolitan is a comic book) style virus. The nice thing about the way the virus development community is going is that there are very rarely any big new ideas, allowing AV makers to catch up easily. It would be truly amazing to see a virus that was totally novel.

POPCHR
Member ***
Posts: 22
Joined: 01/08/03, 12:00 am
Location: CORNWALL

Post by POPCHR » 02/02/04, 8:19 am

This is more info on the new worms which are currently in the news!!!

Very frightening how these people make new variants etc. Just thought I would enlighten people on the facts.


Win32/Mydoom.B
Win32/Mydoom.B is a variant of Win32/Mydoom.A. The size of the executable is 29 184 bytes. It is compressed with UPX.

Note: In the following text the placeholder %windir% is used instead of the name of the directory in which the Windows operating system is installed; this may differ from installation to installation. The placeholder %system% represents the subdirectory System or System32 in the directory %windir%.

It installs itself into the Windows system folder as explorer.exe and adds a new value under the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

It also drops the file cftmon.dll into the system folder, which activates a backdoor on the system.
On Windows NT/2000/XP it modifies the file %system%\drivers\etc\hosts. This modification makes the update servers of several anti-virus companies inaccessible to the infected computer.

Detection of Win32/Mydoom.B based on the sample has been included since version 1.613.


Win32/Mydoom.A
Aliases: Novarg, Shimgapi or Shimg

Win32/Mydoom.A is a worm spreading in the form of a file attached to an e-mail and via the Kazaa network.

Upon activation the worm performs the following actions:

The worm registers itself under the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

It creates a mutex SwebSipcSmtxS0, which ensures that only a single copy of the worm runs on the infected computer.
It opens Notepad (NOTEPAD.EXE) with random text in it.
In the MS Windows system directory it creates a file named shimgapi.dll, 4096 bytes in size, and loads it into memory using the LoadLibrary function. This program activates a backdoor listening on port 3127 and registers itself under the following registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32

By default this key points to the file Webcheck.dll, which is a COM interface for web monitoring. By modifying this key the worm makes sure that shimgapi.dll is loaded into the address space of explorer.exe.
In the next step the worm checks the system time of the infected computer and if it is past Feb 12th 2004 2:28:57 it quits.
Otherwise it copies itself into the MS Windows system directory as taskmon.exe and adds a new value under one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The new value is the following: "TaskMon" = %SysDir%\taskmon.exe
This makes sure the worm is launched each time the computer boots.
If the system time is past February 1st 2004 16:09:18 it launches a Denial of Service (DoS) attack on http://www.sco.com.
If the infected computer has the peer-to-peer client Kazaa installed, the worm copies itself into the Kazaa shared directory under one of the following names:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with one of the extensions .bat, .exe, .scr or .pif.
In the next step the worm harvests addresses for its spreading from files with the following extensions:

.txt
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab

The sender address is altered. The subject line is one of the following:

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

The body of the e-mail message contains one of the following texts:

test
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

The attachment has one of the following file names or a random file name:

document
readme
doc
text
file
data
test
message
body

with one of the following extensions:

pif
scr
exe
cmd
bat
zip

The worm makes it appear that the extension is one of the following:

.htm
.txt
.doc

Detection of Win32/Mydoom.A based on the sample has been included since version 1.608.

AndrewB
BIG GIANT HEAD I Get Free Beer
Posts: 2385
Joined: 12/09/01, 12:00 am
Location: USA

Post by AndrewB » 02/02/04, 11:51 am

What a horrible abuse of a good Free app like UPX! I should b**ch-slap the loser who created that malware myself.
Keep Your Assets & ID Private! Can you afford not to?

AndrewB
BIG GIANT HEAD I Get Free Beer
Posts: 2385
Joined: 12/09/01, 12:00 am
Location: USA

Post by AndrewB » 02/03/04, 5:17 am

I just got a funny idea... Why not a tribute parody of the old song 'my girl'? Think about it...

Mydoom! Just talkin about myyydoooom! MyDoom! (etc)

It would be cool and you know it! :wink:
Keep Your Assets & ID Private! Can you afford not to?
