MyDoom Worm Advisory
- URL: http://www.secureworks.com/research/threats/mydoomadvisory
- Date: January 27, 2004
- Author: Joe Stewart
***Highly Publicized Worm Propagating***
The past twenty-four hours have seen the widespread propagation of a new Internet worm that spreads via e-mail and the KaZaA file-sharing network. This worm, now commonly referred to as MyDoom, has been given different names by various reputable sources. It carries a DDoS payload and is reported to open a backdoor proxy. Despite its status as one of the fastest-spreading mass-mailers ever, this worm is a very low threat to any network that has implemented "best-practices" antivirus procedures (gateway and desktop scanning with current signatures, plus blocking of executable attachment types at the gateway).
Details:
As of late afternoon on January 26, 2004, various sources began noticing high loads on mail servers, the result of aggressive propagation by the latest high-volume outbreak worm. Various sources have tagged this worm with the following names: WORM_MIMAIL.R, MIMAIL.R, Mydoom, Novarg, Shmig, W32.Novarg.A@mm, and W32/Mydoom@MM; it will be referred to throughout this advisory as MyDoom. MyDoom harvests e-mail addresses from infected hard drives and mails copies of itself to the addresses it finds. It spoofs the "From" address, so the apparent sender is not the infected host and cannot be relied on to identify the source. MyDoom spreads as an e-mail attachment in either executable or zip archive format.
The MyDoom worm spreads via an e-mail attachment and has been reported to have the following characteristics:
- Possible subject lines: error, hello, hi, mail delivery system, mail transaction failed, server report, status, test. The subject line could also be a random collection of characters.
- Possible reported e-mail body messages include:
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- E-mail attachment with one of the following names: body, data, doc, document, file, message, readme, test. The attachment name could also be a random string of characters. The extension has been reported to be one of the following: bat, cmd, exe, pif, scr, zip.
- The executable is usually 22,528 bytes; .ZIP attachments have been reported in the range 22,640 to 22,798 bytes inclusive. The size of the .ZIP depends on the length of the randomly selected filename that the sending instance of MyDoom chooses for the copy inside the .ZIP, because that filename is stored twice: once in the local file header at the beginning of the packed data for the file and once in the "central directory" at the end of the .ZIP.
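The size arithmetic above can be checked against the ZIP format itself. The following is an added example written for this page, not code from the advisory or from SecureWorks: it builds a constructed, harmless stand-in for the attachment (a dummy "MZ" marker padded to 22,528 bytes, not the worm), parses the archive's central directory and local file header by hand to show the member name stored twice, and applies the gateway rule of rejecting archives that contain executable members. The member names, the dummy payload and the assumption that the archive is stored uncompressed with no extra fields or comments are all assumptions made here.

```python
import io
import struct
import zipfile

# Constructed stand-in for the 22,528-byte executable the advisory describes.
# This is NOT worm code: a dummy "MZ" marker padded with zero bytes.
PAYLOAD_LEN = 22528
DUMMY_PAYLOAD = b"MZ" + bytes(PAYLOAD_LEN - 2)

# Attachment types the advisory recommends blocking at the gateway.
BLOCKED_EXTS = {"bat", "cmd", "exe", "pif", "scr"}

# Fixed overhead of a single-member ZIP with no extra fields or comments:
# 30-byte local file header + 46-byte central directory entry + 22-byte
# end-of-central-directory record.  The member name is written once in each
# of the two headers, which is where the 2 * len(name) term comes from.
ZIP_FIXED_OVERHEAD = 30 + 46 + 22


def expected_stored_zip_size(payload_len, member_name):
    """Size of a one-member ZIP whose payload is stored (method 0, no compression)."""
    return payload_len + ZIP_FIXED_OVERHEAD + 2 * len(member_name.encode("ascii"))


def build_stored_zip(member_name, payload):
    """Constructed sample: pack payload uncompressed under member_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def list_zip_members(data):
    """Parse the ZIP by hand: walk the central directory, then confirm each
    entry's local file header carries the same name.  Returns a list of dicts."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD body: disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    _, _, _, entries, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    members = []
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        # made_by, needed, flags, method, time, date, crc, csize, usize,
        # name_len, extra_len, comment_len, disk, int_attr, ext_attr, local_off
        (_, _, _, method, _, _, _, csize, usize, name_len, extra_len,
         comment_len, _, _, _, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        # Local file header: the name length sits at offset 26, the name at offset 30.
        if data[local_off:local_off + 4] != b"PK\x03\x04":
            raise ValueError("bad local file header signature")
        lname_len = struct.unpack_from("<H", data, local_off + 26)[0]
        local_name = data[local_off + 30:local_off + 30 + lname_len].decode("cp437")
        members.append({"name": name, "local_name": local_name, "method": method,
                        "compressed_size": csize, "size": usize})
        pos += 46 + name_len + extra_len + comment_len
    return members


def flag_executable_members(data):
    """Gateway-style check: member names inside the archive with a blocked extension."""
    flagged = []
    for m in list_zip_members(data):
        ext = m["name"].rsplit(".", 1)[-1].lower() if "." in m["name"] else ""
        if ext in BLOCKED_EXTS:
            flagged.append(m["name"])
    return flagged


if __name__ == "__main__":
    sample = build_stored_zip("message.exe", DUMMY_PAYLOAD)
    print(len(sample), expected_stored_zip_size(PAYLOAD_LEN, "message.exe"))
    print(list_zip_members(sample))
    print(flag_executable_members(sample))
```

Under these assumptions a member named "message.exe" gives an archive of 22,648 bytes, and the advisory's reported range of 22,640 to 22,798 bytes corresponds to inner filenames of 7 to 86 characters. The point for a gateway is the last function: a size range is a weak signature, but an archive whose central directory names an .exe, .scr or .pif member can be rejected regardless of what the outer attachment is called.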
MyDoom attaches itself either as an archive (.zip) or as an executable (.exe). When executed, it places a copy of itself in the Windows System folder under the name "taskmon.exe". It also installs a proxy component named "shimgapi.dll", which accepts connections on TCP port 3127; some reports also indicate ports 3127 through 3198 being opened. An attacker who can reach the port could use the infected computer as a proxy to gain access to network resources, and the backdoor can also download and execute arbitrary files. Its specific capabilities are still under investigation. MyDoom also persists across reboots: the registry value "Taskmon" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run points to the location of "taskmon.exe", which has been reported as:
c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr or c:\WINDOWS\SYSTEM\taskmon.exe.
Starting on February 1, 2004, the worm launches 63 threads, each requesting the index page of www.sco.com every 300 milliseconds; it has a trigger date to stop spreading on February 12, 2004. It has been speculated that this DoS functionality may be a diversion from the backdoor listening on TCP port 3127.
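The indicators above (the backdoor accepting connections on TCP 3127 through 3198, and 63 threads fetching www.sco.com every 300 milliseconds) translate directly into detections over firewall and proxy logs. The following is an added example, not part of the advisory; the log line format is a simplified one invented for this page rather than any vendor's, and the hosts, ports and timestamps are constructed. The rate threshold is an assumption chosen well below the roughly 210 requests per second that 63 threads at 300 ms intervals would produce from a single host.

```python
import re
from collections import defaultdict

# 3127 through 3198 inclusive, per the advisory's reports.
BACKDOOR_PORTS = range(3127, 3199)
DOS_TARGET = "www.sco.com"
# 63 threads each fetching every 300 ms is about 210 GETs/s from one host;
# 50/s (an assumption) is far below that and far above normal browsing.
DOS_THRESHOLD_PER_SEC = 50

# Constructed log format (an assumption for this example, not a real product's):
#   FW <epoch_seconds> <TCP|UDP> <src_ip>:<src_port> > <dst_ip>:<dst_port>
#   HTTP <epoch_seconds> <src_ip> GET <host> <path>
FW_RE = re.compile(r"^FW (\S+) (TCP|UDP) (\S+):(\d+) > (\S+):(\d+)$")
HTTP_RE = re.compile(r"^HTTP (\S+) (\S+) GET (\S+) (\S+)$")


def find_backdoor_connections(lines):
    """Sorted (src_ip, dst_ip, dst_port) triples touching the backdoor port range."""
    hits = set()
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        _ts, proto, src, _sport, dst, dport = m.groups()
        if proto == "TCP" and int(dport) in BACKDOOR_PORTS:
            hits.add((src, dst, int(dport)))
    return sorted(hits)


def find_dos_sources(lines, threshold=DOS_THRESHOLD_PER_SEC):
    """Hosts whose GET rate to DOS_TARGET exceeds threshold in any one-second bucket."""
    buckets = defaultdict(int)  # (src_ip, whole second) -> request count
    for line in lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        ts, src, host, _path = m.groups()
        if host == DOS_TARGET:
            buckets[(src, int(float(ts)))] += 1
    return sorted({src for (src, _sec), n in buckets.items() if n > threshold})


def sample_logs():
    """Constructed sample: one backdoor probe, one clean host, one infected host.
    1075593600 is 2004-02-01 00:00:00 UTC, the advisory's DoS start date."""
    lines = [
        "FW 1075593600 TCP 10.1.1.20:2048 > 10.1.1.10:3127",  # probe to the backdoor port
        "FW 1075593601 TCP 10.1.1.10:1026 > 10.1.1.1:25",     # ordinary SMTP, ignored
        "HTTP 1075593600.0 10.1.1.30 GET www.sco.com /",       # a single human visit
    ]
    # Emulate 63 threads on host 10.1.1.10, each requesting the index page
    # every 300 ms for three seconds (timestamps constructed, slightly staggered).
    base = 1075593600.0
    for thread in range(63):
        for k in range(10):
            t = base + thread * 0.001 + k * 0.3
            lines.append(f"HTTP {t:.3f} 10.1.1.10 GET www.sco.com /")
    return lines


if __name__ == "__main__":
    logs = sample_logs()
    print("backdoor connections:", find_backdoor_connections(logs))
    print("DoS sources:", find_dos_sources(logs))
```

Both checks are deliberately coarse. Any TCP connection toward 3127-3198, inbound or between internal hosts, is worth an alert on its own, since the advisory gives no legitimate use for those ports; the request-rate check catches the DoS component from its volume alone and needs no knowledge of the backdoor's protocol, which the advisory does not describe.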
Aggressive propagation of mass-mailing worms has been known to cause localized e-mail outages because of the load placed on mail servers. MyDoom has been spreading very aggressively and is a serious threat to networks where "best-practices" antivirus procedures have not been implemented. It is also believed that the worm's proxy may allow the infected computer to relay spam.
Additional Notes:
A variant, MyDoom.B, has been reported as of January 28th, 2004 with minor modifications including:
- A DDoS attack against www.microsoft.com as well as www.sco.com.
- Changes to the system "hosts" file entry blocking access to Windows Update and antivirus update and information sites.
- Ability to upgrade MyDoom.A-infected hosts by scanning for the backdoor on TCP port 3127 and uploading the B variant through it.
Once again, we stress that following best-practices antivirus procedures should lead to zero infections of this worm on your network, and if you have rolled out such policies in advance, you should have no cause for alarm with this new variant.
Solution:
- Various AV engines are being updated to detect and properly handle this worm. Administrators should update all gateway and desktop antivirus signatures on an hourly basis.
- Block all executable attachment types (e.g. exe, scr, pif, bat, cmd) at the e-mail gateway. Consider blocking zip files as well: they are an increasingly popular way for virus writers to deliver executables precisely because most e-mail gateways permit them. Network administrators should also block inbound and outbound connections to TCP port 3127 (and, given the reports above, the range 3127 through 3198) to cut off the backdoor. Perimeter blocking does not stop hosts inside the network from reaching an infected machine's proxy, so any connection to these ports should be treated as an indicator of infection.
- Ensure users of the network are aware of this threat and remind users to be wary of all unsolicited e-mail attachments.
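A minimal mail-gateway filter implementing the attachment recommendations above, added here as an example and not SecureWorks code. It checks one raw RFC 5322 message against the subject, body and attachment indicators listed under Details: executable attachment types are dropped outright, and zip attachments are opened so their members are held to the same rule instead of blocking all archives. The two sample messages, their addresses and the dummy attachment bytes are constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure subjects and body texts listed in the advisory (compared case-insensitively).
LURE_SUBJECTS = {"error", "hello", "hi", "mail delivery system",
                 "mail transaction failed", "server report", "status", "test"}
LURE_BODIES = (
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
)
# Attachment types to drop at the gateway.
BLOCKED_EXTS = {"bat", "cmd", "exe", "pif", "scr"}


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def gateway_verdict(raw):
    """Return ("drop" | "deliver", reasons) for one raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, drop = [], False
    subject = (msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if any(text.startswith(lure) for lure in LURE_BODIES):
        reasons.append("lure body text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in BLOCKED_EXTS:
            drop = True
            reasons.append(f"blocked attachment type: {name}")
        elif ext == "zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    bad = [n for n in zf.namelist() if _ext(n) in BLOCKED_EXTS]
            except zipfile.BadZipFile:
                bad = ["<unreadable archive>"]  # never pass what cannot be inspected
            if bad:
                drop = True
                reasons.append(f"archive {name} contains: {', '.join(bad)}")
    return ("drop" if drop else "deliver"), reasons


def sample_lure_message():
    """Constructed message shaped like the advisory's description; the zip holds
    a few dummy bytes under an .exe name, not malware."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"   # spoofed-looking sender, constructed
    msg["To"] = "user@example.org"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("Mail transaction failed. Partial message is available.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("document.exe", b"MZ" + bytes(64))
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


def sample_clean_message():
    """Constructed benign message with a text attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Lunch?"
    msg.set_content("See you at noon.")
    msg.add_attachment("bring the notes", subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(sample_lure_message()))
    print(gateway_verdict(sample_clean_message()))
```

Only the attachment checks decide the verdict; the subject and body matches are recorded as reasons because those strings are generic enough to appear in real bounce notices, and the advisory's own advice is to block by attachment type rather than by lure text. An archive that cannot be parsed is treated the same as one with an executable inside, since a gateway that lets unreadable content through is no better than one that does not inspect at all.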