Win32.MyDoom.AH@mm, Win32.MyDoom.AG@mm

HIGH
MEDIUM
21508 bytes (packed with MEW), ~135 K unpacked
(Mydoom)

Symptoms

Presence of a file with a random filename in the System32 folder, pointed to by the value "Reactor5" in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key.

Removal instructions:

Open the registry editor and look up the value "Reactor5" in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key; note the file name it points to, terminate the corresponding process, then delete the file (and the registry value). Update your Microsoft Internet Explorer software.

Analyzed By

BitDefender Research Team

Technical Description:


This version of the MyDoom worm uses the Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515) in addition to its mass-mailing spreading routines.

This is how the buffer overflow vulnerability gets exploited:
The worm arrives in e-mail messages; these messages may contain links, accompanied by text such as:

"FREE ADULT VIDEO! SIGN UP NOW!"

or

"Look at my homepage with my last webcam photos!"

or

"Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days. To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.

Thank you for using PayPal."

or

"Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam
photos!"

When the user clicks on one of the links, the browser is redirected to an HTML page; this page exploits the Internet Explorer IFRAME vulnerability so that malicious shellcode is executed; the shellcode downloads a copy of the MyDoom virus to the vulnerable computer and executes it.

When executed, it deletes the following values from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:

"center"
"reactor"
"Rhino"
"Reactor3"
"Reactor4"

It creates a file (with a random filename) under the Windows system folder and adds the value "Reactor5" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, pointing to that file. This way the virus gets automatically executed at every system startup.

It attempts to find the window Shell_TrayWnd and to create a malicious thread inside the process that owns that window (typically Explorer.exe).

If it cannot find the window Shell_TrayWnd, the worm gets a handle to the foreground window and attempts to inject itself into the process that owns that window.

In the remote thread, it loads the libraries it needs. It creates the mutex "Load5" to prevent further instances from running.

[IRC Thread]

The virus has its own trivial IRC client and attempts to connect to one of the following IRC servers:

"flanders.be.eu.undernet.org"
"caen.fr.eu.undernet.org"
"brussels.be.eu.undernet.org"
"los-angeles.ca.us.undernet.org"
"washington.dc.us.undernet.org"
"london.uk.eu.undernet.org"
"diemen.nl.eu.undernet.org"
"lulea.se.eu.undernet.org"
"broadway.ny.us.dal.net"

[Mail Thread]

This is a mass-mailing worm; it attempts to find valid e-mail addresses in files with the extensions "wab", "pl", "adb", "tbb", "dbx", "asp", "php", "sht", "htm" and "txt".

The "From" field is spoofed (randomly chosen from a list inside the virus body).

The worm also adds an "X-Antivirus" field to the e-mail headers, with one of the following values:
"scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)"
or
"Checked for viruses by Gordano's AntiVirus Software Checked by Dr.Web (http://www.drweb.net)"
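As an added detection example (not Bitdefender's code), the following Python flags messages that carry either of the spoofed "X-Antivirus" header values above or one of the lure phrases quoted earlier; the two sample messages and their addresses are constructed for illustration.

```python
import email
from email import policy

# X-Antivirus header values the worm inserts (quoted from the advisory).
XAV_INDICATORS = (
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked for viruses by Gordano's AntiVirus Software Checked by Dr.Web (http://www.drweb.net)",
)
# Fragments of the lure texts quoted in the advisory.
LURE_PHRASES = (
    "FREE ADULT VIDEO! SIGN UP NOW!",
    "homepage with my last webcam",
    "PayPal has successfully charged $175",
)

def classify(raw: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    xav = msg.get("X-Antivirus", "").strip()
    if xav in XAV_INDICATORS:
        reasons.append("x-antivirus: " + xav)
    # Use the text part of the message (plain preferred, html otherwise).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase.lower() in text.lower():
            reasons.append("lure: " + phrase)
    return {"suspicious": bool(reasons), "reasons": reasons}

def triage(messages: list) -> list:
    # Indices of the messages that match at least one indicator.
    return [i for i, raw in enumerate(messages) if classify(raw)["suspicious"]]

# Constructed sample messages (hypothetical addresses, not from the advisory).
SAMPLE_WORM = """From: paypal@example.invalid
To: victim@example.invalid
Subject: Order confirmation
X-Antivirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
Content-Type: text/plain; charset=us-ascii

Congratulations! PayPal has successfully charged $175 to your credit
card. To see details please click this link.
"""
SAMPLE_CLEAN = """From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch
Content-Type: text/plain; charset=us-ascii

Lunch tomorrow at noon?
"""
```

The exact header strings are a triage signal rather than proof, since any message that copies them will match; confirm on the host with the "Reactor5" Run-key indicator from the Symptoms section.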