Virus

W32/MyDoom.BI@mm

Analysis

  • Creates a mutex named -=RTSW.Smash 0a2a1=-.
  • Copies itself to the System folder as lsasrv.exe.
  • Drops the following clean files to the System folder:

    • version.ini
    • hserv.exe
    • Mes#wtelw

    Registry Modification

  • Adds the value
    lsass = "%SYSTEM%\lsasrv.exe", where %SYSTEM% refers to the System folder
    to the registry subkeys
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • Adds the following registry subkey:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellSmash

  • Adds the value
    Shell = "explorer.exe %SYSTEM%\lsasrv.exe", where %SYSTEM% refers to the System folder
    to the registry subkeys
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
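The three persistence changes above (the Run value, the ShellSmash subkey, and the hijacked Winlogon Shell value) are straightforward to check for offline. The following is an added defender-side example, not code from the original analysis: it parses a constructed .reg-style export of the affected keys and flags each of the indicators listed above. The export format, the key paths in full HKEY_ form, and the clean baseline Shell value "explorer.exe" are assumptions.

```python
import re

# Constructed sample export (not a real capture): the MyDoom.BI values from the
# analysis above, mixed with two benign values so the checks have something to skip.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass"="C:\\WINDOWS\\system32\\lsasrv.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellSmash]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\lsasrv.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a minimal .reg-style text.

    Only string values of the form "name"="data" are handled; that is all the
    indicators on this page need.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes as "\\"; collapse them to "\".
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mydoom_bi_indicators(keys):
    """Return (kind, detail) tuples for each MyDoom.BI persistence indicator found."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\explorer\shellsmash"):
            findings.append(("subkey", path))
        if low.endswith(r"\currentversion\run"):
            # Genuine lsass.exe is never started from a Run key, and lsasrv.exe
            # is not a Windows binary (lsasrv.dll is).
            for name, data in values.items():
                if name.lower() == "lsass" or data.lower().endswith("lsasrv.exe"):
                    findings.append(("run_value", f"{path}\\{name}={data}"))
        if low.endswith(r"\winlogon"):
            shell = values.get("Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell", shell))
    return findings
```

Run the checks on a real export of both the HKLM and HKCU keys named above; the Winlogon Shell check is deliberately generic, since any value beyond the bare "explorer.exe" merits a look, not only this worm's.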


    Email Propagation

  • Sends emails to the addresses it finds, except email addresses that contain certain strings, such as:
    • .gov
    • .mil
    • account
    • acketst
    • admin
    • anyone
    • arc
    • arin.
    • avp
    • berkley
    • borlan
    • bsd
    • bugs
    • ca
    • certific
    • contact
    • example
    • feste

  • The email has the following format:

     From: any of various names, such as:

    • Abdulrazak
    • Ackerman
    • Adams
    • Addison
    • Adelstein
    • Adibe
    • Adorno
    • Ahlers
    • Alavi
    • Alcorn
    • Aleks
    • Allison
    • Alongi
    • Altavilla
    • Altenberger
    • Altenhofen
    • Amaral
    • Amatangelo

     Subject: can be empty or any of the following:

    • Attention!!!
    • Do not reply to this email
    • Error
    • Good day
    • hello
    • Mail Delivery System
    • Mail Transaction Failed
    • Server Report
    • Status

     Message body: any of various statements, such as:

    • The message contains Unicode characters and has been sent as a binary attachment.
    • Mail transaction failed. Partial message is available.
    • Bad Gateway: The message has been attached.

     Attachment name: [Filename].[Extension]

      [Filename] can be any of the following:

    • body
    • message
    • docs
    • data
    • file
    • rules
    • doc
    • readme
    • document

      [Extension] can be any of the following:

    • bat
    • cmd
    • exe
    • pif
    • scr
    • zip


    Peer-to-peer Propagation

  • Attempts to copy itself to the share folder of the following peer-to-peer applications:
    • Kazaa
    • Morpheus
    • iMesh
    • eDonkey
    • LimeWire

  • The filename can be any of the following:
    • porno
    • NeroBROM6.3.1.27
    • avpprokey
    • Ad-awareref01R349
    • winxp_patch
    • adultpasswds
    • dcom_patches
    • K-LiteCodecPack2.34a
    • activation_crack
    • icq2004-final
    • winamp5


    Backdoor/Trojan Behavior

  • Blocks access to the following security-related websites:

    • www.symantec.com
    • securityresponse.symantec.com
    • symantec.com
    • www.sophos.com
    • sophos.com
    • www.mcafee.com
    • mcafee.com
    • liveupdate.symantecliveupdate.com
    • www.viruslist.com
    • viruslist.com
    • www.f-secure.com
    • f-secure.com
    • kaspersky.com
    • kaspersky-labs.com
    • www.avp.com
    • avp.com
    • www.kaspersky.com
    • www.networkassociates.com
    • networkassociates.com
    • www.ca.com
    • ca.com
    • mast.mcafee.com
    • www.my-etrust.com
    • my-etrust.com
    • download.mcafee.com
    • dispatch.mcafee.com
    • secure.nai.com
    • www.nai.com
    • nai.com
    • update.symantec.com
    • updates.symantec.com
    • us.mcafee.com
    • liveupdate.symantec.com
    • customer.symantec.com
    • rads.mcafee.com
    • www.trendmicro.com
    • trendmicro.com
    • www.grisoft.com
    • grisoft.com

  • Attempts to kill the following processes:

    • bbeagle.exe
    • d3dupdate.exe
    • i11r54n4.exe
    • irun4.exe
    • msblast.exe
    • mscvb32.exe
    • navapw32.exe
    • navw32.exe
    • netstat.exe
    • outpost.exe
    • pandaavengine.exe
    • penis32.exe
    • rate.exe
    • ssate.exe
    • sysinfo.exe
    • sysmonxp.exe
    • taskmon.exe
    • teekids.exe
    • wincfg32.exe
    • winsys.exe
    • winupd.exe
    • zapro.exe
    • zonealarm.exe

Recommended Action

    FortiGate systems:
  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.