Virus

W32/MyDoom.BJ@mm

Analysis

This variant is very similar to earlier variants in the family: it is coded in Visual C and carries the routines needed to spread to other systems by SMTP email.

If the threat is run manually, it opens Notepad displaying seemingly random "garbage" text read from a file it writes to the %Temp% folder as "message.txt". This decoy is common to MyDoom variants and distracts from what is going on in the background: while the user is trying to interpret the characters, the virus copies itself to the hard drive, loads into memory and carries out its coded functions.

The virus also has the following characteristics -

  • functions as a backdoor Trojan
  • steals logon passwords for an online financial institution based in China
  • copies itself to the shared folder of the P2P application Kazaa

Loading at Windows startup
The virus copies itself to the local system under names that mimic the legitimate svchost.exe and winlogon.exe (a zero in place of the letter "o") -

c:\WINNT\system32\svch0st.exe (362,016 bytes)
c:\WINNT\system32\WINLOG0N.EXE (435,232 bytes)
c:\WINNT\system32\wxapi.dll (37,888 bytes)

The virus will register itself to load at Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Systems" = C:\WINNT\System32\svch0st.exe
"WINLOG0N" = C:\WINNT\System32\WINLOG0N.EXE
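The persistence above relies on file names that look like core Windows binaries at a glance. As an added illustration (not code from the original write-up), the following Python script flags Run-key values and System32 files whose names collapse to a legitimate binary name once digit-for-letter swaps are undone, and also matches the exact artifact names and sizes listed above. It parses a constructed "reg query" dump and a constructed directory listing so it runs offline; on a live host you would feed it the real output of "reg query ...\Run" and "dir". The confusable-character table and the sample command lines are assumptions made for the example.

```python
"""Added example (not from the Fortinet write-up): detect Run-key entries and
System32 files that imitate svchost.exe / winlogon.exe with digit swaps, the
persistence trick used by this variant.  Inputs are constructed samples."""
import re

# Legitimate binaries the variant imitates (the only ones this page supports).
LEGIT_BINARIES = {"svchost.exe", "winlogon.exe"}

# Digit-for-letter confusions used in lookalike names (assumed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s"}

# Exact artifacts named in the write-up, with the sizes it reports.
KNOWN_FILES = {
    "svch0st.exe": 362016,
    "winlog0n.exe": 435232,
    "wxapi.dll": 37888,
}

# Constructed output of: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Systems     REG_SZ    C:\WINNT\System32\svch0st.exe
    WINLOG0N    REG_SZ    C:\WINNT\System32\WINLOG0N.EXE
    Updater     REG_SZ    "C:\Program Files\Vendor\update.exe" /quiet
"""

# Constructed "name size" listing of %SystemRoot%\System32.
SAMPLE_LISTING = """svchost.exe 14336
svch0st.exe 362016
WINLOG0N.EXE 435232
wxapi.dll 37888
kernel32.dll 1234"""


def normalize(name):
    """Lower-case a file name and map confusable digits back to letters."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def is_lookalike(name):
    """True if the name is not a legitimate binary but normalizes to one."""
    lowered = name.lower()
    return lowered not in LEGIT_BINARIES and normalize(lowered) in LEGIT_BINARIES


def _executable_from_command(data):
    """Return the program file name from a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]   # quoted path with arguments after it
    else:
        path = data.split()[0]
    return path.replace("/", "\\").split("\\")[-1]


def scan_run_key(reg_dump):
    """Parse 'reg query' output; return (value name, data) for lookalike programs."""
    hits = []
    # reg query prints:  <value name>   REG_SZ   <data>
    for line in reg_dump.splitlines():
        m = re.match(r"\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if not m:
            continue
        value, data = m.groups()
        if is_lookalike(_executable_from_command(data)):
            hits.append((value, data))
    return hits


def scan_listing(listing):
    """Parse 'name size' lines; return (name, reason) for suspicious files."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, size = parts[0], int(parts[1])
        if KNOWN_FILES.get(name.lower()) == size:
            hits.append((name, "known artifact, size matches"))
        elif is_lookalike(name):
            hits.append((name, "lookalike of a system binary"))
    return hits


if __name__ == "__main__":
    for value, data in scan_run_key(SAMPLE_REG_QUERY):
        print(f"suspicious Run value {value!r} -> {data}")
    for name, reason in scan_listing(SAMPLE_LISTING):
        print(f"suspicious file {name}: {reason}")
```

The size match is the stronger signal for this exact sample; the lookalike check is the one that survives a recompile, because the zero-for-o trick only works if nobody normalizes the name before comparing it.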

Password Stealing Routine
The virus monitors access to the following web site -

https://mybank.icbc.com.cn/icbc/perbank/index.jsp

Logon credentials for this site are captured and emailed to the address 'trgonbonb@163.pbz' (presumably the author of the password-stealing code) using the SMTP engine built into the virus. Near the password-stealing code the virus contains the following string, which is never displayed -

GET-Taobao And Bank For Svch0st

Kazaa Share Routine
The virus uses the registry to locate the shared folder of the peer-to-peer application Kazaa and copies itself there under any or all of the following file names -

office_sn
do_love_photo
strip-girlsex_movies
gril_photo
MSN2005-final
winamp6

SMTP mass-mailing routine
The virus sends a copy of itself to contacts harvested from files with certain extensions. It appears to have borrowed the harvest and exclusion routines of the W32/Mydoom virus family. Email addresses are collected from files with these extensions -

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt

The harvested addresses are the targets of the mailing routine. As with other viruses using this technique, addresses containing certain strings are skipped. The email message is built from hard-coded values stored in the encrypted virus body. The "From" address is spoofed and may use any of the following names as the local part of the address -

sandra@
linda@
julie@
jimmy@
jerry@
helen@
debby@
claudia@
brenda@
anna@
alice@
brent@
adam@
ted@
fred@
jack@
bill@
stan@
smith@
steve@
matt@
dave@
dan@
joe@
jane@
bob@
robert@
peter@
tom@
ray@
mary@
serg@
brian@
jim@
maria@
leo@
jose@
andrew@
sam@
george@
david@
kevin@
mike@
james@
michael@
alex@
john@

The virus carries hard-coded subject lines and message bodies, and sends email with varying texts.

The possible subject lines are selected from these choices -

  • Do love
  • What doy you feel like doing tonight honey?
  • do love photo
  • I love you more than the stars above.
  • Do you love me?
  • Honey,our do love
  • please give me a kiss
  • my photo

The possible body texts are selected from these choices -

If I marry you,there are going to be some ground rules.

Sweetheart, i love you more than i can say!

I love you more than the stars above.

Give more photo of my.

The attachment file name is any of the following and may carry a .ZIP extension -

  • youbody
  • youmessage
  • youtest
  • youdata
  • youfile
  • youtext
  • youdoc
  • dolove
  • photo

Miscellaneous
When the virus is running in memory, it creates the following mutex -

Winwebrenlanq0

Recommended Action
FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
FortiClient systems:
  • Quarantine/Delete infected files detected