
Win32.MyDoom.AH@mm, Win32.MyDoom.AG@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.MyDoom.AH@mm, Win32.MyDoom.AG@mm is also known as Mydoom.

Explanation:

This version of the MyDoom worm exploits the Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515) in addition to its mass-mailing spreading routines.

This is how the buffer overflow vulnerability gets exploited:
The worm arrives in e-mail messages; these messages may contain links with text such as

"FREE ADULT VIDEO! SIGN UP NOW!"

or

"Look at my homepage with my last webcam photos!"

or

"Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days. To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.

Thank you for using PayPal."

or

"Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam
photos!"

When the user clicks on one of these links, the browser is redirected to an HTML page; this HTML page exploits the Internet Explorer IFRAME vulnerability so that malicious shellcode is executed; the shellcode downloads a copy of the MyDoom virus onto the vulnerable computer and executes it.

When executed, it deletes the following registry values from the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

center

eactor
Rhino
Reactor3
Reactor4

It creates a file (with a random filename) under the Windows system folder.

It then adds the value "Reactor5" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
pointing to that file. This way the virus is automatically executed at every system startup.
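The Run-key persistence described above can be checked for offline on a registry export. The following Python script is an added example, not part of the BitDefender write-up: it parses a constructed .reg export of the Run key and flags values whose names match the list given in this entry (plus, as a generalization, any name of the form "Reactor" followed by digits). The sample export, the file name "kdfjs.exe", and the helper names are constructed for illustration.

```python
import re

# Run-key value names named in this write-up (removed or added by the worm).
# Registry value names are case-insensitive, so everything is lowercased.
KNOWN_VALUE_NAMES = {"center", "reactor", "rhino", "reactor3", "reactor4", "reactor5"}
# Generalization (assumption): any "Reactor<digits>" name is treated as related.
REACTOR_PATTERN = re.compile(r"^reactor\d*$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Matches a value line of a .reg export:  "Name"="C:\\path\\file.exe"
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_key(reg_text: str) -> dict:
    """Return {value_name: data} for the HKLM Run key found in a .reg export."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key section starts; only the HKLM Run key is of interest.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_LINE.match(line)
        if m:
            # .reg files escape backslashes as "\\"; undo that for readability.
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_suspicious_values(values: dict) -> list:
    """Return the Run-key value names that match the MyDoom.AH list or pattern."""
    hits = []
    for name in values:
        lowered = name.lower()
        if lowered in KNOWN_VALUE_NAMES or REACTOR_PATTERN.match(lowered):
            hits.append(name)
    return hits


# Constructed sample export: one benign entry and one worm-style entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Reactor5"="C:\\WINDOWS\\system32\\kdfjs.exe"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"Reactor3"="not in the Run key, so not reported"
"""


def scan_export(reg_text: str) -> list:
    """Parse an export and return the suspicious Run-key value names."""
    return find_suspicious_values(parse_run_key(reg_text))


if __name__ == "__main__":
    for name in scan_export(SAMPLE_REG):
        print(f"suspicious Run value: {name}")
```

Only the HKLM Run key is inspected, because that is the key this entry names; the same parser can be pointed at other autostart keys by changing RUN_KEY.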

It attempts to find the window Shell_TrayWnd, and attempts to create a malicious thread inside the process that owns that window (typically Explorer.exe).

If it cannot find the window Shell_TrayWnd, the worm gets a handle to the foreground window and attempts to inject itself in the process that owns the window.

In the remote thread, it attempts to load the needed libraries. It creates the Mutex "Load5" to avoid further executions.

[IRC Thread]

The virus has its own trivial IRC client, and attempts to connect to one of the following
IRC Servers:

"flanders.be.eu.undernet.org"
"caen.fr.eu.undernet.org"
"brussels.be.eu.undernet.org"
"los-angeles.ca.us.undernet.org"
"washington.dc.us.undernet.org"
"london.uk.eu.undernet.org"
"diemen.nl.eu.undernet.org"
"lulea.se.eu.undernet.org"
"broadway.ny.us.dal.net"

[Mail Thread]

This is a mass-mailing worm; it attempts to find valid e-mail addresses in files with the extensions "wab", "pl", "adb", "tbb", "dbx", "asp", "php", "sht", "htm", "txt".

The "from" field is spoofed (randomly chosen from a list inside the virus body).

The worm also adds an "X-Antivirus" field to the e-mail headers:
"scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)"
or
"Checked for viruses by Gordano's AntiVirus Software Checked by Dr.Web (http://www.drweb.net)"
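The forged "X-Antivirus" header and the lure texts quoted earlier in this entry are the parts of the worm's mail that a gateway can match on. The following Python script is an added example, not part of the BitDefender write-up: it parses raw messages with the standard library's email module and reports which of those indicators each message carries. The two sample messages and the address "victim@example.com" are constructed for illustration.

```python
import email
from email import policy

# The two forged header values given in this write-up.
FORGED_XAV_HEADERS = {
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked for viruses by Gordano's AntiVirus Software Checked by Dr.Web (http://www.drweb.net)",
}

# Fragments of the lure texts quoted in this write-up.
LURE_PHRASES = (
    "FREE ADULT VIDEO! SIGN UP NOW!",
    "last webcam photos",
    "PayPal has successfully charged",
)


def _norm(text: str) -> str:
    """Collapse folding whitespace so folded headers compare equal to the list."""
    return " ".join(text.split())


_NORMALIZED_XAV = {_norm(h) for h in FORGED_XAV_HEADERS}


def classify_message(raw: bytes) -> list:
    """Return the list of MyDoom.AH indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    xav = msg.get("X-Antivirus")
    if xav and _norm(xav) in _NORMALIZED_XAV:
        reasons.append("X-Antivirus header matches a MyDoom.AH forgery")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase.lower() in text.lower():
            reasons.append(f"lure text present: {phrase!r}")
            break  # one lure hit is enough to report

    return reasons


# Constructed sample resembling the worm's mail (folded X-Antivirus header).
SAMPLE_WORM = b"""From: friend@example.com
To: victim@example.com
Subject: hi
X-Antivirus: scanned for viruses by AMaViS 0.2.1
 (http://amavis.org/)
Content-Type: text/plain; charset=us-ascii

Look at my homepage with my last webcam photos!
http://example.com/page
"""

# Constructed benign sample with an ordinary scanner header.
SAMPLE_CLEAN = b"""From: alice@example.com
To: victim@example.com
Subject: lunch
X-Antivirus: scanned by the corporate gateway
Content-Type: text/plain; charset=us-ascii

See you at noon.
"""


if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(label, classify_message(sample) or ["no indicators"])
```

Header matching is exact after whitespace normalization, because the value is fixed inside the worm body; the lure-phrase check is a loose secondary signal and on its own is only a reason to look closer.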

Last update 21 November 2011
