Hysterical first technical alert from US-CERT

From: Larry Seltzer (larry_at_larryseltzer.com)
Date: 02/03/04

  • Next message: Andrew Harwood: "RE: MS to stop allowing passwords in URLs" 
    To: <bugtraq@securityfocus.com>
Date: Tue, 3 Feb 2004 07:11:49 -0500

    I just got the alert below from US-CERT. It's one of the new lists they started. Some
    things about it bother me.

    First, it's dated 1/28, the day MyDoom.B was discovered, and the message sent field says
    that too; other dates in the headers disagree.

    Second, and more to the point, it takes an extreme view of MyDoom.B that nobody else is
    supporting, including the sources they cite. MyDoom.B is a flop.

    Am I misreading something? Did anyone else get this on 1/28?

    Larry Seltzer
    eWEEK.com Security Center Editor
    http://security.eweek.com/
    larryseltzer@ziffdavis.com

    -----Original Message-----
    From: CERT Advisory [mailto:cert-advisory@cert.org]
    Sent: Wednesday, January 28, 2004 7:12 PM
    To: US-CERT Community:
    Subject: US CERT Technical Alert TA04-028A MyDoom.B Rapidly Spreading

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    MyDoom.B Rapidly Spreading

       Mydoom.B is a new variant of the Mydoom worm and is about 29,184
       bytes. This variant attempts to perform a Distributed Denial of
       Service (DDoS) attack against Microsoft.com. Details regarding this
       new worm are still emerging, but it has been validated as spreading in
       the wild. Facts about the worm will be further qualified with follow
       up reports following this initial analysis.

       For the latest information about this worm from US-CERT, readers are
       encouraged to visit http://www.us-cert.gov/cas/techalerts/TA04-028A.html.

       E-mails sent out by Mydoom.B are highly randomized. The From address
       may be spoofed to include one of the following domains: aol.com,
       msn.com, yahoo.com and hotmail.com. A randomized string value may then
       be combined with these to generate new e-mails. This may result in
       overload e-mail servers with many false addresses and auto-replies
       associated with such traffic.

       The subject is randomized to include one of the following
       following:

         * Delivery Error
         * hello
         * Error
         * Mail Delivery System
         * Mail Transaction Failed
         * Returned mail
         * Server Report
         * Status
         * Unable to deliver the message

       The subject may also contain randomized data as seen in a recent live
       sample: "RE: I still love you fLctv".

       The message body is also randomized to include one of the
       following:

         * RANDOMIZED CHARACTERS
         * test
         * The message cannot be represented in 7-bit ASCII encoding and has
           been sent as a binary attachment.
         * sendmail daemon reported: Error #804 occured during SMTP session.
           Partial message has been received.
         * The message contains Unicode characters and has been sent as a
           binary attachment.
         * The message contains MIME-encoded graphics and has been sent as a
           binary attachment.
         * Mail transaction failed. Partial message is available.

       The attachments have a randomized filename selected from one of the
       following string values:

         * body
         * doc
         * text
         * document
         * data
         * file
         * readme
         * message

       The randomized string value is then combined with a randomized
       extension: .exe, .bat, .scr, .cmd or .pif. If the malicious attachment
       is executed, it then opens notepad.exe and displays garbled data
       (binary).

       Once executed, the worm attempts to create the following files in the
       Windows System directory: explorer.exe and dtfmon.dll. The Windows
       registry is then modified to run the worm in memory upon Windows
       startup:

         HKLM\Software\Microsoft\Windows\CurrentVersion\Run
         Explorer=C:WINDOWS SYSTEM DIRECTORY\explorer.exe

       The DLL component is associated with a backdoor feature of this worm.
       It is likely that this Trojan worms like the one in Mydoom.A. It scans
       through a range of TCP addresses looking for inbound TCP traffic.
       Inbound TCP traffic can be used to configure the infected computer as
       a proxy computer or to install code of choice on the infected
       computer. More importantly, attackers are already working on tools to
       hijack Mydoom infected computers to install code of choice.

       The DDoS attack of Mydoom.B is against www.microsoft.com. There is
       information claiming that it may also be directed at sco.com, but this
       is unsubstantiated at this time. It appears that the more credible
       data is that it only performs a DDoS attack against www.microsoft.com,
       though a previosu version of the virus is confirmed to attack SCO.

       To spread over the KaZaA P2P network, Mydoom.B creates copies of
       itself in the KaZaA shared directory with randomized filenames.
       Filenames include:

         * attackXP-1.26
         * BlackIce_Firewall_Enterpriseactivation_crack
         * MS04-01_hotfix
         * NessusScan_pro
         * icq2004-final
         * winamp5
         * xsharez_scanner
         * zapSetup_40_148

       A randomized extension is then added to the filename selected above,
       being .exe, .scr, .pif or .bat.

       Mydoom.B attempts to harvest e-mails from Temporary Internet files as
       well as via randomized e-mails aforementioned. It does not include any
       e-mails containing the following strings: abuse, accoun, certific,
       listserv, ntivi, icrosoft, admin, page, the.bat, gold-certs, feste,
       submit, help, service, privacy, somebody, soft, contact, site, rating,
       bugs, your, someone, anyone, nothing, nobody, noone, webmaster,
       postmaster, support, samples, info, root, ruslis, nodomai, mydomai,
       example, inpris, borlan, nai., sopho, foo., .mil, gov., .gov, panda,
       icrosof, syma, kasper, mozilla, utgers.ed, tanford.e, acketst, secur,
       isc.o, isi.e, ripe., arin., sendmail, rfc-ed, ietf, iana, usenet,
       fido, linux, kernel, google, ibm.com, fsf., mit.e, math, unix,
       berkeley and spam.

       Mydoom.B also opens TCP port 10080. The worm contains the following
       string: "sync-1.01; andy; I'm just doing my job, nothing personal,
       sorry".

       Alias: Mydoom, Novarg, Mydoom.B

       Sources:

         F-Secure Corp. (http://www.f-secure.com/v-descs/mydoom_b.shtml),
         Jan. 28, 2004

         Bit Defender
         (http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=186),
         Jan. 28, 2004

         iDEFENSE Intelligence Operations, Jan. 28, 2004 Sensible Security
         Solutions Inc. (http://www.sss.ca/), Jan. 28, 2004

       According to iDEFENSE, this new variant of Mydoom appears to have
       different MIMI data for malicious e-mails. The content type appears to
       be plain text and includes a ZIP extension. Mydoom.A had a content
       type of application/octet-stream and multipart/mixed data. It is
       likely that this newest variant of Mydoom will become very widespread
       in the wild. The first variant had well over 3M interceptions by just
       two sources in the first 18 hours of the outbreak.

       Look for questionable files about 29,184 bytes. Look for notepad.exe
       to be opened, displaying binary data (garbled text). Also look for the
       Windows registry created by the worm.

       Recovery: Remove all files and the Windows registry key modifications
       associated with this malicious code threat. Restore corrupted or
       damaged files with clean backup copies.

       Workaround: Configure e-mail servers and workstations to block file
       types commonly used by malicious code to spread to other computers.
       Block ZIP and executable extensions on the gateway and groupware
       level. Also monitor traffic on the network and block ports associated
       with Mydoom, especially inbound TCP ports for the backdoor Trojan
       component and the outbound TCP 10080 port data. Administrators may
       also find value in monitoring traffic associated with the DDoS
       component. Carefully manage all new files, scanning them with updated
       anti-virus software using heuristics prior to use.

       Vendor Fix: Anti-virus vendors will likely release updated signature
       files to protect against this malicious code in the near future. Some
       anti-virus applications may detect this malicious code heuristically.

         Name of Malicious Code: Mydoom.B
         Aliases:
         Mydoom.B
         Mydoom
         Novarg
         Size in Bytes: 29184
         Subjects: RE: I still love you fLctv
         Body: Error 551: We are sorry your UTF-8 encoding is not supported
         by the server, so the text was automatically zipped and attached to
         this message.
         Attachments: message.zip

       This document was developed based on material contributed by iDEFENSE.
       Our thanks for their contribution.

                           Last updated January 28, 2004
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQFAGEufXlvNRxAkFWARAjEOAJ92cfCtcUVX+/6CGoRwGj7mIbxhzQCg0mdJ
    /ip1ThurA7opfYb0JUET2UI=
    =j+iB
    -----END PGP SIGNATURE-----

  • Next message: Andrew Harwood: "RE: MS to stop allowing passwords in URLs"