Several High-Level Worm Threats Reported

By CIO Update Staff

(Back to article)

Several security vendors have issued emergency, high outbreak alerts for W32/MyDoom-A, a worm that travels by email and are warning systems administrators around the world to ensure their systems are protected.

According to Sophos, the worm harvests email addresses from a hard disk and uses randomly-chosen addresses for both the "to" and "from" fields. This means that the "from" address is spoofed and does not tell you where the mail really came from.

W32/MyDoom-A arrives in emails with the following characteristics:

Subject lines include:
mail delivery system
mail transaction failed
server report
[random collection of characters]

Attachment names include:
[random collection of characters]

Attachment extensions:

W32/MyDoom-A attaches itself to emails in either EXE (Windows program) or ZIP (Zip archive) format.

W32/MyDoom-A drops itself to a System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on a computer.

W32/MyDoom-A adds the value:

Taskmon = taskmon.exe

to the following registry key:


This means that W32/MyDoom-A loads every time a users logs on to their computer.

Instructions for removing worms are at this Sophos page.

MessageLabs is also reporting it has intercepted a high number of copies of the worm, which it recognizes as W32/Mydoom.A-mm.

The first intercepted copy came from Russia, the vendor reports.

W32/Mydoom.A-mm is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa.

The worm harvests addresses from infected machines and targets files with the following extensions:
.wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt.

W32/Mydoom.A-mm also tries to randomly generate or guess likely email addresses to send itself to.

In addition, initial analysis suggests that Mydoom opens a connection on TCP port 3127, an indication of a remote access component.

Email characteristics:
From: Random, spoofed email address
Subject: Random
Text: Various, including:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • Attached file: Various,extensions including .exe, .pif, .cmd, .scr. The attachment often arrives in a zip archive, and is also represented by what appears to be a text file icon, but is in fact an executable.

    For more information visit this Messagelabs page.

    According to Network Associates, W32/Mydoom@MM copies itself to the KaZaa Shared Directory with the following filenames:

  • nuke2004
  • office_crack
  • rootkitXP
  • strip-girl-2.0bdcom_patches
  • activation_crack
  • icq2004-final
  • winamp

    The worm opens a connection on TCP port 3127 suggesting remote access capabilities.

    On the first system startup on Feb. 2nd or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against the sco.com domain. This denial of service attack will stop on the first system startup of Feb. 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.

    More information is at this Network Associates page.

    Novarg.A@mm Sets Up Backdoor Into System Upon Infection

    Symantec has also issued a high threat alert for W32.Novarg.A@mm, a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

    When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 thru 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

    The worm will perform a DoS starting on Feb. 1, 2004. It also has a trigger date to stop spreading on Feb. 12, 2004.

    Technical details are at this Symantec page.

    Mimail Variants Also a High Threat

    Vendors are also reporting the appearance of the new Mimail.Q (W32/Mimail.Q.worm) worm. This new variant is very similar to its predecessors and according to data collected by Panda Software's international support network, has already caused some incidents.

    Mimail.Q spreads via e-mail and its most dangerous effect is that it has been designed to try to steal confidential data. It does this using a form that simulates a form belonging to Microsoft warning the user that the Windows license has expired.

    Mimail.Q reaches computers in an e-mail message with an extremely variable sender, subject, message body and attachment. An example of the characteristics of an e-mail message carrying this worm is the following:

    Subject: very nice picture

    Good evening Ella
    I shocked
    My boss had best sex last evening with the mom of Jeremy!
    I turned on my hp device and make cool pictures!
    Please don't show it to somebody, I rely on you.

    Attachment: privateimgs.gif.exe

    The attached file is polymorphic and actually contains a dropper. When this file is run, it installs Mimail.Q on the computer in a file called outlook.exe.

    When it has been installed on a computer, Mimail.Q looks for e-mail addresses to send itself to in different types of files. It stores the addresses it finds in a file called outlook.cfg.

    Mimail.Q also tries to steal confidential information from affected computers. In order to do this, it displays a fake form that warns users that their Windows license has expired, and prompts them to renew it. This form requests personal data including a credit card number, its expiration date and its PIN.

    Finally, the worm creates an entry in the Windows Registry to ensure that it is run whenever the affected computer is started up.

    Due to the possibility of being infected by Mimail.Q, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions if they haven't already done so.

    For the full list of characteristics, visit Panda Software's Virus Encyclopedia here.

    According to Sophos, the W32/Mimail-Q worm spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named outlook.cfg in the Windows folder.

    The email can arrive with random properties which are built up from extensive lists contained within W32/Mimail-Q.

    W32/Mimail-Q creates fake a Microsoft Web page in the root folder named MSHOME.HTA in order to steal personal information. This page is displayed when W32/Mimail-Q is executed and prompts the user to enter credit card and other personal information.

    Several files are dropped into C:\ and can be deleted:

    In order to run automatically when windows starts up the worm copies itself to the file sys32.exe in the Windows folder and sets the registry entry:
    pointing to this file.

    The worm also drops the file outlook.exe into the Windows folder.

    W32/Mimail-Q displays a fake error message:
    ERROR: Bad CRC32
    when run.

    Instructions for removing worms are at this Sophos page.

    According to Symantec, W32.Mimail.Q@mm is polymorphic in nature and is similar to W32.Mimail.A@mm. The worm creates a polymorphically modified version of itself as Sys32.exe and a static version of itself as Outlook.exe, which Symantec previously detected as W32.Mimail.Gen.

    The worm attempts to send itself by email to the email addresses found on the system. The message body and subject lines can vary.

    The worm may also display a dialog box prompting a user for personal information to steal e-gold account information, and attempt to steal other system information.

    Find out more at this Symantec page.

    Trend Micro has declared a yellow or medium-level alert to control the spread of WORM_MIMAIL.R.

    This mass-mailing worm selects from a list of email subjects, message bodies, and attachment file names for its email messages. It spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users on infected machines.

    It can also propagate using the Kazaa peer-to-peer file sharing network.

    It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is Feb. 1, 2004 or later. It ceases attacking the site and running most of its routines on Feb. 12, 2004.

    It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens port 3127 to 3198 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after Feb. 12, 2004.

    This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Technical details are at this Trend Micro page.

    Dumaru Variants Continue to Wreak Havoc

    McAfee has upgraded the risk assessment of W32/Dumaru.y@MM to Medium from Low-Profiled. This is due to increased prevalence.

    On Sunday, the vendor reported a new minor variant of this worm was received, W32/Dumaru.z@MM. W32/Dumaru.z@MM is very similar to the y variant, the major differences being:
    --Filesize: approx 14,550 bytes
    --File download: this variant is intended to download a remote file (URL hard-coded in body). This remote file may change, but at the time of writing it was a variant of W32/Spybot.worm. This is written to disk as %SysDir%\NVIDIA32.EXE. This is detected as W32/Spybot.worm.gen with the 4288 DATs or greater.

    The email message constructed is identical to that for the y variant.

    Find out more at this Network Associates page.

    And Sophos has now issued an alert for W32/Dumaru-K, which it reports is an email worm, a password stealing Trojan and a downloader for an IRC backdoor Trojan. W32/Dumaru-K arrives in an email with the following characteristics:

    Subject line: Important information for you. Read it immediately!
    Message text: Here is my photo, that you asked for yesterday.
    Attached file: myphoto.zip

    The email addresses that this email is mass-mailed to are harvested from files with the following extensions and then saved to the file winload.log in the Windows folder:

    When W32/Dumaru-K is run the following copies will be created:

    The following registry entries are created with references to these copies of the worm:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    = explorer C:\\vxd32v.exe

    More information is at this Sophos page.

    --Compiled by Esther Shein