MyDoom Update
From Nasty to Nastier: MyDoom.F Deletes Word, Excel Files
24 February 2004
About the Virus
A harsh new variant of the MyDoom worm, dubbed MyDoom.F, appeared late Friday
but at first spread slowly. Yesterday, anti-virus vendors McAfee and Symantec
raised their alert levels for MyDoom.F, which has finally gathered enough
traction to spread in earnest. Our previous alerts on MyDoom and MyDoom.B
detailed defensive countermeasures you can apply, but you should be aware of
dangerous new wrinkles in version F of this persistent pest.
General Description
Like its predecessors, MyDoom.F spreads using its own SMTP engine and by
copying itself to shared drives. It contains a backdoor component and on certain
dates attempts a Denial of Service attack (this time, on Microsoft and on the
RIAA). Anti-virus vendors have identified 60 different Subject lines it uses
(see the complete list on F-Secure's site). The
body can be any of 27 variations, each of them fewer than 13 words (McAfee's
complete list is here). The attachment
uses one of 46 known names (specified in Sophos' description).
Dangerous Differences from Earlier Variants
So what's new and worth your attention? MyDoom.F now:
Contains a destructive payload. MyDoom.F deletes a seemingly random
selection of Word documents, image, audio and video files, and Excel
spreadsheets. Specifically, it searches for files with the extensions .mdb,
.doc, .xls, .sav, .jpg, .avi, and .bmp in the %System% folder on drives C to Z,
whether the drive is a hard disk, remote drive, or RAM drive. It deletes some of
the files; one source described it as "randomly deletes," another claimed, "40
percent of the time."
Tries to turn off some anti-virus software. Specifically, MyDoom.F
terminates processes whose name contains certain character strings, including
"norton" and "mcafe." (For the complete list of process names it terminates,
see this Symantec alert.) Oddly, MyDoom.F plays favorites: it avoids email
addresses including the strings "sopho," "panda," and "syma," apparently trying
to avoid anti-virus makers Sophos, Panda, and Symantec.
Disguises its file type. Though MyDoom.F most commonly arrives as a
ZIP attachment, its icon looks like a text file. This is sure to fool
some of your users, who feel confident that text files are harmless. Some
iterations of MyDoom.F use double extensions. What the user sees appears to be a
harmless file type (such as .txt or .html), but after that benign-looking
extension the name can contain 40 to 159 spaces before ending in its real
(malicious) file type (such as .exe, .pif, or .scr).
Can arrive as a .com file. In addition to the file types we've
described to you before, MyDoom.F adds .com to the types of extensions it uses.
Thus, the complete list of file types it uses is now: .pif, .scr, .exe, .cmd,
.com, .bat, or .zip. Please refer to our past alerts
if you use Firebox models II, III, or X and need instructions on how to use the
SMTP Proxy to strip away .com files. The proxy's default configuration strips
.com, so you might not need to make any adjustments.
Listens on TCP port 1080 and on ports 3000 to 5000. If the worm successfully
infects a machine, it tries to open port 1080, where it listens for further
instructions from its author (who identifies himself in MyDoom.F's code as
"Irony.") According to McAfee, MyDoom.F also opens other ports in the range
3000 to 5000. WatchGuard firewalls block these ports by default.
Thorough administrators should check any custom services they've made to verify
that they haven't opened these ports unnecessarily. (Note to SOHO users:
if you feel unsure about what ports you've opened, try reading the recent
LiveSecurity explanation of how to implement SOHO 6 egress
filtering. Probably, you don't need to adjust your SOHO, but you'll derive
peace of mind from understanding how the SOHO works.)
Does not expire. Unlike previous versions, MyDoom.F is not coded with
a suicide date, when the worm is programmed to deactivate itself. MyDoom.F will
remain active in a computer until it is removed.
May resurrect after removal. If you use Windows XP or ME, removing the
worm superficially will not prevent it from reinfecting a system. Windows ME and
XP utilize a restore utility that backs up selected files automatically to the
C:\_Restore folder. This means that an infected file could be stored there as a
backup file and can be invisible to some virus scanners. To disable this System
Restore function, refer to McAfee's instructions.
For two years, we've wondered why today's rapid-spreading, multi-threaded
worms haven't been more destructive than what we've seen so far. MyDoom.F ushers
in what experts have long anticipated: a worm that attempts not merely to
spread, but also to destroy your data. Rest assured that the LiveSecurity
Service will update you whenever MyDoom changes significantly.
References:
Description of MyDoom.F from Wired (suitable for interested executives)
Original LiveSecurity MyDoom alert
LiveSecurity alert on MyDoom.B. Remedies for MyDoom.F are the same as those
given there, except add .com as a possible file type and TCP port 1080 as a port
to block.
McAfee description of MyDoom.F
Symantec description of MyDoom.F
Symantec MyDoom Removal Tool
Credits: Researched and written by Scott Pinzon.