An Update On: MyDoom
MyDoom's First Victims Help Spread New MyDoom.B
28 January 2004
Since our 26 January alert we have learned important new facts about MyDoom,
including that a new variant, MyDoom.B, is spreading and appears to use machines
already infected by the original MyDoom.A as its launchpad.
MyDoom.A Updates
New facts that should help you recognize and prevent MyDoom.A:
- In our first alert, we knew only that MyDoom used attachment names that looked
random and ended in .EXE, .BAT, .SCR, .PIF, .CMD or .ZIP. Since then, McAfee has
released the fixed list of base names the worm actually chooses from. MyDoom's
attachment name begins with one of these (and ends with one of the extensions
just listed):
- doc
- document
- message
- readme
- text
- hello
- body
- test
- data
- file
Sometimes MyDoom inserts a decoy second extension, such as .TXT or .HTM, between
the base name and the real extension. In these cases the name may contain a long
run of spaces after the decoy extension, so that the real extension is pushed out
of view in the mail client and the file looks harmless (e.g., document.htm [lots
of whitespace] .exe). The last extension is the one that matters.
- If MyDoom infects one of your computers, its back door code opens one TCP port
chosen from a range, not only 3127 as we first described. The worm first tries to
listen on TCP port 3127; if that port cannot be opened, it tries the next port in
sequence, and continues until it either succeeds or reaches TCP port 3198. The
good news is that MyDoom only listens on these ports rather than making outgoing
connections from them. All WatchGuard firewalls block incoming connections to
ports 3127 through 3198 by default, so even if you become infected, MyDoom's
author cannot reach your computer unless you have added a custom service allowing
any port within this range.
Anti-virus experts surmise that MyDoom's author has sent instructions to victim
machines listening on these ports, using them as unwitting e-mail relays to launch
MyDoom.B. This is why MyDoom.A victims are seen as stepping stones for the spread
of MyDoom.B.
- Many of our readers have expressed concern because they are receiving numerous
"Undeliverable Message" notifications, or messages from contacts and partners
informing them that a computer on their network has tried to send a virus. This
results from MyDoom spoofing its "From" address: many anti-virus products
automatically reply to the address in the "From" field of an infected e-mail to
inform the supposed sender that they are infected. Because MyDoom forges its
sender, you may receive such automated responses saying you are infected when you
are not. You can simply ignore these notifications. If a partner contacts you
directly, explain that MyDoom lies about its sender, so anti-virus measures may
claim an infected e-mail came from your network when it did not.
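The attachment-name pattern described above (a base name from McAfee's list, an optional decoy extension, whitespace padding, and a real executable or archive extension at the end) is easy to check mechanically. The following is an added example written for this update, not code from WatchGuard or McAfee; the sample MIME message is constructed for illustration, its base64 payload is just the word "hello", and the decoy-extension set is limited to the .TXT and .HTM cases the alert names (assumption: extend it for your own environment).

```python
import re
from email import message_from_string

# Base names McAfee reports MyDoom.A choosing from (the list in this alert).
MYDOOM_BASENAMES = {"doc", "document", "message", "readme", "text",
                    "hello", "body", "test", "data", "file"}
# Extensions the worm uses for the real attachment type.
MYDOOM_EXTENSIONS = {"exe", "bat", "scr", "pif", "cmd", "zip"}


def analyze_attachment(name):
    """Classify an attachment file name as 'clean', 'review' or 'block'.

    The real extension is the last dot-separated token; everything before it
    (base name, decoy extension, whitespace padding) is examined for the
    MyDoom.A patterns. Returns (verdict, reason).
    """
    # Collapse the padding trick: "document.htm          .exe" -> "document.htm.exe".
    collapsed = re.sub(r"\s+", "", name)
    padded = collapsed != name.strip()          # internal whitespace was present
    parts = collapsed.lower().split(".")
    if len(parts) < 2:
        return "clean", "no extension"
    base, exts = parts[0], parts[1:]
    real_ext, decoys = exts[-1], exts[:-1]
    if real_ext not in MYDOOM_EXTENSIONS:
        return "clean", "extension .%s is not one MyDoom uses" % real_ext
    reasons = []
    if base in MYDOOM_BASENAMES:
        reasons.append("base name %r is on the MyDoom list" % base)
    if decoys:
        reasons.append("double extension .%s.%s" % (".".join(decoys), real_ext))
    if padded:
        reasons.append("whitespace padding hides the real extension")
    if reasons:
        return "block", "; ".join(reasons)
    # Executable type but none of the worm's tells: leave it to policy.
    return "review", "executable extension .%s but no MyDoom pattern" % real_ext


def scan_mime_message(raw):
    """Return [(filename, verdict, reason)] for every attachment in a raw message."""
    msg = message_from_string(raw)
    results = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            verdict, reason = analyze_attachment(filename)
            results.append((filename, verdict, reason))
    return results


# Constructed sample message, not a real MyDoom capture. The padded file name
# mimics the "document.htm [lots of whitespace] .exe" trick from the alert.
SAMPLE_MESSAGE = """\
From: someone@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.htm                                   .exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--XX--
"""

if __name__ == "__main__":
    for filename, verdict, reason in scan_mime_message(SAMPLE_MESSAGE):
        print("%-8s %r: %s" % (verdict, filename, reason))
```

Whitespace is stripped before the name is split, so the padded name is judged by its last extension exactly as the operating system would treat it. A mail gateway that can only match on the final extension should still drop every name ending in the six extensions above; this check is for the narrower question of which messages are almost certainly the worm.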
MyDoom.B Description
On the surface, MyDoom.B looks very much like the original. According to McAfee,
the variant still spoofs the sender's address and uses the same random Subjects
and the same random attachment names. MyDoom.B does add a few new possibilities
for its message body:
- sendmail daemon reported:
Error #804 occured during SMTP session.
Partial message has been received.
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary
attachment.
- The message contains MIME-encoded graphics and has been sent as a binary
attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
As we write this, unconfirmed reports on the vulnerability mailing lists we
monitor indicate that you may encounter other Subjects and message bodies in
MyDoom.B.
MyDoom.B contains a few new tricks. First, this variant attempts a Denial of
Service (DoS) attack against Microsoft, where MyDoom.A attacked SCO. Second,
MyDoom.B makes numerous changes to your computer's HOSTS file. The HOSTS file is
a local file that your computer consults before asking its DNS server when it
looks up the IP address for a host name. MyDoom.B adds many false entries to this
file for anti-virus and security information sites, which effectively prevents
your computer from reaching those sites, so you cannot download updates or read
new information about the variant.
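Because the HOSTS file is consulted before DNS, a quick way to check a suspect machine is to parse the file and flag any name, other than the loopback names, that has been pointed at a loopback or unspecified address. The following is an added example written for this update, not WatchGuard's or McAfee's code. The sample file is constructed, its domain names are placeholders (this alert does not list the sites MyDoom.B targets), and the heuristic assumes that blackholed entries point at addresses such as 0.0.0.0 or 127.0.0.1.

```python
import ipaddress

# Host names that legitimately map to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_number, address, [names]) for each non-comment HOSTS line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                        # address with no names
            continue
        yield lineno, fields[0], fields[1:]


def find_blackholed_hosts(text):
    """Return [(line_number, address, name)] for names pointed at a sink address.

    Assumption: an entry that sends a real site to a loopback (127.x, ::1) or
    unspecified (0.0.0.0) address is what a HOSTS-file blackhole looks like.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                         # malformed address field
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                findings.append((lineno, ip, name))
    return findings


def check_hosts_file(path):
    """Read a HOSTS file from disk and return its blackholed entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_blackholed_hosts(fh.read())


# Constructed sample, not taken from an infected machine. The .example names
# stand in for the anti-virus and security sites the alert describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.antivirus-vendor.example
0.0.0.0         updates.antivirus-vendor.example
127.0.0.1       security-news.example
192.168.1.10    intranet.corp.example
"""

if __name__ == "__main__":
    for lineno, ip, name in find_blackholed_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (lineno, name, ip))
```

On a Windows machine the file to pass to check_hosts_file is the hosts file under the system directory's drivers\etc folder. Any hit for a security vendor's site is a strong sign of MyDoom.B; remove the entries before trying to fetch signature updates, or the download will fail silently.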
The solution section of our original alert still contains valid instructions for
blocking MyDoom.B's attachments. However, that alert also recommended that all
WatchGuard firewall owners create a service specifically blocking TCP port 3127
both incoming and outgoing. We have since learned that the worms can use any port
from 3127 through 3198, but each infection listens on only one of them. Because
the back door only listens, you do not need a service that specifically blocks
outgoing connections on these ports. By default, all WatchGuard firewalls block
incoming TCP ports 3127 through 3198, which prevents the virus author from
connecting to MyDoom's back door. Note that "only listens" applies to the back
door alone: the worm still sends outbound e-mail to spread, so the attachment
filtering from the original alert remains essential.
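To confirm from inside the network whether a host has an open back door, scan the whole 3127 through 3198 range rather than port 3127 alone, since an infection that could not bind 3127 will have fallen through to a later port. The following is an added example written for this update, not WatchGuard's own tool. It reproduces the sequential fall-through on loopback using OS-chosen ephemeral ports (an assumption made so the demonstration never collides with a real listener) and then finds the listener with the same range scanner you would point at a suspect host.

```python
import socket
from contextlib import closing

# Back-door port range from the alert: 3127 through 3198 inclusive.
MYDOOM_BACKDOOR_PORTS = range(3127, 3199)


def open_ports(host, ports=MYDOOM_BACKDOOR_PORTS, timeout=0.25):
    """Return the ports in `ports` on `host` that accept a TCP connection.

    A hit is an indicator, not proof: any service bound in the range will
    answer. Each probe is a full connect followed by an immediate close.
    """
    found = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:            # refused, timed out or unreachable
                continue
            found.append(port)
    return found


def bind_first_free(host, ports):
    """Listen on the first port in `ports` that can be bound, like the worm does.

    Returns (socket, port), or (None, None) if every port was taken.
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s, port
        except OSError:                # in use: fall through to the next port
            s.close()
    return None, None


def demo():
    """Occupy one port, let the fall-through pick the next, then scan.

    Returns (blocked_port, chosen_port, scanned_open_ports). Uses ephemeral
    ports chosen by the OS instead of 3127-3198 (assumption for safety).
    """
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    blocker.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    blocker.listen(1)
    first = blocker.getsockname()[1]
    window = range(first, first + 10)
    backdoor, chosen = bind_first_free("127.0.0.1", window)   # `first` is taken
    try:
        found = open_ports("127.0.0.1", window)
    finally:
        blocker.close()
        if backdoor is not None:
            backdoor.close()
    return first, chosen, found


if __name__ == "__main__":
    first, chosen, found = demo()
    print("port %d was busy, fall-through chose %s, scanner saw %s"
          % (first, chosen, found))
    # Against a real host inside your network:
    # print(open_ports("192.0.2.10"))   # 192.0.2.10 is a documentation address
```

Run open_ports against your own hosts from inside the firewall; the default-deny on incoming 3127 through 3198 means an outside scan tells you nothing about internal infections.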
References:
- McAfee description of MyDoom.B
- Original LiveSecurity MyDoom Alert
Credits: Researched and written by Corey Nachreiner.