Virus Warning! MyDoom.AH Worm

hevnsnt (Lifer, Mar 18, 2000):
http://vil.nai.com/vil/content/v_129631.htm

This W32/Mydoom@MM variant makes use of a zero day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability. It is very similar to W32/Mydoom.ag@MM.

The virus spreads by sending email messages to addresses found on the local system. The message appears as follows:

From: Spoofed address
Subject: (case may vary)

* hi!
* hey!
* Confirmation
* blank

Body:

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

or

Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!
See you!

The mail header may contain one of the following fields:

* X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
* X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
* X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

There is no attachment to the message. The homepage or link hyperlink points to the infected system which sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus.

Infected systems will show Windows Explorer listening on TCP Port 1639, the port the web server runs on.

When a user follows a hyperlink sent by the virus, they are connected with the infected computer (http:// IP address:1639/index.htm). The webcam.htm page that is served results in a buffer overflow occurring in Internet Explorer. Shellcode then executes, which instructs the local machine to download a remote file (http:// IP address:1639/reactor), save it to a local file %desktop%\vv.dat and then execute the downloaded file.

Symptoms

When run, the virus creates a file in the WINDOWS SYSTEM (%WinDir%\system32) directory with a random filename that ends in 32.exe. A registry run key is created to load the virus at system startup, such as:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe

Other registry keys are also created:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version

The worm contains a list of IRC servers, which it attempts to connect to on TCP port 6667:



Method Of Infection
Like other Mydoom variants, this virus harvests email addresses from the local system and spams those addresses with email messages. Unlike earlier variants, the infectious messages do not contain an attachment, but rather a hyperlink directing people to an infected machine. Following the hyperlink results in an infection occurring on the target victim's system, if they are running a vulnerable Microsoft Internet Explorer web browser.
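A host-side triage check built from the symptoms in the advisory quoted above (a TCP listener on port 1639, a Run value pointing at a random *32.exe in system32, and the ComExplore marker keys). This is an added example, not code from the advisory or from anyone in the thread; the .reg export and netstat output are constructed samples (in practice you would feed it the output of `reg export` and `netstat -ano`), and the function names are my own.

```python
import re
# Constructed .reg-style export from a hypothetical infected host (illustrative, not from the advisory)
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reactor3"="C:\\WINDOWS\\System32\\heztiv32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version]
'''
# Constructed `netstat -ano` output from the same hypothetical host (illustrative)
SAMPLE_NETSTAT = '''
  Proto  Local Address   Foreign Address  State      PID
  TCP    0.0.0.0:135     0.0.0.0:0        LISTENING  900
  TCP    0.0.0.0:1639    0.0.0.0:0        LISTENING  1204
'''
RUN_KEY_RE = re.compile(r'^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$', re.I)
# Advisory: random name in %WinDir%\system32 ending in 32.exe. This pattern also matches
# legitimate binaries such as rundll32.exe, so a hit is a triage lead, not proof by itself.
RUN_VALUE_RE = re.compile(r'\\system32\\[^\\]*32\.exe$', re.I)
COMEXPLORE_RE = re.compile(r'\\CurrentVersion\\Explorer\\ComExplore(\\Version)?$', re.I)

def parse_reg_export(text):
    # Returns (keys, values); values are (key, name, data) with .reg backslash escaping undone
    keys, values, key = [], [], None
    for line in text.splitlines():
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            key = m.group(1)
            keys.append(key)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key:
            values.append((key, m.group(1), m.group(2).replace('\\\\', '\\')))
    return keys, values

def registry_indicators(keys, values):
    hits = [f"marker key present: {k}" for k in keys if COMEXPLORE_RE.search(k)]
    for key, name, data in values:
        if RUN_KEY_RE.match(key) and RUN_VALUE_RE.search(data):
            hits.append(f"suspicious Run value {name} -> {data}")
    return hits

def listener_indicators(netstat_text, port=1639):
    # Flags a TCP listener on the port the worm's web server binds (1639 per the advisory)
    rows = [line.split() for line in netstat_text.splitlines()]
    return [f"TCP {port} LISTENING (PID {f[4]})" for f in rows
            if len(f) >= 5 and f[0] == "TCP" and f[1].endswith(f":{port}") and f[3] == "LISTENING"]

def triage(reg_text, netstat_text):
    return registry_indicators(*parse_reg_export(reg_text)) + listener_indicators(netstat_text)
```

A listener on 1639 plus the Reactor3 Run value together are a much stronger signal than either alone; the 32.exe name pattern on its own will also catch benign Run entries.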
 

KLin (Lifer, Feb 29, 2000):
virus writers have a special place to rot in hell :thumbsdown::|
 

CraigRT (Lifer, Jun 16, 2000):
I dunno what is with my work, but we are getting Spybot worms like crazy. I haven't seen nearly any other virus in recent years, but Spybot seems to be on more than half the XP/2000 PCs in the place! And it can be a pain to remove too!

:thumbsdown:
 

hevnsnt (Lifer, Mar 18, 2000):
Originally posted by: CraigRT
I dunno what is with my work, but we are getting Spybot worms like crazy. I haven't seen nearly any other virus in recent years, but Spybot seems to be on more than half the XP/2000 PCs in the place! And it can be a pain to remove too!

:thumbsdown:

Uh, what? Spybot is a spyware removal app. Maybe you mean R-Bot (botnet).
 

tooltime (Golden Member, Oct 26, 2003):
I have read running dual antivirus programs is good... like AVG and Trend Micro PC-cillin.
 

neonerd (Diamond Member, Apr 24, 2003):
Thx for the warning... for those running AMD 64s you are safe, because of the on-chip virus protection preventing buffer overflows :)
 

SagaLore (Elite Member, Dec 18, 2001):
Originally posted by: hevnsnt
http://vil.nai.com/vil/content/v_129631.htm

This W32/Mydoom@MM variant makes use of a zero day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability.

There is no attachment to the message. The homepage or link hyperlink points to the infected system which sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus.

That is a neat tactic.

 

SagaLore (Elite Member, Dec 18, 2001):
Originally posted by: KLin
virus writers have a special place to rot in hell :thumbsdown::|

I'm sure it will have something to do with trojans, worms, and lots of spam. :eek:

 

CraigRT (Lifer, Jun 16, 2000):
Originally posted by: hevnsnt
Originally posted by: CraigRT
I dunno what is with my work, but we are getting Spybot worms like crazy. I haven't seen nearly any other virus in recent years, but Spybot seems to be on more than half the XP/2000 PCs in the place! And it can be a pain to remove too!

:thumbsdown:

Uh, what? Spybot is a spyware removal app. Maybe you mean R-Bot (botnet).

I mean this:

http://securityresponse.symant...a/w32.spybot.worm.html
 

oldman420 (Platinum Member, May 22, 2004):
Originally posted by: SagaLore
Originally posted by: deathkoba
Viruses? Trojans? Whut? A Mac is immune. Get one for the best possible computing experience.

Macintosh Viruses

:eek:

Want a virus free computer? Run an AS/400. :p
We run AS/400 at work, np.

If the hackers wanted to they could write a virus for any OS.
Our best bet is good AV software and careful computing.

 

Jeff7 (Lifer, Jan 4, 2001):
Yay, I feel special!!! I was sent this virus recently! :D:D:D

AV software found it right away and ended its brief stay here. If only the AV software could send a powerful blast back to the writer's system, altering the nerves in his/her hands, making typing excruciatingly painful.