http://vil.nai.com/vil/content/v_129631.htm
This W32/Mydoom@MM variant makes use of a zero-day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability. It is very similar to W32/Mydoom.ag@MM.
The virus spreads by sending email messages to addresses found on the local system. The message appears as follows:
From: Spoofed address
Subject: (case may vary)
* hi!
* hey!
* Confirmation
* blank
Body:
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
or
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
The mail header may contain one of the following fields:
* X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
* X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
* X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
There is no attachment to the message. The homepage or link hyperlink points to the infected system that sent the email message. Clicking the link connects to a web server running on the compromised system, which serves HTML containing the IFRAME buffer overflow code so that the virus executes automatically.
Infected systems will show Windows Explorer listening on TCP port 1639, the port the web server runs on.
When a user follows a hyperlink sent by the virus, they are connected to the infected computer (http://<IP address>:1639/index.htm). The webcam.htm page that is served triggers a buffer overflow in Internet Explorer. The shellcode then runs and instructs the local machine to download a remote file (http://<IP address>:1639/reactor), save it as %desktop%\vv.dat, and execute it.
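A mail-gateway check for the lure traits described above, added here as an example that is not part of the advisory: it parses a constructed message, looks for a link to port 1639 on a raw IP address, the forged X-AntiVirus headers and the fixed subjects, and correlates the link IP with the relay IP in the Received header, since the advisory states the link points back at the sending host.

```python
import re
from email import message_from_string

# Lure traits from the advisory: a link to the infected sender's own web server on
# TCP 1639, a forged X-AntiVirus header, and one of a few fixed (or blank) subjects.
LURE_LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):1639/", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FORGED_AV_MARKERS = ("AMaViS 0.2.1", "Checked by Dr.Web", "Gordano's AntiVirus")
LURE_SUBJECTS = {"hi!", "hey!", "confirmation", ""}


def _text_parts(msg):
    """Concatenate the decoded text/* parts (walk() also yields a single-part message)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def mydoom_lure_indicators(raw_message):
    """Scan one RFC 822 message for the lure traits and return the findings as a dict."""
    msg = message_from_string(raw_message)
    hosts = sorted(set(LURE_LINK_RE.findall(_text_parts(msg))))
    forged = any(m in h for h in (msg.get_all("X-AntiVirus") or []) for m in FORGED_AV_MARKERS)
    subject_hit = (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS
    # The lure link points back at the sending host, so correlate the link IP with
    # the relay IPs recorded in the Received headers.
    relay_ips = set()
    for received in msg.get_all("Received") or []:
        relay_ips.update(RECEIVED_IP_RE.findall(received))
    verdict = "mydoom-lure" if hosts else "suspicious" if (forged or subject_hit) else "clean"
    return {"lure_hosts": hosts, "forged_av_header": forged, "lure_subject": subject_hit,
            "link_matches_sender": bool(set(hosts) & relay_ips), "verdict": verdict}


# Constructed sample message (not a real capture); 203.0.113.45 is a documentation address.
SAMPLE = """\
Received: from pc45 ([203.0.113.45]) by mx.example.test; Mon, 8 Nov 2004 10:00:00 +0000
From: service@paypal.example
To: victim@example.test
Subject: Confirmation
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Content-Type: text/html; charset="us-ascii"

<p>Congratulations! PayPal has successfully charged $175 to your credit card.
To see details please click <a href="http://203.0.113.45:1639/index.htm">this link</a>.</p>
"""
```

A raw-IP link on port 1639 alone is treated as a hit; the forged header and subject only raise a message to "suspicious" on their own, since legitimate mail can carry those scanner banners.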
Symptoms
When run, the virus creates a file in the WINDOWS SYSTEM (%WinDir%\system32) directory with a random filename that ends in 32.exe. A registry run key is created to load the virus at system startup, such as:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe
Other registry keys are also created:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
The worm contains a hard-coded list of IRC servers on the DALnet and Undernet networks, which it attempts to connect to on TCP port 6667.
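A host triage helper for the symptoms listed above, added here as an example that is not part of the advisory: it takes netstat -ano style text, a PID-to-process map, Run values and registry key paths (all constructed sample data below) and returns leads for a Windows Explorer listener on TCP 1639, an outbound IRC connection on 6667, a random *32.exe Run value in system32, and the ComExplore marker keys. The small allowlist of legitimate Windows *32.exe names is an assumption added to avoid obvious false positives.

```python
import re

# Host-side symptoms from the advisory, checked over constructed (not captured)
# netstat/tasklist/registry data passed in as plain Python values.
WEB_PORT, IRC_PORT = 1639, 6667
RUN_VALUE_RE = re.compile(r"\\system32\\([a-z0-9]+32\.exe)$", re.I)
KNOWN_32 = {"rundll32.exe", "regsvr32.exe"}  # legitimate names that also end in 32.exe
MARKER_KEY_RE = re.compile(r"\\CurrentVersion\\Explorer\\ComExplore(\\Version)?$", re.I)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def triage(netstat_text, pid_names, run_values, registry_keys):
    """Return Mydoom leads as (category, detail) tuples; confirm each by file hash."""
    leads = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # column header or malformed line
        proto, _laddr, lport, raddr, rport, state, pid = m.groups()
        proc = pid_names.get(int(pid), "unknown")
        if proto == "TCP" and int(lport) == WEB_PORT and state == "LISTENING":
            leads.append(("web-listener", f"{proc} pid {pid} listening on TCP {WEB_PORT}"))
        if proto == "TCP" and int(rport) == IRC_PORT:
            leads.append(("irc", f"{proc} pid {pid} connected to {raddr}:{rport}"))
    for name, path in run_values.items():
        m = RUN_VALUE_RE.search(path)
        if m and m.group(1).lower() not in KNOWN_32:
            leads.append(("run-key", f"{name} = {path}"))
    for key in registry_keys:
        if MARKER_KEY_RE.search(key):
            leads.append(("marker-key", key))
    return leads


# Constructed sample data (documentation IP ranges; not from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1639           0.0.0.0:0              LISTENING       1432
  TCP    192.0.2.10:1045        198.51.100.7:6667      ESTABLISHED     1432
"""
PIDS = {900: "svchost.exe", 1432: "explorer.exe"}
RUN = {"Reactor3": r"C:\WINDOWS\System32\heztiv32.exe",
       "Loader": r"C:\WINDOWS\system32\rundll32.exe"}
KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"]
```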
Method Of Infection
Like other Mydoom variants, this virus harvests email addresses from the local system and spams those addresses with email messages. Unlike earlier variants, the infectious messages do not contain an attachment, but rather a hyperlink directing people to an infected machine. Following the hyperlink infects the target victim's system if they are running a vulnerable version of Microsoft Internet Explorer.