to pummel the expired equine.... *this* is why I strip a bunch of attachments, regardless of who the computer works for.

-------- Original Message --------

VIRUS ALERT - Mydoom.BB
17/02/2005
A new worm Mydoom.BB, which is a variant of Mydoom, is beginning to spread
this morning. This alert will be updated on the web site :
https://www.lexsi.com/abonnes/warn.php?id=111


Worm Names
************
[EMAIL PROTECTED] [Symantec]
WORM_MYDOOM.BB [TrendMicro]
W32/[EMAIL PROTECTED] [McAfee]
W32/[EMAIL PROTECTED] [Norman]
MyDoom.BB [F-Secure]


Priority
********
Medium


Impacts
*******
This new worm spreads itself via email.


Analysis
********
Mydoom.BB spreads itself by sending an email with the following characteristics:

- source address of the message:
The source address of the message is chosen randomly. It may not correspond
to the real sender's address.

- attachment:
"ATTACHMENT"
"DOCUMENT"
"FILE"
"INSTRUCTION"
"LETTER"
"MAIL"
"MESSAGE"
"README"
"TEXT"
"TRANSCRIPT"

With the following extensions:
.bat
.cmd
.com
.exe
.pif
.scr
.zip

- Subjects:
"The original message was included as attachment"
"The/Your m/Message could not be delivered"
"hello"
"hi error"
"status"
"test"
"report"
"delivery failed"
"Message could not be delivered"
"Mail System Error - Returned Mail"
"Delivery reports about your e-mail"
"Returned mail: see transcript for details"
"Returned mail: Data format error"

When the virus is launched, it creates the following files:
- %Windir%\java.exe
- %Windir%\services.exe (backdoor)

and adds the following values under these registry keys in order to be launched at each system
startup:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

"JavaVM" = "%Windir%\java.exe "
"Services" = "%Windir%\services.exe"


The worm gathers email addresses from files with the following extensions:
- .pl*
- .ph*
- .tx*
- .ht*
- .asp
- .sht
- .adb
- .dbx
- .wab


Vulnerable Products
*****************
Windows 95
Windows 98
Windows Me
Windows NT
Windows 2000
Windows 2003
Windows XP


Solution
*********
New signature files for antivirus products are available or will be available soon. It is necessary to update the antivirus urgently.

In order to prevent an infection, do not execute the attachment of the
email (the virus does not exploit a security vulnerability to execute the
attachment automatically).

While waiting for virus definitions, it is possible to create a filter rule
on the attachments with extensions .exe, .bat, .cmd, .com, .pif, .scr and
.zip.

To identify infected machines locally, it is possible to check for the
existence of the following values under these registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
"JavaVM" = "%Windir%\java.exe "
"Services" = "%Windir%\services.exe"


CSI team.

--
Dan Monjar
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
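The interim filter rule the advisory recommends (strip attachments carrying the listed extensions, which is also what the reply at the top of this message describes doing for all senders), as an added example that is not part of the original message or of the Lexsi advisory. It is written in Python against the standard `email` library; the blocked-extension and worm-filename lists are taken from the alert, while the sample message, the notice text and the extra step of looking inside a `.zip` for executables are constructed here and go slightly beyond the advisory's plain extension rule.

```python
"""Strip mail attachments that match the Mydoom.BB advisory's extension list.

Added example: a standalone filter, not the mailing list's or Lexsi's code.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions the advisory says to filter while waiting for signatures
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}
# Everything above except .zip executes directly when opened on Windows
EXECUTABLE_EXTENSIONS = BLOCKED_EXTENSIONS - {".zip"}
# Attachment base names used by the worm (compared case-insensitively)
WORM_BASENAMES = {"attachment", "document", "file", "instruction", "letter",
                  "mail", "message", "readme", "text", "transcript"}

# Replacement body for a stripped part (constructed wording)
NOTICE = "[attachment removed by mail filter]\nfile: {filename}\nreason: {reason}\n"


def split_name(filename: str) -> Tuple[str, str]:
    """Return (basename, last extension), lowercased and without any path.

    'C:\\tmp\\Doc.TXT.exe' -> ('doc.txt', '.exe'); a name with no dot gets ''.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    base, dot, ext = name.rpartition(".")
    return (base, "." + ext) if dot else (name, "")


def executables_in_zip(data: bytes) -> List[str]:
    """Names inside a zip whose extension is executable; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if split_name(n)[1] in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def block_reason(filename: str, data: bytes) -> Optional[str]:
    """Explain why an attachment should be stripped, or None to keep it."""
    base, ext = split_name(filename)
    if ext not in BLOCKED_EXTENSIONS:
        return None
    reason = f"blocked extension {ext}"
    if base in WORM_BASENAMES:
        reason += f", worm-style name {base!r}"
    if ext == ".zip":
        nested = executables_in_zip(data)
        if nested:
            reason += ", archive contains " + ", ".join(nested)
    return reason


def strip_attachments(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw RFC 822 message and replace matching attachments with a notice.

    Returns the rewritten message and the list of stripped attachment names.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    stripped: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        reason = block_reason(filename, part.get_payload(decode=True) or b"")
        if reason is None:
            continue
        # set_content() drops the old Content-* headers and binary payload,
        # so the part becomes a small inline text/plain notice
        part.set_content(NOTICE.format(filename=filename, reason=reason))
        stripped.append(filename)
    return msg, stripped


def build_sample_message() -> bytes:
    """Constructed sample: a bounce-style mail with a zip holding document.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"  # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was included as attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")  # harmless, kept
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_attachments(build_sample_message())
    print("stripped:", removed)
    print(cleaned.as_string())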
