Mydoom.B is functionally quite similar to its predecessor, using many of the same tricks. For example, it spoofs the sender name, so that innocent users get blamed for sending the virus. Worse, it causes antivirus software to chase its own tail, as that software sends erroneous alerts to users who never sent the virus and aren't infected by it. Some of these alerts carry the original bounced, and infected, message. Users who receive one of these antivirus alerts and open the attachment to investigate will find themselves infected. This action also has the unpleasant side effect of creating something of a Denial of Service (DoS) attack in email.
That isn't the only DoS attack the Mydoom.B worm has planned. Mydoom.B is also programmed to attack both the SCO and Microsoft websites. Every infected user thus becomes a weapon against these vendors. In the case of the original Mydoom worm, that attack was launched every second from every infected computer worldwide.
The Mydoom.B email arrives with one of the following Subjects:
- Returned mail
- Delivery Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi
The body of the email varies, and may be any of the following:
- sendmail daemon reported:
- Error #804 occured during SMTP session. Partial message has been received.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- The message contains MIME-encoded graphics and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The name of the attachment will be one of the following:
- doc
- document
- message
- readme
- text
- hello
- body
- test
- data
- file
The filename extension will be BAT, EXE, CMD, PIF or SCR, or the attachment may be a ZIP archive. Mydoom.B can also use a double-extension ruse to trick people who do not have file extension viewing properly enabled. The File Extension Center provides a walkthrough for enabling extension viewing.
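A mail-gateway heuristic built from the subject, attachment-name and extension lists above, as an added example that is not code from the original page; the score thresholds and verdict labels are assumptions, and the padded-extension check goes slightly beyond the page's description of the double-extension ruse.

```python
# Added example, not the page's code: a mail-gateway heuristic for the
# Mydoom.B lure. String lists come from the description above; the score
# thresholds and verdict labels are assumptions for illustration.

MYDOOM_B_SUBJECTS = {  # matched case-insensitively
    "returned mail", "delivery error", "status", "server report",
    "mail transaction failed", "mail delivery system", "hello", "hi",
}
MYDOOM_B_BASENAMES = {
    "doc", "document", "message", "readme", "text",
    "hello", "body", "test", "data", "file",
}
EXECUTABLE_EXTENSIONS = {"bat", "exe", "cmd", "pif", "scr"}


def attachment_indicators(filename):
    """Reasons an attachment name fits the worm's pattern (empty if none).

    Catches the double-extension ruse (readme.txt.scr) and, beyond the page's
    text, the space-padded form (readme.txt      .scr) that hides the real one.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2:
        return []
    base, exts = parts[0], parts[1:]
    final = exts[-1]
    reasons = []
    if base in MYDOOM_B_BASENAMES:
        reasons.append(f"known base name '{base}'")
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final}")
        if len(exts) >= 2:
            reasons.append(f"double extension .{exts[-2]}.{final}")
    elif final == "zip":
        reasons.append("zip archive")
    return reasons


def classify(subject, attachment=None):
    """Verdict ('quarantine', 'review' or 'allow') plus the matched indicators."""
    reasons = []
    if subject.strip().lower() in MYDOOM_B_SUBJECTS:
        reasons.append(f"known subject '{subject.strip()}'")
    if attachment:
        reasons.extend(attachment_indicators(attachment))
    if len(reasons) >= 3:
        return "quarantine", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons
```

A generic subject such as "Status" on its own only earns a review, since legitimate mail uses it too; the verdict hardens as more of the worm's fixed strings line up in one message.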
The worm drops or creates the following files in the Windows\System folder:
- explorer.exe
- ctfmon.dll
Note that a valid EXPLORER.EXE also exists on the system, but it is located in the C:\Windows folder rather than the C:\Windows\System folder.
The worm copy of explorer.exe is loaded on startup via the System Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer" = C:\Windows\System\explorer.exe
(where C:\Windows signifies the user's Windows system folder)
The newly created DLL, ctfmon.dll, is registered as a child process of the valid EXPLORER.EXE.
The following addresses are appended to the Local Hosts file, preventing those sites from being accessed by infected users:
Also see: Worm spells MyDoom for SCO - Dubbed Mydoom, Mimail.R, Novarg, or Shimg depending on the antivirus vendor, the original Mydoom worm was discovered on January 26th, 2004 and quickly became one of the most prolific viruses in history.