Details
I-worm.Mydoom.ab

Mydoom.ab is another Mydoom.a variant. It spreads as an attachment in an infected email. The worm send copies of itself to all addresses in the local address book.
Mydoom.ab is a Windows PE EXE file and is about 32 KB - packed by UPX.
Installation
Upon installation Mydoom.ab creates a file named lsasrv.exe in the Windows system registry and creates the following registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“lsass” = “%System%\lsasrv.exe”
The worm also creates a file named version.ini in the Windows system folder.
Other
Mydoom.ab attempts to block the work of a number of firewalls.

Related Posts

This entry was posted on Wednesday, December 20th, 2006 at 10:00 pm and is filed under Virus Threats.

Details
I-Worm.Mydoom.aa

This worm is a modification of Mydoom.a. It spreads via the Internet as an attachment to infected emails and via the Kazaa file-sharing network.
The worm itself is a PE EXE file which is 51712 bytes in size, packed using UPX.
The worm is only activated if the user opens the archive and launches the infected file by doubling clicking on the attachment. The worm will then install itself on the system and commence its propagation routine.
The worm contains a backdoor component.
Installation
When installing, the worm copies itself under the name avpr.exe to the Windows system directory, and registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
“Avpr”=”%System%\avpr.exe”
This ensures that the worm will be launched every time the machine is rebooted.
The worm creates a file named tcp5424.dll in the Windows system registry. This file is the backdoor component, and it is also registered in the system registry:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
“Default”=”%SysDir%\tcp5424.dll”
This ensures that the DLL will be launched as an Explorer.exe child process.
The worm creates several additional key values in the system registry to flag its presence in the system:
[HKLM\Software\Microsoft\Windows\Ddinfect]
[HKCU\Software\Microsoft\Windows\Ddinfect]
And also creates the unique identifier ‘My-Game’ in memory.
The worm substitutes its own file for the the standard ‘hosts’ file in the Windows directory. This means that users of infected machines will be unable to access the following domains:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.pandasoftware.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
The worm creates a file named msg15.txt in the Windows system directory which contains the following text:
Lucky’s Av’s ;P~. Sasser author gets IT security job and we will work with Mydoom , P2P worms and exploit codes .Also we will attack f-secure,symantec,trendmicro,mcafee , etc. The 11th of march is the skynet day lol . When the beagle and mydoom loose, we wanna stop our activity <== so Where is the Skynet now? lol.
This Will Drop W32.Scran P2P Worm
The worm also attempts to download a file named ’scran.jpg’ from a specific site and to save it in the C: root directory under the name ‘Scran.exe’. This file is Worm.P2P.Scranor.a, another network worm.
Mass mailing
The worm’s mass mailing function is almost identical to that of Mydoom.a.
The message body is composed of three parts, which are chosen at random from the three groups listed below.
Daily Report.
here is the document.
Important Information.
Reply
your document.

Details are in the attached document.
Kill the writer of this document!
Monthly news report.
Please answer quickly!.
Please confirm!.
Please read the attached file!.
Please see the attached file for details.
Please see the attached file for details Check the attached document.
See the attached file for details
Waiting for a Response. Please read the attachment.

+++ AntiVirus - www.f-secure.com Norton AntiVirus - www.symantec.com
+++ AntiVirus - www.kaspersky.com Panda AntiVirus -
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com Bitdefender AntiVirus -
+++ www.bitdefender.com MC-Afee AntiVirus - www.mcafee.com Kaspersky
+++ www.pandasoftware.com Norman AntiVirus - www.norman.com F-Secure
Backdoor
‘tcp5424.dll’, which is installed by the worm, is a backdoor. The worm opens TCP port 5424 to receive commands.
Payload
The worm searches the system registry for the ‘ICQ Net’ and ‘MsnMsgr’ values and deletes them.

Related Posts

This entry was posted on Wednesday, December 20th, 2006 at 8:00 pm and is filed under Virus Threats.