WORM_MYDOOM.EA
Technical Details

File type: EXE

Memory resident:  Yes

Size of malware: Varies

Initial samples received on: Jul 7, 2009

Related to: TROJ_JPEGDRPR.B, WORM_MYDOOM.EB

Payload 1: Downloads files
Payload 2: Compromises system security
Payload 3: Modifies files
Payload 4: Terminates processes
Payload 5: Deletes files
Payload 6: Launches DoS attacks

Details:

Arrival, Installation, and Autostart Technique

This worm arrives as attachment to mass-mailed email messages. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web site(s).

It drops the following file(s)/component(s):

  • %System%\pxdrv.nls
  • %System%\uregvs.nls
  • %User Temp%\_S{random}.tmp

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It starts the following service(s):

  • mstimer
  • WMI Performance Configuration
  • WmiConfig

This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry key(s)/entry(ies):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WmiConfig
Description = "Configures and manages performance library information from WMMI HiPerf providers."
DisplayName = "WMI Performance Configuration"
ErrorControl = "1"
ImagePath = "%System Root%\system32\svchost.exe -k wmiconf"
ObjectName = "LocalSystem"
Start = "2"
Type = "120"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WmiConfig\Parameters
ServiceDll = "%System%\wmiconf.dll"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WmiConfig\Security
Security = "{binary values}"

Other System Modifications

This worm creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Svchost\
wmiconf = "WmiConfig"

It also creates the following registry key(s)/entry(ies) to disable Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

It deletes the following network analysis tool-related files:

  • %System%\drivers\npf.sys
  • %System%\maus.dl_
  • %System%\maus.dll
  • %System%\netlmgr.dll
  • %System%\npptools.dll
  • %System%\ntmpsvc.dll
  • %System%\packet.dll
  • %System%\perfb093.dat
  • %System%\regscm.dll
  • %System%\ssdpupd.dll
  • %System%\sysvmd.dll
  • %System%\Wanpacket.dll
  • %System%\wpcap.dll

Propagation via Email

This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to send email messages with a copy of itself as attachment.

It initially gathers email addresses and domain names from all files located in the Temporary Internet Files folder.

This worm avoids sending email messages to addresses containing the following string(s):

  • -._!@
  • acketst
  • arin.
  • be_loyal:
  • berkeley
  • borlan
  • example
  • google
  • ibm.com
  • icrosof
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • mit.e
  • mozilla
  • mydomai
  • nodomai
  • panda
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • tanford.e
  • usenet
  • utgers.ed

This worm also constructs additional email addresses by prepending any of the following strings to the obtained domain names:

  • andrew
  • brenda
  • brent
  • brian
  • claudia
  • david
  • debby
  • frank
  • george
  • helen
  • james
  • jerry
  • jimmy
  • julie
  • kevin
  • linda
  • maria
  • michael
  • peter
  • robert
  • sales
  • sandra
  • smith
  • steve

To obtain email server addresses, it prepends any of the following strings to obtained domain names:

  • gate.
  • mail.
  • mail1.
  • mx.
  • mx1.
  • mxs.
  • ns.
  • relay.
  • smtp.

It assumes the resulting strings (e.g., mx.domain_name.com, mail.domain_name.com) are mail servers for those domains and connects to the SMTP service on each of them. It can also use installed email applications that support SMTP, such as Microsoft Outlook and Outlook Express, for propagation.

If it cannot connect to SMTP services on the resulting server addresses, it uses the local mail server.
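The mail-server guessing described above (prepending gate., mail., mx., smtp. and so on to harvested domains) leaves a recognisable trace in DNS logs: one workstation resolving such names for many unrelated domains in a short window. The following PowerShell heuristic is an added example for defenders, not code from the Trend Micro write-up; the log line format (timestamp, client IP, queried name) and the sample lines are constructed for the demonstration, and the threshold of five domains is an assumption to tune per environment.

```powershell
# Added example (not part of the Trend Micro write-up): flag clients whose DNS queries
# look like the worm's mail-server guessing. Log format is assumed: "<timestamp> <client> <qname>".

# Host-name prefixes the write-up says the worm prepends to harvested domains.
$prefixes = @('gate', 'mail', 'mail1', 'mx', 'mx1', 'mxs', 'ns', 'relay', 'smtp')
$prefixPattern = '^(' + (($prefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\.'

# Constructed sample log: 10.0.0.15 behaves like an infected host, 10.0.0.20 is normal traffic.
$sampleLog = @'
2009-07-07T10:00:01 10.0.0.15 mail.example-a.test
2009-07-07T10:00:01 10.0.0.15 mx.example-a.test
2009-07-07T10:00:02 10.0.0.15 smtp.example-b.test
2009-07-07T10:00:02 10.0.0.15 mail1.example-c.test
2009-07-07T10:00:03 10.0.0.15 relay.example-d.test
2009-07-07T10:00:03 10.0.0.15 gate.example-e.test
2009-07-07T10:00:04 10.0.0.15 mxs.example-f.test
2009-07-07T10:00:05 10.0.0.20 www.example-a.test
2009-07-07T10:00:06 10.0.0.20 mail.corp-mailhost.test
'@

function Find-MailServerProbing {
    param(
        [string[]]$Lines,
        [int]$MinDomains = 5   # assumed threshold; raise it for noisy networks
    )
    # client IP -> set of distinct domains for which a mail-server-style name was queried
    $byClient = @{}
    foreach ($line in $Lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }
        $client = $parts[1]
        $qname  = $parts[2].ToLowerInvariant()
        if ($qname -notmatch $prefixPattern) { continue }
        $domain = $qname -replace $prefixPattern, ''
        if (-not $byClient.ContainsKey($client)) {
            $byClient[$client] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$byClient[$client].Add($domain)
    }
    foreach ($client in $byClient.Keys) {
        if ($byClient[$client].Count -ge $MinDomains) {
            [pscustomobject]@{
                Client  = $client
                Domains = $byClient[$client].Count
                Sample  = ($byClient[$client] | Select-Object -First 3) -join ', '
            }
        }
    }
}

# With the constructed log above, only 10.0.0.15 (6 distinct domains) is reported.
Find-MailServerProbing -Lines ($sampleLog -split '\r?\n')
```

The heuristic counts distinct domains rather than raw query volume, so a legitimate mail client talking to its own organisation's mail host repeatedly does not trigger it; pair it with an egress rule that only the real mail relay may open outbound TCP/25, which blocks the worm's own SMTP engine regardless of which server names it guesses.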

Dropping Routine

This worm drops the following component file(s):

  • %System%\wmcfg.exe - also detected by Trend Micro as WORM_MYDOOM.EA
  • %System%\wmiconf.dll - also detected as WORM_MYDOOM.EA
  • %System%\mstimer.dll - also detected as WORM_MYDOOM.EA
  • %System%\perfvwr.dll - also detected as WORM_MYDOOM.EA

Denial of Service (DoS) Attack

This worm performs a denial of service (DoS) attack against the following websites by sending HTTP GET requests:

  • banking.nonghyup.com
  • blog.naver.com
  • ebank.keb.co.kr
  • evisaforms.state.gov
  • ezbank.shinhan.com
  • faa.gov
  • finance.yahoo.com
  • mail.naver.com
  • travel.state.gov
  • whitehouse.gov
  • www.amazon.com
  • www.assembly.go.kr
  • www.auction.co.kr
  • www.chosun.com
  • www.defenselink.mil
  • www.dhs.gov
  • www.dot.gov
  • www.faa.gov
  • www.ftc.gov
  • www.hannara.or.kr
  • www.marketwatch.com
  • www.mofat.go.kr
  • www.moneyfactory.gov
  • www.nasdaq.com
  • www.nsa.gov
  • www.nyse.com
  • www.president.go.kr
  • www.site-by-site.com
  • www.state.gov
  • www.usauctionslive.com
  • www.usbank.com
  • www.usfk.mil
  • www.usps.gov
  • www.ustreas.go
  • www.ustreas.gov
  • www.voanews.com
  • www.washingtonpost.com
  • www.whitehouse.gov
  • www.yahoo.com

Process Termination

This worm terminates the following service(s), if found on the system:

  • netlman
  • netlmgr
  • NtmpSvc
  • secsvcs
  • SSDPUPD
  • sysvmd

Backdoor Routine

This worm attempts to connect to the IP address {BLOCKED}.{BLOCKED}.83.203 over HTTP port 80, from which it can receive commands to download component files. As of this writing, it has been observed downloading several files named msiexec{random}.exe, which are also detected as WORM_MYDOOM.EA.

The downloaded .EXE file drops the file %System%\uregvs.nls, which contains the list of target sites for the DoS attack.

Download Routine

This worm downloads a malware detected by Trend Micro as TROJ_JPEGDRPR.B. That malware in turn drops an MBR infector detected as WORM_MYDOOM.EB, so the malicious routines of WORM_MYDOOM.EB are also exhibited on the affected system.

Other Details

This worm attempts to overwrite the following network-related files with its own versions so that it can use them to support its malicious routines:

  • %System%\drivers\npf.sys
  • %System%\npptools.dll
  • %System%\packet.dll
  • %System%\wanpacket.dll
  • %System%\wpcap.dll

It first creates encrypted files in the current user's Temp folder using the file name _S{random}.tmp.

It then checks whether the target files listed above exist by reading their file attributes. If a target file does not exist, it decrypts the binary data, writes the decrypted code to the target path, and then deletes the temporary file.

If a target file does exist, it attempts to delete that file first and then drops its own copy in its place.

If it fails to delete a target file, it leaves the temporary file _S{random}.tmp in the current user's Temp folder.

It also creates the mutex _MUTEX_AHN_V3PRO_ to ensure that only a single instance of this worm is executed at any given time.

It then deletes itself after execution.

It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
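The artifacts listed throughout this write-up (dropped files, the WmiConfig and mstimer services, the svchost group, the disabled firewall profile, the overwritten packet-capture libraries, the leftover _S{random}.tmp files and the _MUTEX_AHN_V3PRO_ mutex) can be checked in one pass. The read-only PowerShell sweep below is an added triage example, not Trend Micro's own tool or cleanup solution. It assumes an elevated PowerShell console on a modern Windows host, maps %System% to $env:SystemRoot\system32 and %User Temp% to $env:TEMP, and reads the service keys under CurrentControlSet rather than the ControlSet001 path quoted in the write-up (CurrentControlSet is a link to the control set in use). It reports findings only and changes nothing.

```powershell
# Added example (not part of the Trend Micro write-up): read-only sweep for the
# WORM_MYDOOM.EA indicators described on this page. Run elevated; it remediates nothing.

$findings = [System.Collections.Generic.List[string]]::new()
$sys = Join-Path $env:SystemRoot 'system32'   # assumed mapping for %System%

# 1. Dropped files and service DLLs named in the write-up.
foreach ($name in 'pxdrv.nls', 'uregvs.nls', 'wmcfg.exe', 'wmiconf.dll', 'mstimer.dll', 'perfvwr.dll') {
    $path = Join-Path $sys $name
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# 2. Leftover _S{random}.tmp in the user's Temp folder (left when the overwrite routine fails).
Get-ChildItem -Path $env:TEMP -Filter '_S*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Temp artifact: $($_.FullName)") }

# 3. Services the worm registers or starts.
foreach ($svc in 'WmiConfig', 'mstimer') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $findings.Add("Service present: $($s.Name) ('$($s.DisplayName)') status=$($s.Status)") }
}

# 4. Service definition, ServiceDll and the svchost group 'wmiconf'.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WmiConfig'
if (Test-Path -Path $svcKey) {
    $p = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $findings.Add("Registry: $svcKey ImagePath='$($p.ImagePath)'")
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $findings.Add("Registry: WmiConfig ServiceDll='$dll'") }
}
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$group = (Get-ItemProperty -Path $svchostKey -Name 'wmiconf' -ErrorAction SilentlyContinue).wmiconf
if ($group) { $findings.Add("Registry: svchost group wmiconf = '$group'") }

# 5. Windows Firewall standard profile switched off.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = (Get-ItemProperty -Path $fwKey -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
if ($null -ne $fw -and $fw -eq 0) { $findings.Add("Firewall: StandardProfile EnableFirewall = 0") }

# 6. Mutex held by a running instance (session and global namespaces both checked).
foreach ($mutexName in '_MUTEX_AHN_V3PRO_', 'Global\_MUTEX_AHN_V3PRO_') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Close()
        $findings.Add("Mutex open: $mutexName")
    } catch {
        # WaitHandleCannotBeOpenedException: not present; UnauthorizedAccessException: present but inaccessible
        if ($_.Exception -is [System.UnauthorizedAccessException]) { $findings.Add("Mutex exists (access denied): $mutexName") }
    }
}

# 7. Packet-capture libraries the worm overwrites: report presence and signature status.
foreach ($lib in 'drivers\npf.sys', 'npptools.dll', 'packet.dll', 'wanpacket.dll', 'wpcap.dll') {
    $path = Join-Path $sys $lib
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings.Add("Capture library: $path signature=$($sig.Status) modified=$((Get-Item -LiteralPath $path).LastWriteTime)")
    }
}

if ($findings.Count -eq 0) { 'No WORM_MYDOOM.EA indicators found.' } else { $findings }
```

A hit on the service, ServiceDll or svchost-group checks is the strongest signal, because a legitimate Windows install has no svchost group named wmiconf; the capture-library check is only corroborating, since WinPcap-based tools legitimately install npf.sys, packet.dll and wpcap.dll, so compare the modification time and signature status against the machine's known software rather than treating presence alone as infection.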

Analysis By: Roland Dela Paz

