Weekly Virus Report – Mydoom.A and Mydoom.B, the Q and S variants of Mimail, Gaobot.DK and Dumaru.Z Worms
This week’s report focuses on six worms – Mydoom.A and Mydoom.B, the Q and S variants of Mimail, Gaobot.DK and Dumaru.Z – and the Trojan Govnodav.A. Of these, Mydoom.A stands out, as it has caused one of the biggest epidemics in computing history.
Mydoom.A and Mydoom.B spread via e-mail, in a message with variable characteristics, and through the P2P file-sharing program KaZaA. The actions these worms carry out on the computers they infect include the following:
– They create a dynamic link library that opens a backdoor on the computer, listening on the first available TCP port between 3127 and 3198.
– They launch Distributed Denial of Service (DDoS) attacks against the website www.sco.com by sending GET / HTTP/1.1 requests.
– They open Windows Notepad (NOTEPAD.EXE), displaying junk text.
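A defender's view of the DDoS pattern described above, as an added example that is not part of the original report: a small Python script that scans web-server access-log lines in Common Log Format for the request line the report attributes to Mydoom and flags any source sending it at an abnormal rate. The log lines, IP addresses and the threshold below are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format, e.g.  10.0.0.5 - - [01/Feb/2004:00:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Request line the report attributes to the Mydoom DDoS against www.sco.com.
TARGET_REQUEST = "GET / HTTP/1.1"


def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def flood_report(lines, per_ip_threshold=10):
    """Count TARGET_REQUEST hits per source IP per minute.

    Returns (flagged, total): `flagged` maps each source IP whose peak
    one-minute count reached per_ip_threshold to that peak; `total` is the
    number of matching requests across all sources, which is the figure to
    watch when many infected hosts each send at a modest rate.
    """
    per_minute = Counter()
    total = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip corrupt lines rather than aborting the scan
        ip, ts, req = parsed
        if req != TARGET_REQUEST:
            continue
        total += 1
        per_minute[(ip, ts.replace(second=0))] += 1
    peak = {}
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak.get(ip, 0), n)
    flagged = {ip: n for ip, n in peak.items() if n >= per_ip_threshold}
    return flagged, total


# Constructed sample log: one source requesting "/" twelve times in one minute,
# one ordinary visitor, one single matching request and one corrupt line.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Feb/2004:00:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    for s in range(12)
] + [
    '192.0.2.7 - - [01/Feb/2004:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.8 - - [01/Feb/2004:00:00:09 +0000] "GET / HTTP/1.1" 200 512',
    'this line is not in log format',
]

if __name__ == "__main__":
    flagged, total = flood_report(SAMPLE_LOG)
    print(f"matching requests: {total}")
    for ip, n in flagged.items():
        print(f"{ip}: peak {n} requests/minute")
```

The per-source threshold catches a single noisy host; a distributed flood shows up as a jump in `total` while no single source crosses the threshold, so both figures belong on the dashboard.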
As well as sharing the characteristics described above, these variants differ in the following aspects:
– In order to ensure that two copies of Mydoom.A are not run at the same time, this worm generates a mutex called SwebSipcSmtxSO.
– Mydoom.B overwrites the Windows hosts file, which allows it to redirect certain Internet addresses. The addresses it redirects include those of several antivirus companies, preventing the products of these companies from downloading updates.
– Mydoom.B is designed to launch denial of service attacks against Microsoft servers.
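To detect the hosts-file tampering Mydoom.B performs, as an added example that is not part of the original report: a Python check that parses hosts-file text and reports hostnames pinned to loopback or 0.0.0.0 other than localhost, plus any hostname on a defender-supplied watchlist of update servers, whatever address it points to. The report does not name the companies involved, so the domains, addresses and sample file below are constructed placeholders.

```python
import ipaddress

# Names that legitimately map to loopback in a clean hosts file.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        address, *names = parts
        for name in names:
            yield address, name.lower()


def suspicious_hosts_entries(text, watchlist):
    """Return [(hostname, address, reason)] for entries that look like update blocking.

    Two signals are used: a non-local name pinned to a loopback or unspecified
    address (the update server silently becomes unreachable), and any name on
    the watchlist appearing at all (a redirect to an attacker-chosen host).
    """
    findings = []
    watch = {w.lower() for w in watchlist}
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((name, address, "unparseable address"))
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and name not in LEGITIMATE_LOOPBACK_NAMES:
            findings.append((name, address, "non-local name pinned to loopback/unspecified"))
        elif name in watch:
            findings.append((name, address, "watchlisted update domain pinned in hosts file"))
    return findings


# Constructed sample hosts file (domains are placeholders, not real vendors).
SAMPLE_HOSTS = """
# clean entries
127.0.0.1       localhost
::1             localhost
# entries modelled on the tampering described in the report
0.0.0.0         updates.example-av.test    # update server made unreachable
127.0.0.1       download.example-av.test
198.51.100.9    updates.other-av.test      # redirected to a third-party host
# ordinary corporate entry
10.0.0.20       fileserver.corp.test
"""

# Watchlist a defender would maintain: the update hosts their security products use.
SAMPLE_WATCHLIST = {
    "updates.example-av.test",
    "download.example-av.test",
    "updates.other-av.test",
}

if __name__ == "__main__":
    for name, address, reason in suspicious_hosts_entries(SAMPLE_HOSTS, SAMPLE_WATCHLIST):
        print(f"{name} -> {address}: {reason}")
```

On a real Windows system the file to read is `%SystemRoot%\system32\drivers\etc\hosts`; comparing its hash against a known-good copy is a cheaper first pass, and this parser is for triaging the diff once the hash mismatches.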
The next two worms in today’s report are the S and Q variants of Mimail, which spread via e-mail in a message with variable characteristics. The main characteristic of these worms is that they display a fake Microsoft form on screen in order to steal confidential user data (credit card number, PIN, etc.), which they then send to an e-mail address.
Gaobot.DK is a worm that affects computers running Windows 2003/XP/2000/NT. In order to spread to as many computers as possible, it exploits the RPC Locator, RPC DCOM and WebDAV vulnerabilities. This malicious code also spreads by copying itself to the shared resources of the networks it manages to access.
When it is run, Gaobot.DK connects to a specific IRC server and waits for control commands. It also ends processes belonging to antivirus programs, firewalls and system monitoring tools, leaving the affected computer vulnerable to attack from other viruses or worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster. Another characteristic of Gaobot.DK worth highlighting is that it allows an attacker to obtain information from the affected computer, run files, launch Distributed Denial of Service (DDoS) attacks, upload files via FTP, etc.
The last worm we will analyze today is Dumaru.Z, which spreads via e-mail in a message with the subject: “Important information for you. Read it immediately !”, and an attached file called MYPHOTO.ZIP. It sends itself out to the addresses it finds on the affected computer in an e-mail that includes the Exploit/Iframe code, which allows it to be automatically run when the message carrying the worm is viewed through the Preview Pane in Outlook.
When variant Z of Dumaru infects a computer, it steals information on e-gold accounts and opens ports 2283 and 10000. This malicious code also downloads the Spybot.FC worm, which attempts to connect to an IRC server in the domain egold-hosting.com, and disables several administrative tools, such as the Task Manager and the Windows Registry editor.
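The listening ports the report gives for the Mydoom backdoor (first free TCP port in 3127-3198) and for Dumaru.Z (2283 and 10000) can be turned into a quick host check. The following Python, added here and not part of the original report, parses the text of a `netstat -an` listing (the sample is constructed) and reports listening TCP ports that fall on those indicators.

```python
# Port indicators taken from the report; each entry is (label, predicate on port number).
PORT_INDICATORS = [
    ("Mydoom.A/B backdoor (first free TCP port in 3127-3198)", lambda p: 3127 <= p <= 3198),
    ("Dumaru.Z (ports 2283 and 10000)", lambda p: p in (2283, 10000)),
]


def listening_tcp_ports(netstat_text):
    """Extract local ports of TCP sockets in LISTENING state from `netstat -an` output."""
    ports = set()
    for raw in netstat_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        local = parts[1]
        try:
            # rsplit handles both 0.0.0.0:3127 and [::]:3127 forms
            ports.add(int(local.rsplit(":", 1)[1]))
        except (IndexError, ValueError):
            continue
    return ports


def match_indicators(ports):
    """Map each listening port that hits an indicator to the indicator's label."""
    hits = {}
    for port in sorted(ports):
        for label, predicate in PORT_INDICATORS:
            if predicate(port):
                hits[port] = label
                break
    return hits


# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1034          192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:3130           *:*
"""

if __name__ == "__main__":
    for port, label in match_indicators(listening_tcp_ports(SAMPLE_NETSTAT)).items():
        print(f"port {port} listening: {label}")
```

A hit is a lead rather than a verdict: legitimate software can listen on the same numbers, so the next step is `netstat -ano` to get the owning process id and confirm which executable holds the socket.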
We are going to end this report with Govnodav.A, which is a Trojan with keylogger characteristics. This Trojan cannot send itself out; instead, it has been spammed out. If the keystrokes logged contain certain text strings, it saves them to a file, which it sends to the virus creator via e-mail.