Weekly Viruses and Intrusions Report: MyDoom, Mimail.T, Sdbot.MH, Gaobot.DQ, X-Scan.A and Y2k

In this week’s report we are going to look at Mydoom.A, that appeared on January 27 and has continued spreading widely. Then we will turn to five totally different type of malware: Mimail.T, Sdbot.MH, Gaobot.DQ, X-Scan.A and Y2k.

Although the number of infections caused by Mydoom.A stabilized at the beginning of this week, it still infected a high percentage of computers. This worm has caused almost five times more infections than Downloader.L, the second virus most frequently detected by Panda ActiveScan.

Mydoom.A is the fastest spreading malicious code in computing history and has caused the biggest virus epidemic ever. As you know, it spreads via e-mail in a message with variable characteristics and through the P2P (peer-to-peer) file sharing program KaZaA. If the date on the affected computer is between February 1 and 12, 2004, it launches Distributed Denial of Service (DDoS) attacks against the website www.sco.com. From February 12, 2004, Mydoom.A stops its actions, preventing them from being run when it activates.

The T variant of the Mimail is sent in an e-mail message with variable characteristics and a compressed -password-protected- file, which contains the worm’s code. Every so often, it checks in an Internet connection is open and tries to access to the website www.google.com. Furthermore, in order to prevent its process from appearing in the list in the Task Manager, Mimail.T registers itself as a Windows service.

Today’s third malicious code is Sdbot.MH. This backdoor goes memory resident when it is run and connects to a server in order to access a specific IRC channel and receive command controls such as, download and run files, scan ports, etc.

Gaobot.DQ is a worm that affects computers running Windows 2003/XP/2000/NT. It spreads by making copies of itself in the shared network resources it manages to access, and by exploiting the RPC Locator, RPC DCOM and WebDAV vulnerabilities. A clear indication that Gaobot.DQ has reached a computer is a significant increase in the volume of network traffic through the TCP ports 135 and 445, as the worm attempts to exploit these vulnerabilities.

When it is run, Gaobot.DQ connects to a specific IRC server and waits for control commands. It also ends the processes belonging to antivirus programs, firewalls, system monitoring tools and other malicious code like Nachi.A and Sobig.F.

X-Scan.A is a hacking tool that scans computers and networks for vulnerabilities. If it finds a vulnerability, it logs all the keystrokes entered during the session. It obtains information from the affected computer, such as the type and version of the operating system, the status of standard ports, information on the Windows Registry, SNMP and NETBIOS protocols, CGI/IIS/RPC vulnerabilities, SQL/FTP/SMTP/POP3 servers, etc.

We are going to finish this week’s report with Y2K, a joke that displays a message on screen pretending to carry out a test in order to check if the affected computer is Y2K compliant. During this fake test, it opens and closes the CD-ROM tray, it makes the screen flicker, changes the mouse pointer, etc. Once the so-called test is finished, Y2k informs that it has found a flaw in the PC-Speaker and, unless this problem is solved, the user will not be able to start the computer during the year 2000. Finally, the program announces that it was only a joke.