Weekly Report on Viruses and Intruders – Mydoom AO/AM and Gaobot DAC/CYK
Mydoom.AO appeared midweek and has the capacity to spread much more rapidly and widely than the majority of computer viruses. The reason for this is that it uses Google, Altavista, Yahoo and Lycos to search for email addresses to which to send itself. In order to trick users, it sends out emails that that pass themselves off as mail delivery error messages.
The email messages carrying Mydoom.AO include and attachment -which contains the worm’s code- with one of the following extensions: ZIP, COM, SCR, EXE, PIF, BAT or CMD. If the user runs the attached file, the worm will create several copies of itself on the affected computer under the name JAVA.EXE, and look for email address in the Windows address book, in temporary Internet files and in files with the certain extensions. Then it selects the domain names of the addresses it has collected and enters them as a search term in Google, Altavista, Yahoo and Lycos. Then Mydoom.AO sends itself out to all the addresses found. This worm also creates several entries in the Windows Registry in order to ensure that it is run whenever the affected computer is started up.
The second variant of Mydoom in today’s report is AM, which spreads in email messages with variable characteristics and through the peer-to-peer (P2P) file sharing programs KaZaA, Morpheus, eDonkey2000, iMesh and LimeWare.
In the computers it infects, Mydoom.AM ends the processes belonging to certain security tools, such as several antivirus programs and firewalls, leaving the affected computer vulnerable to the attack of other malware. This worm also modifies the HOSTS file, in order to prevent access to the websites of several antivirus companies and ends the processes belonging to other worms, such as Netsky, Bagle, Sobig and Blaster.
Gaobot.DAC and Gaobot.CYX are two worms that use several means of propagation, including the follow:
– They make copies of themselves in the shared network resources they manage to accesses.
– To spread across the Internet, they exploit security flaws, like the LSASS and RPC DCOM vulnerabilities, for which Microsoft has already released the patches that fix them.
The DAC and CYX variants of Gaobot have backdoor characteristics that allows hackers to gain remote control over the affected computer and carry out actions such as executing commands, downloading and running files, logging keystrokes, stealing different information from the computer, launching Distributed Denial of Service (DDoS) attacks, etc.
We are going to finish this week’s report with Bropia.J, a worm that spreads via MSN Messenger. When it is run, this malicious code tries to display an HTML page that contains a link to a certain web page in order to display an image. Bropia.J also prevents the user from accessing the Task Manager and the Windows Registry Editor (REGEDIT.EXE file).