Weekly Report on Viruses and Intruders – Mydoom.BH and Crowt.B Worms and Downloader.BHV
Mydoom.BH is an email worm that can also spread through the KaZaA P2P file-sharing program. Once it has entered a computer and is run, it downloads from a website a page containing code, which is saved to the Windows system directory as an executable file called TEMP1.EXE. It also displays a screen referring to an antivirus in order to distract users' attention.

To spread via email, it sends itself to all contacts in the Outlook address book, using its own SMTP engine. The name that appears as the sender of the email is false and the message includes an attachment with malicious code.

In addition to using email, Mydoom.BH also creates a copy of itself in the shared KaZaA directory, which it obtains from the Windows registry. This copy has random file and extension names, selected from a list of names designed to attract KaZaA users. Other users of this program could remotely access this shared directory and voluntarily download files created by Mydoom.BH to their computers, thinking that they were actually interesting programs, etc. They would, in fact, be downloading copies of the worm. When they run the downloaded file, these other computers would become infected by Mydoom.BH.

The second worm in this report, Crowt.B, has backdoor functionalities and sends itself by email using its own SMTP engine. It gets the addresses to which it sends itself from a list of contacts stored on the user's computer. It allows remote commands to be executed on the compromised computer and information to be extracted from it. It also carries an additional danger, as it acts as a keylogger, recording keystrokes and stealing passwords entered. In order to conceal itself, Crowt.B injects its code into other programs.

Finally, we will look at the Downloader.BHV Trojan. This malicious code downloads and installs adware programs on the infected computer. Downloader.BHV needs the intervention of an attacker in order to propagate and cannot spread by itself automatically. Various propagation channels are used, including floppy disks, CDs, email messages with attachments, Internet downloads, FTP file transfers, IRC channels, P2P file-sharing networks, etc. When it is run, it downloads 5 executable files disguised as GIF files from a range of websites and runs them on the infected system. To prevent detection, it uses some very basic techniques (some text strings are composed while the code is running).
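The Downloader.BHV behaviour described above (executables disguised as GIF files) can be caught by comparing a file's extension with its header. The following is an added example, not part of the original report: the function names and sample bytes are constructed, and it assumes the downloaded files carry a `.gif` extension on disk.

```python
import struct
from pathlib import Path

GIF_MAGICS = (b"GIF87a", b"GIF89a")

def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the header says."""
    if Path(name).suffix.lower() == ".gif":
        if is_pe(data):
            return "executable-disguised-as-gif"
        if not data.startswith(GIF_MAGICS):
            return "gif-extension-bad-header"
    return "ok"

def scan(root: str, read_limit: int = 4096):
    """Yield (path, verdict) for every suspicious file under root."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                verdict = classify(path.name, fh.read(read_limit))
            if verdict != "ok":
                yield str(path), verdict

def sample_pe() -> bytes:
    """Constructed minimal PE stub (not real malware): DOS header + PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + bytes(20)

# Constructed sample inputs, keyed by hypothetical file name.
SAMPLES = {
    "banner1.gif": sample_pe(),
    "logo.gif": b"GIF89a" + bytes(10),
    "broken.gif": b"<html>not an image</html>",
    "setup.exe": sample_pe(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {classify(name, blob)}")
```

`scan()` applies the same check to a directory tree, such as a browser cache or temporary folder, reading only the first 4 KB of each file.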