Weekly Report on Viruses and Intruders – Beliu.A Trojan, Mydoom.BN and Mytob.P Worms

Beliu.A has been classified as a backdoor Trojan because it opens a backdoor on computers in order to allow an attacker to access them and carry out malicious actions. To be more specific, Beliu.A connects to the Internet server liubei.8866.org, through which the attacker can gain control of the affected computer and carry out different actions. These actions include downloading, moving and deleting files, running commands and ending processes. It uses port 8080 and HTTP to connect to this server. It can even work in networks protected by firewalls, as port 8080 is usually open to traffic.

Beliu.A normally reaches computers in an email with the subject “MOFCOM IPR Report-English Version!” and an attachment called “International IPR Conventions China Acceded to.doc”. This Word document exploits the MS01-028 vulnerability to download the files http://81.27.111.103/ek/normal2.dot and http://81.27.111.103/ek/liu8080.exe, the second of which is this backdoor Trojan.

The first worm in today’s report is a new variant of MyDoom, Mydoom.BN. This worm spreads via email using its own SMTP engine and it looks for email addresses to send itself to in the Windows address book and files with different extensions, including htm, xml, wml, asp or wab. To avoid raising suspicion, it does not send itself out to the addresses or domains that appear in an internal list.

The message carrying the code can have different subjects, including ones that try to trick the user into thinking that it is a mail delivery error, such as “Mail Delivery System”, “Mail Transaction Failed” or “Server Report”.

The message body also refers to errors, like “Mail transaction failed. Partial message is available” or “The message contains Unicode characters and has been sent as a binary attachment”. The attachment contains the virus and can have one of several different names (“document”, “readme”, “doc”, “message”, etc.) with a Windows executable file extension (pif, scr, exe, cmd or bat).

The last malicious code in today’s report is Mytob.P, a worm with backdoor characteristics. This worm spreads by looking in the network for shared resources whose users have chosen passwords that are easy to guess. It can also spread via email in a message with a spoofed sender’s address and an attached file. It obtains the email addresses it sends itself to from files on the computer with different extensions, such as .htm, .php, .wab, etc.

However, it does not send itself out to certain addresses to avoid being detected rapidly by certain users or companies. For example, it avoids sending itself to addresses that contain the words “abuse”, “admin”, “gnu”, “ibm.com”, or “panda”.

The message subject can be a set text (“Error”, “Mail Delivery System”, “Mail Transaction Failed”, “Server Report”, etc.), a random string, or it could be blank. The message body also refers to an error message, and the name of the attachment is taken from a list and has a Windows executable file extension.
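The subject, body and attachment traits shared by Mydoom.BN and Mytob.P lend themselves to a simple mail-gateway heuristic. The following Python is an added example, not code from the report or from Panda; the sample messages are constructed, and the phrase lists are taken only from what the report quotes.

```python
from typing import List

# Subjects, body phrases and attachment names quoted in the report
BOUNCE_SUBJECTS = {"error", "mail delivery system",
                   "mail transaction failed", "server report"}
BOUNCE_BODY_PHRASES = ("mail transaction failed",
                       "partial message is available",
                       "unicode characters")
GENERIC_STEMS = {"document", "readme", "doc", "message"}
EXEC_EXTENSIONS = {"pif", "scr", "exe", "cmd", "bat"}


def suspicious_attachment(name: str) -> bool:
    """Generic stem plus Windows executable extension, e.g. readme.scr.
    Double extensions such as document.txt.pif are caught as well."""
    lowered = name.lower()
    if "." not in lowered:
        return False
    stem, ext = lowered.rsplit(".", 1)
    stem = stem.split(".", 1)[0]          # document.txt -> document
    return ext in EXEC_EXTENSIONS and stem in GENERIC_STEMS


def score_message(subject: str, body: str, attachment: str = "") -> List[str]:
    """Return the list of bounce-style traits found; an empty list means clean."""
    reasons = []
    subj = subject.strip().lower()
    if subj == "" or subj in BOUNCE_SUBJECTS:      # blank subjects count (Mytob.P)
        reasons.append("bounce-style or blank subject")
    if any(p in body.lower() for p in BOUNCE_BODY_PHRASES):
        reasons.append("body imitates a delivery error")
    if attachment and suspicious_attachment(attachment):
        reasons.append("executable attachment with generic name")
    return reasons


def should_quarantine(subject: str, body: str, attachment: str = "") -> bool:
    """Quarantine when two or more traits coincide; one alone is too common."""
    return len(score_message(subject, body, attachment)) >= 2


if __name__ == "__main__":
    # Constructed sample resembling the report's description
    print(score_message("Mail Delivery System",
                        "The message contains Unicode characters and has been "
                        "sent as a binary attachment", "message.scr"))
```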
