W32/Mydoom.F@mm
Analysis
Specifics
The virus is 32-bit, with a packed file size of 34,568 bytes,
and is a minor variant of W32/Mydoom.A. The major differences
are:
- the file names created are random
- the DoS payload routine: the virus performs a DoS
against the websites 'www.microsoft.com' and 'www.riaa.com'
- this virus variant deletes files that have these
extensions:
avi, bmp, doc, jpg, mdb, sav and xls
Infection vectors
The virus is introduced to the system from one of two
possible insertion points: either as an email attachment
from an infected user, or from another computer that
is able to connect to the target using TCP/IP.
Loading into memory
When the virus is run, it creates a mutex in memory with a
partially random name, as in "jmydoat<random>mtx" (where
<random> stands for a random string), and copies itself to
the System folder under a random EXE file name. The virus
then modifies the registry so that it auto-runs at the next
Windows startup, using a randomly generated value name that
references the file actually written, as in this example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"heaiho" = C:\WINNT\System32\qgvjpqmdnzd.exe
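The persistence mechanism above (a Run value with a random name pointing at a random-named EXE in the System folder) is something a responder can triage from exported registry data. The following is an added example, not code from the original page or from Fortinet: it parses text in the shape of `reg query` output (the sample lines are constructed, modelled on the entry shown above), flags any Run value whose target is an executable directly in the System folder that is not on a small allowlist, and adds a second signal when the file name looks random (a long run of consonants). The allowlist and the consonant-run threshold are assumptions to be tuned per host build.

```python
import re

# Constructed sample of `reg query` output for the Run key (not from a real host).
# The first entry mirrors the example given on the page.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    heaiho     REG_SZ    C:\WINNT\System32\qgvjpqmdnzd.exe
    ctfmon     REG_SZ    C:\WINNT\System32\ctfmon.exe
    Acrobat    REG_SZ    "C:\Program Files\Adobe\reader_sl.exe" /quiet
"""

# Assumption: binaries that may legitimately auto-run from the System folder.
# Illustrative only; tune to the host build being examined.
KNOWN_SYSTEM_RUN_BINARIES = {"ctfmon.exe", "rundll32.exe", "userinit.exe"}

# One value line of `reg query` output: name, type, data.
ENTRY_RE = re.compile(
    r"^\s+(?P<name>\S+)\s+(?P<type>REG_SZ|REG_EXPAND_SZ)\s+(?P<data>.+?)\s*$"
)
# An executable sitting directly in the Windows System folder.
SYSTEM_EXE_RE = re.compile(
    r"^[a-z]:\\(?:winnt|windows)\\system32\\(?P<base>[^\\\s]+\.exe)$", re.I
)


def parse_run_entries(reg_output):
    """Return (value_name, data) pairs from textual `reg query` output."""
    entries = []
    for line in reg_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data")))
    return entries


def executable_path(data):
    """Extract the executable path from value data (quoted or bare, arguments dropped)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def longest_consonant_run(stem):
    """Length of the longest run of consonants; random lowercase names score high."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def find_suspicious_run_entries(reg_output):
    """Flag Run values whose target is an unknown executable in the System folder."""
    findings = []
    for name, data in parse_run_entries(reg_output):
        path = executable_path(data)
        m = SYSTEM_EXE_RE.match(path)
        if not m:
            continue
        base = m.group("base").lower()
        if base in KNOWN_SYSTEM_RUN_BINARIES:
            continue
        reasons = ["unknown executable auto-running from the System folder"]
        # Assumption: a run of five or more consonants is a reasonable random-name signal.
        if longest_consonant_run(base[: -len(".exe")]) >= 5:
            reasons.append("random-looking file name")
        findings.append({"value_name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print(finding["value_name"], finding["path"], "; ".join(finding["reasons"]))
```

On a live Windows host the same logic can be fed from `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent); the allowlist is deliberately short so that anything unexpected in System32 surfaces for a human to check the file hash.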
Backdoor component
The virus also creates an accomplice DLL file, 10,424 bytes
in size, in the System folder under a random file name such
as "jwqrjuo.dll". The DLL opens TCP port 1080 and loads as a
server component; it contains instructions that could download
and run files from the Internet if a specific byte sequence
is received.
Payloads
This virus has two payloads: one is a file deletion routine,
and the other is a denial-of-service attack against two
websites.
The virus may delete files matching these extensions:
avi - audio/video file
bmp - bitmap picture
doc - document file
jpg - picture file
mdb - Microsoft DataBase
sav - Registry hive data file
xls - Microsoft Excel spreadsheet
The virus may issue a denial-of-service attack against the
web addresses 'www.microsoft.com' and 'www.riaa.com' using
a simple GET request; the DoS attack is persistent and
occurs once every 1024 milliseconds.
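Because the DoS payload is a steady stream of GET requests to two fixed hosts at roughly one-second spacing, infected machines stand out in outbound web proxy logs. The following is an added example, not code from the original page or from Fortinet: it groups proxy log lines by (client, host) for the two target sites, measures the spacing between consecutive requests, and reports clients that issue at least a threshold number of requests with a median gap at or below 1.5 seconds (the 1024 ms cadence plus slack). The log format (timestamp, client, method, host, path) and the sample lines are constructed assumptions; adapt the parser to the proxy actually in use.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Websites the page names as the DoS targets of this variant.
DOS_TARGETS = {"www.microsoft.com", "www.riaa.com"}

# Constructed proxy log lines: "<timestamp> <client> <method> <host> <path>".
# Not captured from a real proxy; 10.0.0.5 shows the once-per-1024 ms GET pattern,
# 10.0.0.9 is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2004-02-20T10:00:00.000 10.0.0.5 GET www.microsoft.com /
2004-02-20T10:00:00.700 10.0.0.9 GET www.microsoft.com /windows/
2004-02-20T10:00:01.024 10.0.0.5 GET www.microsoft.com /
2004-02-20T10:00:02.048 10.0.0.5 GET www.microsoft.com /
2004-02-20T10:00:03.072 10.0.0.5 GET www.microsoft.com /
2004-02-20T10:00:04.096 10.0.0.5 GET www.microsoft.com /
2004-02-20T10:00:05.120 10.0.0.5 GET www.microsoft.com /
2004-02-20T10:03:40.000 10.0.0.9 GET www.example.com /
"""


def parse_proxy_line(line):
    """Split one constructed log line into (timestamp, client, method, host)."""
    ts, client, method, host, _path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, method, host


def find_dos_sources(log_text, min_requests=5, max_median_interval=1.5):
    """Return {(client, host): stats} for clients sending GET requests to a DoS
    target at a steady interval of at most max_median_interval seconds."""
    timestamps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host = parse_proxy_line(line)
        if method == "GET" and host in DOS_TARGETS:
            timestamps[(client, host)].append(ts)

    findings = {}
    for key, stamps in timestamps.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        # Gaps between consecutive requests; the worm's cadence is ~1.024 s.
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_median_interval:
            findings[key] = {"requests": len(stamps), "median_interval_s": med}
    return findings


if __name__ == "__main__":
    for (client, host), stats in find_dos_sources(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {host}: {stats['requests']} requests, "
              f"median gap {stats['median_interval_s']:.3f} s")
```

The median rather than the mean is used so that one long pause (a reboot, a dropped connection) does not hide an otherwise metronomic pattern; raising `min_requests` reduces false positives on busy proxies where a human might legitimately reload a page a few times in quick succession.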
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |