Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New MyDoom In The Wild - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New MyDoom In The Wild
An apology



It was my intention to post Part II of my "Follow the Bouncing Malware" article today. Instead, the other Handlers and I ended up following the bouncing MyDoom. A quick note of thanks to all of the other Handlers, the AV Vendors, and many others for pitching in and keeping this one from getting out of control. (TL)



New MyDoom On The Loose



Initial analysis (we will update as we know more):



Currently (16:00GMT), signatures are not yet available.

UPDATED (17:00GMT):

- Signatures are starting to come out, identifying this as MyDoom.O, MyDoom.P or Evaman.C

- It appears that this may only work on Win2K and WinXP machines because the executable requires psapi.dll.

- Copies itself to the Windows' system directory as winlibs.exe and installs itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



UPDATED (17:30GMT) - *BETA* Snort Sigs:

UPDATED (17:40GMT) - *BETA #2* Snort Sigs:

UPDATED (19:30GMT) - *BETA #3* Snort Sigs:



var YAHOO [216.109.127.126/32]

#var YAHOO any

pass tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\

	sid:900018; rev:4; flow:established,to_server; flags:A+;\

	flowbits:set,search_uri; content: "/py/psSearch.py|3f|";)

alert tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\

	sid:900018; rev:4; flow:established,to_server; flags:A+;\

	flowbits:isset,search_uri; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM";)




Targets Yahoo's people search:



http://email.people.yahoo.com:80/py/psSearch.py?



NEW (1700GMT)- Example packet capture:



12:23:22.922862 10.1.0.129.1035 > 216.109.127.126.80: P 5:310(305) ack 1 win 175 20 (DF)

0x0000   4500 0159 0077 4000 8006 96ba 0a01 0081        E..Y.w@.........

0x0010   d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1        .m.~...P"..|k.^.

0x0020   5018 4470 46c9 0000 2f70 792f 7073 5365        P.DpF.../py/psSe

0x0030   6172 6368 2e70 793f 4669 7273 744e 616d        arch.py?FirstNam

0x0040   653d 4a61 6d69 6526 696e 6465 783d 2048        e=Jamie&index=.H

0x0050   5454 502f 312e 300d 0a41 6363 6570 743a        TTP/1.0..Accept:

0x0060   2069 6d61 6765 2f67 6966 2c20 696d 6167        .image/gif,.imag

0x0070   652f 782d 7862 6974 6d61 702c 2069 6d61        e/x-xbitmap,.ima

0x0080   6765 2f6a 7065 672c 2069 6d61 6765 2f70        ge/jpeg,.image/p

0x0090   6a70 6567 2c20 6170 706c 6963 6174 696f        jpeg,.applicatio

0x00a0   6e2f 766e 642e 6d73 2d65 7863 656c 2c20        n/vnd.ms-excel,.

0x00b0   6170 706c 6963 6174 696f 6e2f 6d73 776f        application/mswo

0x00c0   7264 2c20 6170 706c 6963 6174 696f 6e2f        rd,.application/

0x00d0   766e 642e 6d73 2d70 6f77 6572 706f 696e        vnd.ms-powerpoin

0x00e0   742c 202a 2f2a 0d0a 4163 6365 7074 2d4c        t,.*/*..Accept-L

0x00f0   616e 6775 6167 653a 2065 6e2d 7573 0d0a        anguage:.en-us..

0x0100   4163 6365 7074 2d45 6e63 6f64 696e 673a        Accept-Encoding:

0x0110   2067 7a69 702c 2064 6566 6c61 7465 0d0a        .gzip,.deflate..

0x0120   5573 6572 2d41 6765 6e74 3a20 4d6f 7a69        User-Agent:.Mozi

0x0130   6c6c 612f 342e 300d 0a48 6f73 743a 2045        lla/4.0..Host:.E

0x0140   4d41 494c 2e50 454f 504c 452e 5941 484f        MAIL.PEOPLE.YAHO

0x0150   4f2e 434f 4d0d 0a0d 0a                         O.COM....




Message subjects(?):



SN: New secure mail

SN: New secure mail

Secure delivery

Secure delivery

failed transaction

failed transaction

Re: hello (Secure-Mail)

Re: hello (Secure-Mail)

Re: Extended Mail

Re: Extended Mail

Delivery Status (Secure)

Delivery Status (Secure)

Re: Server Reply

Re: Server Reply

SN: Server Status

SN: Server Status




Message body contains(?):



Automatically Secure Delivery: for

Automatically Secure Delivery: for

Mail Delivery Server System: for

Mail Delivery Server System: for

Extended secure mail message available at:

Extended secure mail message available at:

Secure Mail Server Notification: for

Secure Mail Server Notification: for

New mail secure method implement: for

New mail secure method implement: for

New policy requested by mail server to returned mail

as a secure compiled attachment (Zip).

New policy requested by mail server to returned mail

as a secure compiled attachment (Zip).

Now a new message is available as secure Zip file format.

Due to new policies on clients.

Now a new message is available as secure Zip file format.

Due to new policies on clients.

This message is available as a secure Zip file format

due to a new security policy.

This message is available as a secure Zip file format

due to a new security policy.

For security measures this message has been packed as Zip format.

This is a newly added security feature.

For security measures this message has been packed as Zip format.

This is a newly added security feature.

New policy recommends to enclose all messages as Zip format.

Your message is available in this server notice.

New policy recommends to enclose all messages as Zip format.

Your message is available in this server notice.

You have received a message that implements secure delivery technology.

Message available as a secure Zip file.

You have received a message that implements secure delivery technology.

Message available as a secure Zip file.

This message is an automatically server notice

from Administration at

This message is an automatically server notice

from Administration at

Server Notice: New security feature added. MSG:ID: 455sec86

Server Notice: New security feature added. MSG:ID: 455sec86

New feature added for security reasons

New feature added for security reasons

Automatically server notice:,

Server reply from

Automatically server notice:,

Server reply from

New service policy for security added from

New service policy for security added from




The executable contains the following names that are used to search Yahoo:

Johnson,
Williams,
Wilson,
Taylor,
Anderson,
Thomas,
Jackson,
Parker,
Hernandez,
Gonzalez,
Roberts,
Patricia,
Margaret,
Elizabeth,
Anthony,
Daniel,
Patrick,
Douglas,
Carlos,
Sanchez,
Howard,
Washington,
Walter,
Robinson,
Miguel,
Jennifer,
Alberto,
Mathew,
Taylor,
Walker,
Mitchell,
Carter,
Nelson,
Brooks,
Jenkins,
Coleman,
Flores,
Griffin,
Morris,
Rogers,
Barbara,
Angela,
Amanda,
Pamela,
Martha,
Frances,
Cynthia,
Stephanie,
Nicole,
Andrea,
Rebeca,
Steven,
Anthony,
George,
Michael,
Isabel,
Marcos,
Camilo,
Salomon,
Esteban,
Francis,
Nicholas,
Samuel,
Angela,
Catherine,
Susanna,
Dorothy,
Elizabeth,
Andrew,
Philip,
Hester,
Edward,
Martin,
Gabriel,
Christopher,
Lawrence,
Christian,
Christ,
Dorcas,
Rowland,
Cecily,
Margery,
Turner,
Torres,
Brooks,
Harrison,
Gibson,
Pierce,
Arnold,
Watkins,
Medina,
Mendoza,
Santiago,
Christina,
Norris,
Santos,
Burgess,
Valdez,
Barber,
Patton,
Ortega,
Estrada,
Waters,
Ashlee,
Parson,
Sparks,
Morton,
Allison,
Monique,
Summers,
Cortez,
Barton,
Deleon,
Harrell,
Navarro,
Woodard,
Meyers,
Petersen,
Vannessa,
Douglas,
Joanna,
Judith,
Bridget,
Jessica,
Jeffrey,
Timothy,
Shirley,
Kimberly,
Sandra,
Melissa,
Virginia,
Dennis,
Junior,
Heather,
Collins,
Garcia,
Miller,
Barton,
Bridget,
Gillian,
Ursula,
Hannah,
Cooper,
Watson,
Bennett,
Sanders,
Ramirez,
Bailey,
Murphy,
Campbell,
Barnes,
Alexis,
Samantha,
Madison,
Joshua,
Charles,
Clinton,
Lincoln,
Houston,
Claudia,
Britney,
Carson,
Spider,
Laster,
Jolley,
Galvin,
Alecia,
Karrie,
Ivette,
Freeman,
Hunter,
Simpson,
Hamilton,
Knight,
Mcdonald,
Elliott,
Bradley,
Duncan,
Weaver,
Fields,
Chapman,
Kelley,
Wagner,
Jacobs,
Stanley,
Fuller,
Newman,
Lambert,
Cummings,
Leonard,
Barker,
Norris.



-------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )
 Tom

160 Posts
Aug 4th 2004
Thread locked Subscribe Aug 4th 2004
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!