Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Threat Advisory: McAfee AVERT Raises Risk Assessment to Medium on MYDOOM.BE@MM

  • 22 February, 2005 08:29

<p>McAfee AVERT Raises Risk Assessment to Medium on New Mydoom Variant</p>
<p>SYDNEY, February 22, 2005 — McAfee, Inc., the pioneer and worldwide leader of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to Medium on the recently discovered W32/Mydoom.be@MM worm, also known as Mydoom.be. This variant contains an attachment in the email, which downloads the BackDoor-CEB.f Trojan. The variant also opens multiple TCP ports on the victim’s machine and harvests addresses from queries made to well known search engines. Since 12:00 AM Pacific Time today, McAfee AVERT has received reports of Mydoom.be being stopped or infecting users from the field. Most of these reports have arrived from Japan and Europe and the number of reports has doubled each hour.</p>
<p>Threat Overview</p>
<p>This new Mydoom variant is very similar to previous variants and bears the following characteristics:</p>
<p>Each is a mass-mailing worm that constructs messages using its own SMTP engine</p>
<p>Each spoofs the From: address in the sent email</p>
<p>Each downloads the BackDoor-CEB.f trojan from one of many Websites</p>
<p>The primary difference between Mydoom.be and other recent variants is the list of sites used to download the Backdoor-CEB.f trojan. Users should be cautious when opening any email and should most likely delete any email containing the following:</p>
<p>From: (spoofed From: header)</p>
<p>Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.</p>
<p>The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:</p>
<p>mailer-daemon@(target_domain)</p>
<p>noreply@(target_domain)</p>
<p>postmaster@(target_domain)</p>
<p>The following display names are used in this case:</p>
<p>"Postmaster"</p>
<p>"Mail Administrator"</p>
<p>"Automatic Email Delivery Software"</p>
<p>"Post Office"</p>
<p>"The Post Office"</p>
<p>"Bounced mail"</p>
<p>"Returned mail"</p>
<p>"MAILER-DAEMON"</p>
<p>"Mail Delivery Subsystem"</p>
<p>Subject: The following subjects are used:</p>
<p>hello</p>
<p>hi</p>
<p>error</p>
<p>status</p>
<p>test</p>
<p>report</p>
<p>delivery failed</p>
<p>Message could not be delivered</p>
<p>Mail System Error - Returned Mail</p>
<p>Delivery reports about your e-mail</p>
<p>Returned mail: see transcript for details</p>
<p>Returned mail: Data format error</p>
<p>Message Body: The virus constructs messages from pools of strings it carries in its body.</p>
<p>Threat Pathology</p>
<p>After being executed, Mydoom.be copies itself into the Windows System directory, the worm installs itself as JAVA.EXE in the Windows directory.</p>
<p>For example:</p>
<p>C:\WINDOWS\JAVA.EXE</p>
<p>It also drops the file SERVICES.EXE into this directory:</p>
<p>C:\WINDOWS\SERVICES.EXE</p>
<p>The following Registry keys are added to hook system startup:</p>
<p>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "JavaVM" = %WinDir%\JAVA.EXE</p>
<p>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "Services" = %WinDir%\SERVICES.EXE</p>
<p>The following Registry keys are also added:</p>
<p>HKEY_CURRENT_USER\Software\Microsoft\Daemon</p>
<p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon</p>
<p>Multiple TCP Ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a highport of the infected machine, to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.</p>
<p>More information on Mydoom.be and a cure for this worm can be found online at the McAfee AVERT site located at http://vil.nai.com/vil/content/v_131868.htm. McAfee AVERT is advising its customers to update to the 4431 DATs to stay protected from these variants of the threat.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organisations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield, McAfee Entercept and McAfee Foundstone Professional Services organisations. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About McAfee, Inc.</p>
<p>McAfee, Inc. (NYSE: MFE), headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions. McAfee’s market-leading security products and services help large, medium and small businesses, government agencies, and consumers prevent intrusions on networks and protect computer systems from critical threats. Additionally, through the Foundstone Professional Services division, leading security consultants provide security expertise and best practices for organisations. For more information, McAfee, Inc. can be reached on the Internet at http://www.mcafee.com/.</p>
<p>- ends -</p>
<p>NOTE: McAfee, AVERT, IntruShield, Entercept and Foundstone are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The colour Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. ©2005 McAfee, Inc. All Rights Reserved.</p>
<p>For further information please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>Mobile: +61 (0)417 259 054</p>
<p>E-mail: natalie.connor@text100.com.au</p>

Most Popular