Worm.Win32.MYDOOM.AG

ワームは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

ワームは、Windows のアドレス帳（WABファイル）から特定のＥメールアドレスを収集します。

侵入方法

ワームは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

ワームは、感染したコンピュータ内に以下のように自身のコピーを作成します。

• %Windows%\java.exe

(註：%Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.)

ワームは、以下のファイルを作成します。

• %Windows%\services.exe → detected as BKDR_MYDOOM.MUS
• %User Temp%\zincite.log
• %User Temp%\{Random}.log → either a zip file used as email attachment, or copy of itself.

(註：%Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.. %User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。)

自動実行方法

ワームは、自身のコピーがWindows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run → autostart mechanism for the main executable
JavaVM = %Windows%\java.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run → autostart mechanism for dropped component file
Services = %Windows%\services.exe

他のシステム変更

ワームは、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Daemon

HKEY_CURRENT_USER\Software\Microsoft\
Daemon

感染活動

ワームは、以下の拡張子を持つファイルからＥメールアドレスを収集します。

• .pl
• .asp
• .sht
• .adb
• .dbx
• .wab
• .ph
• .tx
• .ht

ワームは、WABから特定のＥメールアドレスを収集します。

情報漏えい

ワームは、以下の情報を収集します。

• Host Name

その他

ワームは、以下を実行します。

• The email message it sends out may have the following characteristics:
  • From:
  • postmaster@{target domain}
  • MAILER-DAEMON@{target domain}
  • noreply@{target domain}
  • It uses the following display names:
  • Postmaster
  • Mail Administrator
  • Automatic Email Delivery Software
  • Post Office
  • The Post Office
  • Bounced mail
  • Returned mail
  • MAILER-DAEMON
  • Mail Delivery Subsystem
  • Subject:
  • hello
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
  • Body:

  Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
  {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
  {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
  {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
  {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
  {$T {user |technical |}support team.|The $T {support |}team.}
  
  {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
  Your message {was not|could not be} delivered because the destination {computer|server} was
  {not |un}reachable within the allowed queue period. The amount of time
  a message is queued before it is returned depends on local configura-
  tion parameters.
  Most likely there is a network problem that prevented delivery, but
  it is also possible that the computer is turned off, or does not
  have a mail system running right now.
  
  Your message {was not|could not be} delivered within $D days:
  {{{Mail s|S}erver}|Host} $i is not responding.
  The following recipients {did|could} not receive this message:
  <$t>
  Please reply to postmaster@{$F|$T}
  if you feel this message to be in error.
  The original message was received at $w{
  | }from {$F [$i]|{$i|[$i]}}
  ----- The following addresses had permanent fatal errors -----
  {<$t>|$t}
  {----- Transcript of {the ||}session follows -----
  ... while talking to {host |{mail |}server ||||}{$T.|$i}:
  {>>> MAIL F{rom|ROM}:$f
  <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
  554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
  Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
  <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
  {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
  |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
  |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
  |}<<< 400}|}
  The original message was included as attachment
  
  {{The|Your} m|M}essage could not be delivered

• It attaches a copy of itself in a .ZIP file. It may use the target email address name as the filename of the attachment, or any of the following:
  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
• The copy of itself in the attachment may have the following extension:
  • .cmd
  • .bat
  • .com
  • .exe
  • .pif
  • .scr
• The copy of itself in the attachment may have the following fake extension:
  • .doc
  • .txt
  • .htm
  • .html
• It connects to the following URL/search engines to harvest email addresses from the results of the queries:
  • http://{BLOCKED}h.lycos.com/default.asp?{BLOCKED}loc=searchhp&tab=web&query=%s
  • http://www.{BLOCKED}sta.com/web/results?q={BLOCKED}0&kls=0
  • http://{BLOCKED}h.yahoo.com/search?p=%s&ei=UTF-8&fr=fp{BLOCKED}b-t&cop=mss&tab=
  • http://www.{BLOCKED}e.com/search?{BLOCKED}e=UTF-8&oe=UTF-8&q=%s

<補足>
インストール

ワームは、以下のファイルを作成します。

• %Windows%\services.exe → 「BKDR_MYDOOM.MUS」として検出される
• %User Temp%\zincite.log
• %User Temp%\{ランダム}.log → Eメールの添付ファイルとして使用されるZIPファイル、または自身のコピー

感染活動

ワームは、以下の文字列を含むEメールアドレスへのメッセージの送信はしません。

• mailer-d
• spam
• abuse
• master
• sample
• accoun
• privacycertific
• bugs
• listserv
• submit
• ntivi
• support
• admin
• page
• the.bat
• gold-certs
• feste
• not
• help
• foo
• soft
• site
• rating
• you
• your
• someone
• anyone
• nothing
• nobody
• noone
• info
• winrar
• winzip
• rarsoft
• sf.net
• sourceforge
• ripe.
• arin.
• google
• gnu.
• gmail
• seclist
• secur
• bar.
• foo.com
• trend
• update
• uslis
• domain
• example
• sophos
• yahoo
• spersk
• panda
• hotmail
• msn.
• msdn.
• microsoft
• sarc.
• syma
• avp

情報漏えい

ワームは、以下の情報を収集します。

• ホスト名

その他

ワームは、以下を実行します。

• 送信されるEメールメッセージには、以下のような特徴があります。
  • 送信元：
    • postmaster@{送信対象ドメイン}
    • MAILER-DAEMON@{送信対象ドメイン}
    • noreply@{送信対象ドメイン}
  • 以下の表示名を使用します。
    • Postmaster
    • Mail Administrator
    • Automatic Email Delivery Software
    • Post Office
    • The Post Office
    • Bounced mail
    • Returned mail
    • MAILER-DAEMON
    • Mail Delivery Subsystem
  • 主題：
    • hello
    • error
    • status
    • test
    • report
    • delivery failed
    • Message could not be delivered
    • Mail System Error - Returned Mail
    • Delivery reports about your e-mail
    • Returned mail: see transcript for details
    • Returned mail: Data format error
  • 本文：

    Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
    {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
    {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
    {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
    {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
    {$T {user |technical |}support team.|The $T {support |}team.}
    
    {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
    Your message {was not|could not be} delivered because the destination {computer|server} was
    {not |un}reachable within the allowed queue period. The amount of time
    a message is queued before it is returned depends on local configura-
    tion parameters.
    Most likely there is a network problem that prevented delivery, but
    it is also possible that the computer is turned off, or does not
    have a mail system running right now.
    
    Your message {was not|could not be} delivered within $D days:
    {{{Mail s|S}erver}|Host} $i is not responding.
    The following recipients {did|could} not receive this message:
    <$t>
    Please reply to postmaster@{$F|$T}
    if you feel this message to be in error.
    The original message was received at $w{
    | }from {$F [$i]|{$i|[$i]}}
    ----- The following addresses had permanent fatal errors -----
    {<$t>|$t}
    {----- Transcript of {the ||}session follows -----
    ... while talking to {host |{mail |}server ||||}{$T.|$i}:
    {>>> MAIL F{rom|ROM}:$f
    <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
    554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
    Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
    <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
    {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
    |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
    |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
    |}<<< 400}|}
    The original message was included as attachment
    
    {{The|Your} m|M}essage could not be delivered

  • 自身のコピーをZIPファイル内に添付します。添付ファイルの名前として、送信対象のEメールアドレス名、または以下のいずれかが使用される可能性があります。
    • readme
    • instruction
    • transcript
    • mail
    • letter
    • file
    • text
    • attachment
    • document
    • message
  • 添付ファイル内の自身のコピーには、以下の拡張子が付与されている可能性があります。
    • .cmd
    • .bat
    • .com
    • .exe
    • .pif
    • .scr
  • 添付ファイル内の自身のコピーには、以下に偽装された拡張子が付与されている可能性があります。
    • .doc
    • .txt
    • .htm
    • .html
  • 以下のURL/検索エンジンに接続し、クエリの結果からEメールアドレスを収集します。
    • http://{BLOCKED}h.lycos.com/default.asp?{BLOCKED}loc=searchhp&tab=web&query=%s
    • http://www.{BLOCKED}sta.com/web/results?q={BLOCKED}0&kls=0
    • http://{BLOCKED}h.yahoo.com/search?p=%s&ei=UTF-8&fr=fp{BLOCKED}b-t&cop=mss&tab=
    • http://www.{BLOCKED}e.com/search?{BLOCKED}e=UTF-8&oe=UTF-8&q=%s