does anybodies AV pick this up?


Today we recieved an email from ourselves (message below)
and contained a message.zip folder
please note domain is replaced with word DOMAIN , so actually looks like it came from us - to us.

the message.zip contained a what looked like .bat file, however it was actually a .exe (ill upload it with admins permsision (GRANTED BY COMSEC 17:11)).

it appears its the new mydoom virus that has not been included in any virus definations for nay companies as of yet.

copy of email (which includes signiture that looks authentic)

:-


-----Original Message-----
From: Administrator
Sent: 26 July 2004 14:32
To: user@DOMAIN
Subject: status

Dear user user@DOMAIN ,

Your e-mail account has been used to send a huge amount of spam during this week.
We suspect that your computer had been infected and now contains a trojaned proxy server.

We recommend you to follow our instruction in order to keep your computer safe.

Sincerely yours,
The DOMAIN team.


user@DOMAIN

Visit our website at http://DOMAIN

MPORTANT INFORMATION

This message may contain confidential information and must not be copied, disclosed or used by anybody other than the intended recipient.
If you have received this message in error, please notify us by e-mail
(enquiries@DOMAIN and then delete the email and any copies of it.
Thank you for your assistance.

Please note
We are unable to accept instructions to deal via e-mail nor will we take settlement details via e-mail. Please use a more traditional means of communication to avoid any misuse in these circumstances.


******************************************************************
* PLEASE NOT THIS ATTACHMENT CONTAINS A ACTIVE VIRUS THAT WILL *
* IF EXECUTED CAUSE HARM TO YOUR COMPUTER. *
* MYSELF, GSO OR ANY ADMINS CANNOT BE HELD RESPONSABLE FOR WHAT *
* DATA LOSS OR DAMAGES INCURRED BY DOWNLOADING THIS FILE *
* PASSWORD : V14US *
******************************************************************

we also got this, and a confirmation from trend micro, there will be a patch released soon from trend, but nothing at the moment

update:
seems to be packed with upx, unpacking and throwing in the debugger atm

some output from ida, so you get tosee whats going on kinda...

didnt paste all the strings...
one of the important things may be this string right here,
... where the key is created in registry..

ok soo ..

some good research there...
Actually its not trying to download something.. (or yes.. it is..) but its doing a query at the popular search engines for email adresses which it can sent itself too..

Well, from what I can see, that's why there was big problems with google and other search engines today

good research there....

one question tho since I'm a bit confused with all that stuff, does it open a port or anything, or is it harmless on that side of the virus

MyDoom arrives in e-mail messages as an attachment. When opened by a computer user it creates files that allow it to mail itself to other computer users. It usually appears to the recipient to be a message from a network administrator or trusted contact reporting an e-mail problem like a failed delivery.

MyDoom also leaves an open electronic portal into infected computers. That allows its authors, or any other hackers trolling for unsecured computers, to send other files to the computer, search it for data or use it to broadcast spam.

Google and three other search engines - AltaVista, Lycos and Yahoo - were disrupted by a novel twist in MyDoomM, as the latest version of the worm is called. Instead of mailing itself to every address it finds in the address book of an infected computer, MyDoomM first sends queries to the search engines, looking for evidence of which addresses are active.

The flood of queries was probably intended to make the worm more efficient and help it avoid mailing itself to boxes set up specifically to trap unwanted e-mail, said Jose Nazario, a worm expert at Arbor Networks, a network security company based in Lexington, Mass.

Some security experts say that many of the messages that users received, saying that they could not be connected to Google's servers, may have been generated by their own networks' defense systems once the worm was detected rather than by actual overloads at Google.


Got it from NyTimes.com

well done research i might add .. explains everything, thankfully noone at the company has gotten anything, Kav picks it up with todays updates ( July 26, 2004) and it seems that all computers at the workplace. Although some where infected, and they were only win2k sp2 machines don't know if that has anythign to do with it but im guessing it had to do with the fact of Kav not being updated correctly at 12:00 Noon like all the others but thanks for the info u provided I was able to delete the registry entry and had them re-scanned, the company is safe once again thanks for the research once again twistedps.

-MaNiAx

yea i got this but i opened the file
lol got infected
thanks for the information....removing it now

i can't seem to extract the rar

this version of my doom should also open a port on tcp 1034, don't know if the port needs authentication or if you just have to telnet to it

i cant seem to extract this zip file winzip or winrar
can you try re-uploading it?
thankyou

nice work twistedps , i have been busy so not had a lot of chance to look at this,
yea the zip somehow seems to be corrupt, maybe invisions board AV scanner picked it up?

here it is again,
password: virus
encrypted with winzip level 2

********************************8
* AGAIN PLEASE NOTE THIS IS AN ACTIVE VIRUS YOU ARE ABOUT TO DOWNLOAD
**************************************************************

thanks andydis and twistedps im gonna have some fun with ollydbg and ethereal
lol not very subtle in the ways it goes about harvesting the accounts, lots of hard drive usage and 70% CPU usage

nuorder

glad u got it, pm me and ill give you my msn address if you want? (u 2 twistedps)

would love to know ur ethereal results :-)

ZinCite.A is a new Trojan horse that is dropped by the MyDoom.O worm.

ZinCite.A gives a remote attacker backdoor access, connects to other infected computers for unknown purposes and can receive uploaded executable files.

Creates the following Windows registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Services=Windows directory\services.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Services=Windows directory\services.exe

Once installed, ZinCite.A opens TCP port 1034 and attempts to contact other infected computers.



Cleanup Tool Available Here from Symantec

have any of you seen recent emails with .zip files about 1-2k and .com/.pif's in them?
I've been to a few client sites who are getting TONS of these, and some with scattered data in the body of the email...

I've tried dissassembling the .pif within these files, yet it seems to be packed/encrypted in some way that im unfamiliar with

it seems similar to this MyDoom.M file thats going around but its MUCH smaller as i stated previously.

I've tried running it and monitored my registry and such, and see no changes happen, the .COM/.PIF file seems to terminate with a weird system error, yet doesnt seem like something a virus would produce...

so far i havent seen any implications of this smaller .zip file, yet only time will tell...

the clients that ive seen this running on are commonly using Trend's newest pattern .945 i believe or .954 (i forget),..

its damn suspicious..
i'll be sure to update with any information i found...

sorry i stopped the dissassembly process yesterday, got rushed to a client site to do some stuff, and had to stop 'playin around' hehe..
by the time i got back trend already posted an analysis of it, so no further digging was required.

anyone knows how to use the backdoor spawning on port 1034
scanned 4 it and finds some boxes... no banners and stuff =\

the backdoor is useless, it only gives an open port and then connection abort, absolutely useless like all the other backdoors which come with those worms (I remember that nearly every worm has a correspondent backdoor)
1034 is also well used so it wont be able to run everywhere
imho -> crap

how about reverse engineering the trojan itself

I've gotten the services.exe part where it starts making the file...

here you go
I infected a korean machine and got the trojan, be careful its detected by av scanners
pass: onlyforgso

I also renamed the services.exe because on some machines the windows file protection goes crazy and you cant remove the file anymore

A decompiled version of the exe would help me very much as I'm doing research myself on it also.

Lets go for it m8

thanks for the quick reply and the posting of the services.exe file, seems to be a good find...
this was also upx packed, packed size 8k, unpacked size 10k...

some of the interesting things that i tried to find before...

Yea, but the symantec one is more interesting as it describes the backdoor a little bit more detailed:

I'm assuming a certain packet sequence has to be sent, im compiling some stuff together of the authentication sequence from what i can see so far... to be updated.

alright the string zincite i believe is just the filename of the log file used to store the hacked ip's that its found, still not sure how to retrieve...

hmm.. upon further investigtion i believe that the code i pasted above earlier is actually the process of the hacked ip its found being pushed to the log file...

update: I have port 1034 listening on various servers hopefully an infected machine will try and scan me and give me the information that i need to query the servers
I encourage anyone else to do the same...

how can i do that ? (listening to port 1034 ?)

what software?

Thats a good idea twistedps, I now have a couple machines listening and capturing data on tcp:1034

Evilman: the simplest way would be not to run a firewall, or if you have one, to turn off port blocking. Then when a machine tries to connect, using software, capture the packets sent. A packet sniffer would be the type of software to use here.

as an update, i still have yet to recieve any packets on 1034, i think the mydoom.m virus is dying down..
http://www.dshield.org/port_report.php?port=1034