MyDoom.bb prevention and cure
Takeaway: Like MyDoom.m, this virus uses popular search engines to find its victims. Here are details on how to spot MyDoom.bb and how to address the problem.
By Robert Vamosi, CNET Reviews
Yet another virus is using Google and other popular search engines to spread. MyDoom.bb (w32.mydoom.bb@mm) is a direct variant of MyDoom.m, which also pummeled search engines last summer in an attempt to harvest e-mail addresses. In addition, MyDoom.bb attempts to shut down active instances of Outlook and Internet Explorer. The virus affects only Windows computers; users of Mac OS, Linux, and Unix machines are not affected. Because MyDoom.bb spreads via e-mail and may allow remote access to your computer, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
MyDoom.bb arrives by e-mail, using a spoofed sender, and it appears to be a warning from your company or Internet service provider (ISP) regarding recent unsent mail; it includes a "helpful" attachment, which is actually the virus component. One version of the body text reads as follows:
According to F-Secure, another version of the body text reads as follows:
Do not open the attached file!
Should you open the attached file, MyDoom.bb will attempt to download a backdoor Trojan horse known as Surila.o. MyDoom.bb opens a listener on TCP port 1034 and sends messages from higher TCP ports, looking for other infected machines that are listening on port 1034. MyDoom.bb also attempts to kill Outlook and Internet Explorer if these apps are running.
MyDoom.bb installs itself as java.exe and adds another file called services.exe to the Windows directory.
C:\WINDOWS\JAVA.EXE
C:\WINDOWS\SERVICES.EXE
The virus adds or changes the following Registry keys and values:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
- HKEY_CURRENT_USER\Software\Microsoft\Daemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
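The indicators above (the two dropped files, the Run values, the Daemon keys and the port 1034 listener) can be checked from PowerShell. This is an added example, not part of the original article or of any vendor's removal tool; it assumes a Windows 8 / Server 2012 or later host for Get-NetTCPConnection, and it only reports findings, it does not clean anything.

```powershell
# Added example (not from the original article): read-only check for the
# MyDoom.bb indicators listed above. Run from an elevated PowerShell prompt.
# It only reports what it finds; nothing is deleted or changed.

$findings = @()

# 1. Dropped files in the Windows directory. A legitimate services.exe lives in
#    %SystemRoot%\System32, so a copy directly under %WinDir% is suspicious.
foreach ($name in 'JAVA.EXE', 'SERVICES.EXE') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Run-key persistence values named JavaVM and Services
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($valueName in 'JavaVM', 'Services') {
    $item = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value: $valueName = $($item.$valueName)"
    }
}

# 3. Daemon keys under HKCU and HKLM
foreach ($key in 'HKCU:\Software\Microsoft\Daemon', 'HKLM:\SOFTWARE\Microsoft\Daemon') {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

# 4. Backdoor listener on TCP port 1034 (Get-NetTCPConnection needs Windows 8 /
#    Server 2012 or later; on older hosts use netstat -ano and look for :1034)
$listeners = Get-NetTCPConnection -LocalPort 1034 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 1034 listener: PID $($conn.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No MyDoom.bb indicators found.'
} else {
    Write-Output 'Possible MyDoom.bb infection; review these findings:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on any one indicator is a reason to run an updated antivirus scan, not proof on its own; the port check in particular will also flag any unrelated program that happens to listen on 1034.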
Prevention
If you receive MyDoom.bb, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.
Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates (as MyDoom.au), F-Secure, McAfee, Norman (as MyDoom.aq), Panda (as MyDoom.ao), Sophos (as MyDoom.o), Symantec (as MyDoom.ax), and Trend Micro.