Worm Win32.Mydoom.BD hijacks Exchange to automatically send users virus-notification e-mails

Virus name: Worm Win32.Mydoom.BD

Aliases: WORM_MYDOOM.AG (Trend), W32/Mydoom.AY@mm (F-Secure), Win32.Mydoom.BD, W32.Mydoom.CI@mm (Symantec), Win32/MyDoom.O!Worm, W32/Mydoom.o@MM (McAfee), W32/MyDoom-BC (Sophos), Email-Worm.Win32.Mydoom.am (Kaspersky)

Type: worm    Severity: medium    Prevalence: high

Details:

Characteristics:

Win32.Mydoom.BD is a worm that spreads via e-mail and installs a backdoor.

Infection method:

Mydoom.BD copies itself to %Windows%\java.exe and sets the following registry value so that the worm runs at every system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM = "%Windows%\java.exe"

Note: '%Windows%' is a variable path. The virus queries the operating system to determine the location of the current Windows folder. The default installation path is C:\Winnt on Windows 2000 and NT, C:\Windows on 95, 98 and ME, and C:\Windows on XP.

The worm also creates the file %Windows%\services.exe and runs it. It sets the following registry value so that this file also runs at every system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services = "%Windows%\services.exe"

The worm uses a mutex to ensure that only one copy runs. The mutex name is formed by appending the string "root" to the host name, with every non-alphabetic character replaced by a random uppercase letter. For example, if the computer name is "Billy_22", the mutex name might be "BillyZJQroot".
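The two host-side traces described above (the Run values and the mutex naming scheme) can be checked with a small triage helper. This is an added example with constructed sample data, not code from the original advisory; it assumes the Run values are supplied as a name-to-data dictionary (for example exported from the registry) and the mutex names as a plain list.

```python
import re

# Run-key values named in the advisory and the file each one is expected to point at
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = {"JavaVM": "java.exe", "Services": "services.exe"}


def suspicious_run_values(run_values, windows_dir=r"C:\Windows"):
    """Return (name, data) pairs whose name matches a worm value and whose data
    points at java.exe / services.exe placed directly in the Windows folder.
    A legitimate services.exe lives in System32, so the parent folder matters."""
    hits = []
    for name, data in run_values.items():
        expected = DROPPED_FILES.get(name)
        if expected is None:
            continue
        folder, _, fname = data.strip('"').rpartition("\\")
        if fname.lower() == expected and folder.lower() == windows_dir.lower():
            hits.append((name, data))
    return hits


def mutex_pattern(hostname):
    """Regex for mutex names derived from `hostname` as the advisory describes:
    letters are kept, every other character becomes one uppercase letter,
    and "root" is appended. "Billy_22" -> ^Billy[A-Z][A-Z][A-Z]root$"""
    body = "".join(ch if ch.isalpha() else "[A-Z]" for ch in hostname)
    return re.compile("^" + body + "root$")


def suspicious_mutexes(hostname, mutex_names):
    pat = mutex_pattern(hostname)
    return [m for m in mutex_names if pat.match(m)]


# Constructed sample data (not taken from a real host)
SAMPLE_RUN = {
    "JavaVM": r"C:\Windows\java.exe",        # worm persistence value
    "Services": r"C:\Windows\services.exe",  # second dropped file
    "Updater": r"C:\Program Files\Vendor\updater.exe",  # unrelated entry
}
SAMPLE_HOST = "Billy_22"
SAMPLE_MUTEXES = ["BillyZJQroot", "Billy_22root", "Billyabcroot",
                  "BillyAroot", "SomeOtherMutex"]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN))
    print(suspicious_mutexes(SAMPLE_HOST, SAMPLE_MUTEXES))
```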

Propagation method:

Via e-mail

Mydoom.BD spreads via e-mail. To deliver mail to the addresses it harvests, the worm connects directly to the recipient's mail server rather than using an existing mail client. It performs DNS MX (mail exchanger) lookups to find the appropriate mail server for each domain it sends the virus to, using the DNS server configured by default on the local system. If no mail server can be found, it guesses the recipient's mail server by prefixing the domain of the e-mail address with one of the following strings:

mail.

smtp.

mx.

The worm harvests e-mail addresses from the user's Windows Address Book and from local files with the following extensions:

.pl*

.ph*

.tx*

.tbb*

.wab*

.asp*

.adb*

.sht*

.dbx*

.ht*

It also uses public search engines such as Google, Lycos, Altavista and Yahoo!. The search query combines a domain name from an already harvested address with one of the following words:

reply

mailto

email

e-mail

mail

contact

The number of search results requested is chosen at random from 20, 50 and 100, or the worm specifies no number. The results are then saved to disk and the retrieved pages are searched for addresses in the same way.

The virus avoids sending mail to domains containing the following substrings:

arin.

avp

bar.

domain

example

foo.com

gmail

gnu.

google

hotmail

microsoft

msdn.

msn.

panda

rarsoft

ripe.

sarc.

seclist

secur

sf.net

sophos

sourceforge

spersk

syma

trend

update

uslis

winrar

winzip

yahoo

It also avoids sending mail to addresses with the following user names:

anyone

ca

feste

foo

gold-certs

help

info

me

no

nobody

noone

not

nothing

page

rating

root

site

soft

someone

the.bat

you

your

Nor does it send to user names containing the following substrings:

abuse

accoun

admin

bugs

listserv

mailer-d

master

ntivi

privacycertific

sample

secur

spam

submit

support

The worm may spoof the sender address using a harvested address, or build one from the recipient's domain and one of the following user names:

postmaster

MAILER-DAEMON

noreply

The sender may use one of the following display names:

Bounced mail

Mail Administrator

Mail Delivery Subsystem

MAILER-DAEMON

Post Office

Postmaster

Returned mail

The Post Office

Possible subjects:

hello

hi

error

status

test

report

delivery failed

Message could not be delivered

Mail System Error - Returned Mail

Delivery reports about your e-mail

Returned mail: see transcript for details

Returned mail: Data format error

The attachment name may be one of:

attachment

document

file

instruction

letter

mail

message

readme

text

transcript

with one of the following extensions:

.bat

.cmd

.com

.exe

.pif

.scr

The recipient's e-mail address or domain may also be used as the file name. If that name already ends in .com, the worm may not append another extension. The attachment may also carry a .zip extension.

Mydoom.BD may use .doc, .txt, .htm or .html as a decoy extension, followed by many spaces and then one of the extensions above, for example:

"attachment.doc .exe"

The malicious program may use an envelope icon.
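The sender display names, subjects and attachment-naming tricks listed above can be combined into a mail-gateway triage rule. This is an added example with constructed sample messages, not code from the original advisory; it assumes each message is supplied as a dictionary with the sender display name, subject and attachment file name already extracted.

```python
import re

SENDER_NAMES = {n.lower() for n in (
    "Bounced mail", "Mail Administrator", "Mail Delivery Subsystem", "MAILER-DAEMON",
    "Post Office", "Postmaster", "Returned mail", "The Post Office")}
SUBJECTS = {s.lower() for s in (
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail", "Returned mail: see transcript for details",
    "Returned mail: Data format error")}
EXEC_EXT = ("bat", "cmd", "com", "exe", "pif", "scr")
# Decoy extension, whitespace padding, then the real executable extension
PADDED_NAME = re.compile(r"\.(doc|txt|htm|html)\s+\.(" + "|".join(EXEC_EXT) + r")$",
                         re.IGNORECASE)


def attachment_risk(filename):
    """'padded' for the decoy-extension trick, 'executable' for a bare executable
    extension (this also catches an address ending in .com used as the name),
    'archive' for .zip, otherwise None."""
    if PADDED_NAME.search(filename):
        return "padded"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXEC_EXT:
        return "executable"
    if ext == "zip":
        return "archive"
    return None


def matching_traits(msg):
    """List which of the three advisory traits the message exhibits."""
    reasons = []
    if msg.get("from_name", "").lower() in SENDER_NAMES:
        reasons.append("sender name")
    if msg.get("subject", "").lower() in SUBJECTS:
        reasons.append("subject")
    risk = attachment_risk(msg.get("attachment", ""))
    if risk:
        reasons.append("attachment:" + risk)
    return reasons


def is_likely_mydoom_lure(msg):
    """Two or more traits together are treated as a likely bounce-style lure."""
    return len(matching_traits(msg)) >= 2


SAMPLE_MESSAGES = [  # constructed samples, not captured mail
    {"from_name": "Bounced mail", "subject": "Returned mail: see transcript for details",
     "attachment": "attachment.doc                    .exe"},
    {"from_name": "Mail Delivery Subsystem", "subject": "delivery failed",
     "attachment": "patric@abc.com"},
    {"from_name": "Alice", "subject": "status", "attachment": "notes.txt"},
]
```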

Possible message body:

The worm varies the body by changing words, phrases or punctuation, so there are many possible bodies, for example:

§ Dear user [(recipient domain) or of (recipient domain)], [[Mail or mail] [system or server] [administrator or administration] of (recipient domain) would like to [inform you that[: or ,]] or let you know [that or the following][. or : or ,] or (blank)]

We have [detected or found or received] reports that [your or Your] [e-mail or email] account [has been or was] used to send a [large or huge] amount of [[unsolicited [ commercial or (blank)] or junk] [e-mail or email or spam][ messages or (blank)] [during this or the [last or recent]] week.

[We suspect that or Probably, or Most likely or Obviously,] your computer [had been or was] [compromised or infected [ by a recent virus or (blank)] and now [runs or contains] a [trojan or trojaned or (blank) or hidden] proxy server.

[Please or We recommend [that you or you to]] follow [our or the or (blank)]instructions or instruction] [in the [attachment or attached [text or file] or (blank)] in order to keep your computer safe.

[[Virtually or Sincerely] yours or Best [wishes or regards or Have a nice day], [(recipient domain) [user or technical or (blank)] support team. or The (recipient domain) [support or (blank)] team.

§ [The or This or Your] message was[ undeliverable or not delivered] due to the following [reasons or reason]:

Your message [was not or could not be] delivered because the destination [computer or server] was

[not or un]reachable within the allowed queue period. The amount of time

a message is queued before it is returned depends on local configura-

tion parameters.

Most likely there is a network problem that prevented delivery, but

it is also possible that the computer is turned off, or does not

have a mail system running right now.

Your message [was not or could not be] delivered within (a random digit) days:

[[Mail [server or Server]] or Host] (random IP)) is not responding.

The following recipients [did or could] not receive this message:

<(recipient address)>

Please reply to postmaster@[(sender domain) or (recipient domain)]

if you feel this message to be in error.

§ Dear user of (recipient domain),

We have found that your email account was used to send a huge amount of spam messages during the recent week.

Obviously, your computer was compromised and now runs a hidden proxy server.

We recommend that you follow our instructions in the attachment in order to keep your computer safe.

Best regards,

The (recipient domain) support team.

The body may also be empty, random, or chosen from the following:

§ The original message was included as attachment

§ [The or Your] [message or Message] could not be delivered

§ The original message was received at [(date)] [(line feed) or (space)]

from[(recipient domain)[random IP address] or (random IP address) or [(random IP address)]]

----- The following addresses had permanent fatal errors -----

(recipient address)

The above may also be replaced with:

§ ----- Transcript of [the or (blank)] session follows -----

... while talking to [[host or mail or (blank)] server or (blank)] [(recipient domain) or (random IP address)]:

possibly followed by one or more of the following:

§ >>> MAIL [From or FROM]:(sender domain)

§ <<<50(random digit) [(sender domain...) or (blank)][Refused or [Access [denied or Denied]]]

§ [User or Domain or Address] [unknown or blacklisted]

§ 554 <(recipient domain)>... [Mail quota exceeded or Message is too large]

§ 554 <(recipient domain)>... Service unavailable

§ 550 5.1.2 <(recipient domain)>... Host unknown (Name server: host not found)

§ 554 [5.0.0 or (blank)]Service unavailable; [(random IP address)] blocked using [relays.osirusoft.com or bl.spamcop.net]

[, reason: Blocked or (blank)]

§ Session aborted[, reason: lost connection or (blank)]

§ >>> RCPT To:<(recipient address)>

§ <<<550 [MAILBOX NOT FOUND

§ 5.1.1 <(recipient address)>... [User unknown or Invalid recipient or Not known here]

§ >>> DATA

§ <<<400-aturner; %MAIL-E-OPENOUT, error opening !AS as output

§ <<<400-aturner; -RMS-E-CRE, ACP file create failed

§ <<<400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded

§ <<<400

§ (blank)

Below is a sample message:

-----Original Message-----

From: Bounced mail [mailto:MAILER-DAEMON@abc.cn]

Sent: Tuesday, December 03, 2013 10:16 PM

To: Patric Xu

Subject: Returned mail: see transcript for details

Dear user of abc.cn,

Your email account has been used to send a large amount of spam during the recent week.

We suspect that your computer had been infected by a recent virus and now contains a hidden proxy server.

We recommend you to follow our instruction in the attached file in order to keep your computer safe.

Best regards,

abc technical support team.