MoMusings

Monday 16th August, 2004


MyDoomed Again and Windows XP Broken?

Filed under: All, Malware

I’m back from two weeks’ vacation and raring to get the bit back between my teeth... Truth to tell, even though I’ve been (officially) on leave, I’ve still been keeping my finger on the pulse of the malware scene, and caught a number of new worms, but that’s another story.

We’re All MyDoomed Yet Again!

What a welcome back! No sooner do I get back in the saddle than along comes a new MyDoom variant, known as MyDoom.s (or MyDoom.q or MyDoom.[insert letter here]*). It is a simple mass-mailer which, when launched, downloads a backdoor from a number of sites that have been seeded with it. More details can be found below and by following the links to several AV companies:

The e-mail that arrives from an infected host has an attachment called “photos_arc.exe” and has the following subject and body text:

 Subject: photos
 Body Text: LOL!;))))

When the attachment is run, the virus copies itself to the WINDOWS (%WinDir%) directory as rasor38a.dll, and to the SYSTEM (%SysDir%) directory as winpsd.exe.

The virus creates the following registry key values:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "winpsd" = C:\WINDOWS\System32\winpsd.exe

The virus then downloads the backdoor component from one of two different websites:

Links to full descriptions from a selection of AV vendors:

F-secure
SOPHOS
Symantec

Note: Receiving an e-mail alert stating that the virus came from your e-mail address is not an indication that you are infected, as the virus often forges the From: address.

My generic MyDoom SNORT signature flagged it fine, as did POPFile (I’m using Bayesian filtering techniques to identify new malware, as well as SPAM et al). However, I also created distinct SNORT signatures to detect it (and the backdoor too).
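As an added illustration of the mail-side check described above (this is my own example, not code from the original post), the following Python script runs raw e-mail messages through the indicators listed earlier: the photos_arc.exe attachment name, the “photos” subject and the “LOL!;))))” body. The sample messages are constructed inline for the demonstration, and the function and constant names are my own. The From: header is reported for information only, since, as noted above, the worm forges it.

```python
"""Check raw e-mail messages against the MyDoom.s indicators given in the post.

Added example; the two sample messages below are constructed, not real captures.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the post
MYDOOM_ATTACHMENT = "photos_arc.exe"
MYDOOM_SUBJECT = "photos"
MYDOOM_BODY = "LOL!;))))"

# Any executable attachment is worth flagging, whatever it is called
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def scan_message(raw: bytes) -> dict:
    """Return which indicators a single raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == MYDOOM_SUBJECT:
        hits.append("subject")

    # Plain-text body part, if there is one (attachments are skipped by get_body)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and MYDOOM_BODY in body.get_content():
        hits.append("body")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        if name.lower() == MYDOOM_ATTACHMENT:
            hits.append("attachment")
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            hits.append("executable-attachment")

    return {
        # Informational only: MyDoom forges the From: header
        "from": str(msg.get("From") or ""),
        "attachments": attachments,
        "hits": hits,
        # Subject and body alone also match harmless mail; the attachment is the decider
        "suspected_mydoom": "attachment" in hits,
    }


def scan_mailbox(messages) -> list:
    """Return the indices of the messages that look like the worm."""
    return [i for i, raw in enumerate(messages)
            if scan_message(raw)["suspected_mydoom"]]


def build_sample(subject, body, attachment_name=None, sender="someone@example.com"):
    """Construct a sample message (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm mail, one harmless holiday mail
WORM_SAMPLE = build_sample("photos", "LOL!;))))", "photos_arc.exe")
BENIGN_SAMPLE = build_sample("photos", "Here are the holiday photos", "beach.jpg")

if __name__ == "__main__":
    for raw in (WORM_SAMPLE, BENIGN_SAMPLE):
        print(scan_message(raw))
    print("suspected:", scan_mailbox([WORM_SAMPLE, BENIGN_SAMPLE]))
```

Only the attachment name is used to decide, because a subject of “photos” or a smiley in the body turns up in plenty of legitimate mail; the other matches are kept in the report so an analyst can see how closely a message follows the template.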

*One day all AV companies will finally agree on a single naming standard and apply it consistently [yeah right ;-) ], so that we don’t have this horrible mess we have with a number of malware families.

XP SP2 Breaks Windows Applications!

Well, I took the plunge and updated my Windows XP system to SP2, and boy did it break things!

It broke my Sygate personal firewall installation (caused it to completely fail, even when the ICF was switched off!), it complained about my AV (that I had too many installed?**), and it blocked remote access to a number of servers (FTP, HTTP, VNC...) that I use on my private IP address range.

If MS don’t sort out these issues then I feel very sorry for the Joe/Jo Averages out there that install it, as they (Mr/Mrs/Miss/Ms Average) are going to have a hell of a time sorting out the problems it will cause them.

So, I did some more research and it seems that SP2 for Windows XP breaks and interferes with numerous applications (which worked fine with SP1 incidentally). You can find more details via the links below.

Microsoft’s own page about this issue
ISC shared experiences can be found here

Is this a case where the cure is worse than the disease? Probably not, but it is a close call... Microsoft had better fix these problems soon or less than 20% of users will risk the upgrade to SP2!

PS: I must clearly state that many of the changes in SP2 are inherently ‘good’; it is just that the implementation is the usual Microsoft one of “Let’s use our customers as Guinea Pigs...”

**No, I don’t have them all running on-access, they are used on-demand for testing new samples.

UPDATE: Oh joy, more flaws have been found in the ‘new’ security features of SP2. I have already discussed the ‘TCP/IP Throttle’ feature and how it can be bypassed; now more revelations can be found here.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.
