MoMusings

Friday 3rd December, 2004


New Atak or is it a MyDoom In-The-Wild?

Filed under: All, Malware

The morning started off with a bang: was it an Atak, or were we all MyDoomed again?

Sitting in my mailbox's malware folder, what do I find but a new piece of malware. So I start to prod and poke it, scan it, decode it, unzip the attached zip, and get a CRC error. Very odd!

Thirteen scanners later, only one detects anything nasty in the file. Stranger and stranger.

So is it a corrupted sample or something new?

All will be revealed below:

Here’s an example e-mail:

< -- start of example e-mail -->

Return-path:
Received: from xxxx.xx (210.xxx.xxx.xx) by arachnid.homeip.net (Mercury/32
v4.01a) with ESMTP ID MG005D88;
3 Dec 2004 11:51:33 -0000
From: xxxxx@xxxxxx.xx
To: martin@xxxxxx.com
Subject: It's begin here!
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_3317"
X-Priority: 1
X-MSMail-Priority: High
X-Text-Classification: malware
X-Recipient:
Status: RO
X-Status: R
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:

This is a multi-part message in MIME format.

------=_3317
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Hello mssupport

Your request has been accepted.
Your account info:

>> Email:
>> Password: 1c82

Visit our website to get more info at: http://www.microsoft.com

NOTE: All your account information has been attached as file and ready to be
printed.

------=_3317
Content-Type: application/octet-stream;
name="oowqw.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="oowqw.zip"

< -- MIME encoded worm body snipped for safety -->
< -- end of example e-mail -->

Here’s the other body text I’ve seen:

< -- start of example e-mail -->
Hello mmay

Your request has been accepted.
Your account info:

>> Email:
>> Password: 2555

Visit our website to get more info at: http://www.dnaco.net

NOTE: All your account information has been attached as file and ready to be
printed.
< -- end of example e-mail -->

Attachment names seen so far:
xqibqko.zip
aykn.zip
oowqw.zip

Zip file sizes vary, but so far range from 12,153 to 12,343 bytes.

The sample's binary, when extracted from its .ZIP container, seems to be
static (however, all extractions report CRC errors in the samples I have so far;
this could be a red herring, or an error on the part of the malware author?).
Details below:

MD5: b594fc33348c631b69471afa7d2f24c3
FileSize: 12,037 bytes

Samples have been sent to the vendors.

This data has come back from Norman, the results of testing it in their sandbox
(which seem to show clearly that it works):

00:03 | q:\aykn..exe - infected with unknown worm - W32/EMailWorm

[ General information ]
* File length: 12037 bytes.
* Total emulation cycles required: 13651752.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\a1g.exe.
* Creates file C:\WINDOWS\TEMP\tmp0919.tmp.
* Deletes file C:\WINDOWS\TEMP\tmp0919.tmp.
* Creates file C:\WINDOWS\TEMP\tmp0909.tmp.
* Creates file C:\WINDOWS\TEMP\tmp0918.tmp.
* Deletes file C:\WINDOWS\TEMP\tmp0909.tmp.

[ Changes to system settings ]
* Modifies profile key "load"="C:\WINDOWS\SYSTEM\a1g.exe" in section
[windows] of file win.ini.

[ Network services ]
* Looks for an Internet connection.
* Connects to “CONFIGURED_DNS” on port 53 (UDP).
* Connects to “mailin-02.mx.manpower.no” on port 25 (TCP).
* **Connects SMTP server.

[ Network ]
* **Uses IPHLPAPI services.

[ Spreading through EMail ]
* To :
.
* From : ritasvee@online.no.
* Subject: It's begin here!.
* Mass-mailer; spreads through SMTP.

[ Process/window information ]
* Creates a mutex mtxSSS.

Update:

McAfee has released a description and specific detection of this as
W32/Atak.d@MM. The description can be found here.

Kaspersky have added detection of this as Email-Worm.Win32.MyDoom.ad

Panda have just informed me that they are also calling it Atak.d.

SOPHOS has now joined the Atak.d camp, F-Secure have also confirmed it is a member of the Atak family, and Symantec have just informed me that they are classifying it as W32/Atak.B@mm, so Kaspersky, I think a name-change is in order, don't you?

The bad 'CRC' error which I noted in my original analysis is actually a ploy used by this worm to try to stop common decompression tools from opening it, thus stopping it from being scanned. Interesting trick!
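As an added example that is not part of the original post, the Python below reproduces that ploy end to end: it builds a constructed message in the shape of the sample e-mail above, with a one-member zip whose CRC-32 fields have been deliberately overwritten, shows that Python's zipfile module refuses the archive just as the author's decompression tools did, and then carves the member out by walking the local file headers and ignoring the stored CRC so the binary can still be hashed and submitted to vendors. The payload, archive and message are constructed stand-ins (nothing here is the worm itself); the carver assumes stored or deflated members without data descriptors or encryption.

```python
"""Triage for a mass-mailer whose .zip attachment carries a deliberately wrong CRC-32.
Added example, not code from the original post: the message, payload and archive are
constructed stand-ins shaped like the post's sample, not the worm itself."""
import base64, email, hashlib, io, struct, zipfile, zlib
from email import policy

def make_zip(name: str, data: bytes, corrupt_crc: bool = False) -> bytes:
    """One-member deflated zip. corrupt_crc=True overwrites the CRC-32 in the local
    header and the central directory, reproducing the ploy the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if corrupt_crc:
        bogus = struct.pack("<I", 0xDEADBEEF)
        blob[14:18] = bogus                                # local header CRC
        eocd = blob.rfind(b"PK\x05\x06")                   # end-of-central-dir record
        cd = struct.unpack_from("<I", blob, eocd + 16)[0]  # central directory offset
        blob[cd + 16:cd + 20] = bogus                      # central directory CRC
    return bytes(blob)

def build_message(zip_bytes: bytes, zip_name: str) -> bytes:
    """Constructed e-mail in the shape of the post's sample (headers abbreviated)."""
    b64 = base64.encodebytes(zip_bytes).decode("ascii")
    return (
        "From: xxxxx@xxxxxx.xx\nTo: martin@xxxxxx.com\nSubject: It's begin here!\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="----=_3317"\n\n'
        '------=_3317\nContent-Type: text/plain; charset="Windows-1252"\n'
        "Content-Transfer-Encoding: 7bit\n\nHello mssupport\n\n"
        "Your request has been accepted.\n\n"
        f'------=_3317\nContent-Type: application/octet-stream; name="{zip_name}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{zip_name}"\n\n{b64}------=_3317--\n'
    ).encode("ascii")

def zip_attachments(raw: bytes):
    """Yield (filename, bytes) for every .zip attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            yield name, part.get_payload(decode=True)

def zipfile_rejects(zip_bytes: bytes) -> bool:
    """True when the standard library refuses the archive: testzip() names the member
    whose running CRC-32 disagrees with the stored one, as the author's tools did."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.testzip() is not None

def carve_members(zip_bytes: bytes):
    """Walk the local file headers and inflate each member WITHOUT trusting the stored
    CRC, so a mismatched archive still yields the binary for hashing. Assumes stored or
    deflated members with sizes in the header (no data descriptor, no encryption)."""
    members, pos = [], 0
    while (pos := zip_bytes.find(b"PK\x03\x04", pos)) >= 0:
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        _v, flags, method, _t, _d, stored_crc, csize, usize, nlen, xlen = \
            struct.unpack_from("<4xHHHHHIIIHH", zip_bytes, pos)
        if flags & 0x8:
            raise ValueError("data descriptor in use; sizes are not in the local header")
        name = zip_bytes[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        start = pos + 30 + nlen + xlen
        comp = zip_bytes[start:start + csize]
        if method == 0:
            data = comp
        elif method == 8:
            data = zlib.decompress(comp, -15)  # raw deflate stream, no zlib header
        else:
            raise ValueError(f"unsupported compression method {method} in {name}")
        real_crc = zlib.crc32(data) & 0xFFFFFFFF
        members.append({
            "name": name, "data": data, "md5": hashlib.md5(data).hexdigest(),
            "stored_crc": stored_crc, "real_crc": real_crc, "crc_ok": stored_crc == real_crc,
            # inflates cleanly to the declared size yet the CRC differs: a tampered
            # header rather than an archive damaged in transit
            "stream_intact": len(data) == usize,
        })
        pos = start + csize
    return members

def triage(raw_message: bytes):
    """Pull every zip attachment, note whether zipfile rejects it, carve it anyway."""
    results = []
    for att_name, zip_bytes in zip_attachments(raw_message):
        rejected = zipfile_rejects(zip_bytes)
        for m in carve_members(zip_bytes):
            m.update(attachment=att_name, zipfile_rejects=rejected)
            results.append(m)
    return results

# Constructed stand-in for the worm body (the real binary is 12,037 bytes).
PAYLOAD = b"MZ" + b"\x90" * 240 + b"constructed stand-in, not the real worm"
BAD_MAIL = build_message(make_zip("aykn.exe", PAYLOAD, corrupt_crc=True), "aykn.zip")
GOOD_MAIL = build_message(make_zip("aykn.exe", PAYLOAD), "aykn.zip")

if __name__ == "__main__":
    for r in triage(BAD_MAIL):
        print(f"{r['attachment']} -> {r['name']}: {len(r['data'])} bytes md5={r['md5']} "
              f"stored_crc={r['stored_crc']:08x} real_crc={r['real_crc']:08x} "
              f"crc_ok={r['crc_ok']} stream_intact={r['stream_intact']} "
              f"zipfile_rejects={r['zipfile_rejects']}")
```

The stream_intact flag is the check worth keeping: a member that inflates cleanly to its declared uncompressed size while only the CRC disagrees points at a tampered header rather than an archive damaged in transit, which is exactly the distinction drawn above. For a scanning pipeline the lesson is the same: a CRC mismatch is a reason to look harder at a member, not a reason to skip it.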


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
