A worm designed to propagate through email is the main proponent used in the DDoS attacks against high-profile websites in the United States and South Korea.
Detected as WORM_MYDOOM.EA by Trend Micro, it is suspected to have arrived in victims’ inboxes as an attachment to email messages. Upon execution, it registers itself as a system service (like as WMI Performance Configuration or WmiConfig) to ensure execution upon startup. It then drops component files distributed on several infected machines with lists of targets for DDoS.
The worm then gathers email addresses from all files located in the affected system’s Temporary Internet Files folder. It also gathers domain names, and uses them to add more email addresses by prepending the user names such as andrew, brenda, david, and george to the gathered domain names (detailed list can be read here). Additionally, the threat attempts to obtain email server addresses by prepending certain strings to the obtained domain names. Emails with a copy of itself as attachment are sent to the composed addresses through its own SMTP engine. It should be noted, however, that though the code suggests that WORM_MYDOOM.EA propagates through email, we have yet to receive a sample that successfully propagates via email.
Our threat researchers are still analyzing some aspects of this malware, and its components, so we will update this post as necessary as more information becomes available.
Files related to network analysis tools are also deleted in order to prevent the affected user from noticing the heightened network activity caused by the DDoS attack (see Figure 1 for the threat diagram).
The DDoS attack left a number of its target websites inaccessible, which included several of South Korea’s government websites. South Korea is one of the top countries in Asia in terms of Internet usage, with an estimated 36.8 million users.
Users are strongly advised to ignore unsolicited emails to avoid unwillingly partaking in this massive attack.
Updates as of 12 July 2009:
WORM_MYDOOM.EB overwrites the Master Boot Record of all drives in the affected system with the string Memory of the Independence Day. It then searches for files with certain file extensions, creates an archive of all found files, then deletes the original files. Found files which are 0-byte (file size is zero) are automatically deleted. The created archive is protected by a random 8-digit password.