[AccessD] WinHaven News Flash - MyDoom/Novarg internet worm

John Bartow john at winhaven.net
Tue Jan 27 08:10:41 CST 2004


I don't usually send these things to lists but... I sent this to my clients
last night and I am getting blasted by this thing already this morning! It's
going to be a slow day for us dial-uppers :o) A dozen and counting!

Hi:
There's a nasty new worm going around the internet. There are many reports
of this worm in the wild and I've already received a number of emails with
this worm attached so be careful!

Official name(s): W32/MyDoom-A, Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm,
W32/Mydoom@MM

Type: Win32 worm

Detection: The following anti-virus products can presently detect this worm
with their latest update: Sophos, Norton, Trend Micro, AVG, F-Secure, McAfee
and Panda. Other brands may be able to as well; I have not checked.


Description
This is a worm which travels by email and the Kazaa p2p network. The worm
harvests email addresses from your hard disk and uses randomly-chosen
addresses for both the "to" and "from" fields. This means that the "from"
address is spoofed and does not tell you where the mail really came from.
The worm arrives in emails with the following characteristics:

Subject lines include:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Attachment names include:
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attachment extensions:
bat
cmd
exe
pif
scr
zip

This worm attaches itself to emails in either EXE (Windows program) or ZIP
(Zip archive) format. It also drops itself to your System folder under the
name taskmon.exe and also drops a file named shimgapi.dll, which is a
backdoor program loaded by the worm. The backdoor allows outsiders to
connect to TCP port 3127 on your computer.
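The subject, attachment-name and extension lists above are enough to build a simple mail-gateway filter. The following is an added example written for this page, not code from the original message or from any of the listed AV vendors. It parses a raw RFC 822 message with Python's standard `email` module, matches it against the indicators exactly as listed in the advisory, and returns a verdict. The quarantine policy (executable or archive extension is quarantined, a subject or name hit alone is only flagged because "hi" and "test" are common in legitimate mail) and the `build_sample` helper, which constructs harmless test messages, are assumptions of this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Indicators copied from the advisory above; everything else here is constructed.
WORM_SUBJECTS = {
    "error", "hello", "hi", "mail delivery system",
    "mail transaction failed", "server report", "status", "test",
}
WORM_ATTACHMENT_NAMES = {
    "body", "data", "doc", "document", "file", "message", "readme", "test",
}
WORM_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def match_indicators(msg: EmailMessage) -> List[Tuple[str, str]]:
    """Return (kind, detail) pairs for every advisory indicator the message matches.

    kind is one of 'subject', 'name' or 'ext'. A random-character subject or
    attachment name (also used by the worm) cannot be matched this way, so the
    extension check is the one that carries most of the weight.
    """
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in WORM_SUBJECTS:
        hits.append(("subject", f"subject {subject!r} is on the worm subject list"))
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        base, ext = os.path.splitext(filename)
        base, ext = base.lower(), ext.lstrip(".").lower()
        if ext in WORM_EXTENSIONS:
            hits.append(("ext", f"attachment {filename!r} has extension .{ext}"))
        if base in WORM_ATTACHMENT_NAMES:
            hits.append(("name", f"attachment {filename!r} uses worm filename {base!r}"))
    return hits


def classify_raw(raw: bytes) -> Tuple[str, List[str]]:
    """Parse a raw message and return ('quarantine' | 'flag' | 'clean', reasons).

    Policy (an assumption of this example): any executable/archive extension
    from the list is quarantined; other hits are flagged for a human.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = match_indicators(msg)
    kinds = {kind for kind, _ in hits}
    if "ext" in kinds:
        verdict = "quarantine"
    elif kinds:
        verdict = "flag"
    else:
        verdict = "clean"
    return verdict, [detail for _, detail in hits]


def build_sample(subject: str, filename: Optional[str]) -> bytes:
    """Construct a test message (harmless bytes, not a worm sample) as raw RFC 822."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"   # constructed, like the worm's forged From
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    if filename is not None:
        msg.add_attachment(b"test bytes only, not executable content",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Mail Delivery System", "document.zip"),
                       ("Quarterly numbers", "report.pdf"),
                       ("hi", None),
                       ("Re: lunch", "readme.txt")]:
        verdict, reasons = classify_raw(build_sample(subj, name))
        print(f"{verdict:10} {subj!r:24} {name!r:16} {reasons}")
```

Because the worm forges the "from" address, the sender header is deliberately not used as an indicator; a filter keyed on sender would both miss the worm and block innocent people whose addresses were harvested.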

This worm adds the value:

Taskmon = taskmon.exe

to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/MyDoom-A loads every time you log on to your computer.
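The three host-side indicators in the advisory (the Run value, the two dropped files in the System folder, and the listener on TCP port 3127) can be checked from the output of ordinary Windows tools. The following triage script is an added example written for this page, not code from the original message; it parses text in the shape produced by `reg query` and `netstat -an`, plus a plain directory listing, so it can be run against output collected from a suspect machine. The sample outputs embedded below are constructed for the example, and the assumption that the data column ends with `taskmon.exe` (rather than requiring an exact match) is this example's choice, made so that a fully qualified path is also caught.

```python
import re
from typing import Dict, Iterable, List

# Host indicators taken from the advisory above.
RUN_VALUE_NAME = "taskmon"        # value "Taskmon = taskmon.exe" under HKLM\...\Run
RUN_VALUE_DATA = "taskmon.exe"
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
BACKDOOR_PORT = 3127

# One value line of `reg query` output: <name> <REG_type> <data>.
_REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# A listening TCP socket line of `netstat -an`; captures the local port.
_NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_run_key(reg_output: str) -> List[str]:
    """Find the worm's autostart value in `reg query HKLM\\...\\Run` output."""
    hits = []
    for line in reg_output.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue                      # key header, blank or column-header line
        name, _reg_type, data = m.groups()
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith(RUN_VALUE_DATA):
            hits.append(f"Run value {name} = {data}")
    return hits


def check_listening_ports(netstat_output: str) -> List[str]:
    """Report a listener on the backdoor port in `netstat -an` output."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append(f"TCP port {BACKDOOR_PORT} is LISTENING: {line.strip()}")
    return hits


def check_system_dir(filenames: Iterable[str]) -> List[str]:
    """Report dropped worm files among the names found in the System folder."""
    return sorted(n for n in filenames if n.lower() in DROPPED_FILES)


def triage(reg_output: str, netstat_output: str, system_dir: Iterable[str]) -> Dict[str, List[str]]:
    return {
        "run_key": check_run_key(reg_output),
        "backdoor_port": check_listening_ports(netstat_output),
        "dropped_files": check_system_dir(system_dir),
    }


def is_infected(findings: Dict[str, List[str]]) -> bool:
    return any(findings.values())


# Constructed sample output for demonstration (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    Taskmon        REG_SZ    taskmon.exe
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "shimgapi.dll", "TASKMON.EXE", "notepad.exe"]

if __name__ == "__main__":
    findings = triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_SYSTEM_DIR)
    for check, hits in findings.items():
        print(f"{check}: {hits or 'no hits'}")
    print("infected" if is_infected(findings) else "clean")
```

A file-name hit on its own is weaker than the other two: Windows 9x/Me ships a legitimate Task Monitor (TASKMON.EXE) in the Windows folder, so confirm a hit by checking that the file sits in the System folder and by scanning it with an updated AV product before removing anything.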

Update those AV programs!


Have a good week!

John R Bartow
WinHaven Computer Services
PO Box 130
Winneconne, WI 54986-0130
Office: 920-582-7574
john at winhaven.net

This message is a free service of WinHaven Consulting LLC. If you don't want
to receive these messages please click here:
mailto:techasst at winhaven.net?Subject=Please%20remove%20me%20from%20the%20WinHaven%20News%20Flash%20email%20list
