Win32.Novarg.A@mm (W32.Novarg.A@mm, Win32.Mydoom.A, WORM_MIMAIL.R)

SYMPTOMS:
The following files in the %sysdir% folder:
- taskmon.exe
- shimgapi.dll
The following registry key:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon with value %sysdir%\taskmon.exe

TECHNICAL DESCRIPTION:
This is an Internet worm that spreads through e-mail and has backdoor capabilities.

It arrives in the following format:

From: %rand%@%domains%, where %domains% can be one of the following: aol.com, msn.com, yahoo.com, hotmail.com, or a random string.

Subject: randomly chosen from the following list:
- test
- hi
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- Error

Body: random characters or one of the following strings:
- test
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.

Attachment: the name is randomly chosen from the following strings: document, readme, doc, text, file, data, test, message, body
with one of the following extensions: exe, pif, scr, bat, com
or with a double extension: htm.%one of the above%, txt.%one of the above%, doc.%one of the above%

When the user opens the attachment, the worm creates a mutex named SwebSipcSmtxS0 and opens Notepad with random binary content. If the date is 12 February or after, the worm stops the spreading routine.

It drops a DLL to %sysdir%\shimgapi.dll. This DLL is the backdoor component.

It copies itself to %sysdir%\taskmon.exe and adds the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon with value %sysdir%\taskmon.exe

If the date is 1 February or after, it launches a DoS attack against www.sco.com.

It copies itself to the Kazaa shared folder under the following names: nuke2004, office_crack, rootkitXP, strip-girl-2.0bdcom_patches, activation_crack, icq2004-final, winamp5, with extensions randomly chosen from the following list: exe, scr, pif, bat.

It scans for e-mail addresses in files with the following extensions: htm, sht, php, asp, dbx, tbb, adb, wab, txt. The search is initially done in Temporary Internet Files to ensure fast initial spreading, and after that on all fixed drives it finds.

It skips all e-mail addresses that contain the following strings: .edu, abuse, fcnz, spm, www, secur, avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., berkeley, unix, math, bsd, mit.e, gnu, fsf., ibm.com, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, tanford.e, utgers.ed, mozilla, root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, accoun

It waits for connections on TCP port 3127.

Removal instructions: Let BitDefender delete all the infected files it finds.

ANALYZED BY: Sorin Victor Dudea
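The message format above is regular enough to be matched at the mail gateway. The following is an added example of such a check, written for this write-up and not BitDefender's own detection code; the trait lists are taken from the description, while the scoring rule, function names and sample message are the editor's assumptions.

```python
# Mail-traffic heuristic for the Win32.Novarg.A@mm message format described above.
# Constructed example: the scoring rule and sample message are assumptions, the
# lists of domains, subjects, body strings and attachment parts come from the write-up.

SENDER_DOMAINS = {"aol.com", "msn.com", "yahoo.com", "hotmail.com"}
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
# The plain "test" body and random characters are too generic to use as a trait.
BODY_STRINGS = ("has been sent as a binary attachment",
                "mail transaction failed. partial message is available.")
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data",
                "test", "message", "body"}
EXEC_EXTS = {"exe", "pif", "scr", "bat", "com"}
DECOY_EXTS = {"htm", "txt", "doc"}


def attachment_matches(filename):
    """True for <name>.<exec> or <name>.<decoy>.<exec>, the two forms the worm generates."""
    parts = filename.lower().split(".")
    if len(parts) == 2:
        return parts[0] in ATTACH_NAMES and parts[1] in EXEC_EXTS
    if len(parts) == 3:
        return (parts[0] in ATTACH_NAMES and parts[1] in DECOY_EXTS
                and parts[2] in EXEC_EXTS)
    return False


def worm_traits(sender, subject, body, attachments):
    """Return the list of Novarg.A traits a message exhibits, in a fixed order."""
    traits = []
    if sender.rsplit("@", 1)[-1].lower() in SENDER_DOMAINS:
        traits.append("sender-domain")
    if subject.strip().lower() in SUBJECTS:
        traits.append("subject")
    low = body.lower()
    if any(s in low for s in BODY_STRINGS):
        traits.append("body")
    if any(attachment_matches(a) for a in attachments):
        traits.append("attachment")
    return traits


def is_novarg_like(sender, subject, body, attachments):
    """Flag only when the attachment pattern is present plus at least one other trait,
    so a lone 'hi' from a hotmail.com user is not quarantined (assumed threshold)."""
    traits = worm_traits(sender, subject, body, attachments)
    return "attachment" in traits and len(traits) >= 2


if __name__ == "__main__":
    # Constructed sample message following the format in the write-up.
    print(is_novarg_like("x7q2@yahoo.com", "Mail Transaction Failed",
          "The message contains Unicode characters and has been sent as a binary attachment.",
          ["doc.htm.scr"]))  # True
```

Because the sender domain can also be a random string, the domain trait alone is weak; the attachment naming pattern is the anchor of the rule.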