W32.Novarg.A@mm / W32/Mydoom@MM on the loose
Posted on 27-Jan-2004 11:54 | Tags Filed under: News



Security firms are currently investigating a new mass-mailing worm. Initial submissions have been received with file extensions of .exe, .pif, .scr, and .zip. This virus tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present. The body of the message may contain the following variations:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

The worm's body is encrypted, and security firms are still analysing it. Some companies call it W32/Mydoom@MM and others W32.Novarg.A@mm.

When this file is run it copies itself to the local system with the following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
%SysDir%\taskmon.exe
(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:

%SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe


When the machine gets infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198. This potentially allows a hacker to connect to the machine and use it as a proxy to reach its network resources. In addition, the backdoor has the ability to download and execute arbitrary files. The worm will perform a DoS starting on 1 February 2004.
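A mail-gateway check for the indicators described above, added here as an example and not code from the advisory or from any vendor: it parses one message, matches the three body texts, flags attachments with the listed executable extensions, and opens .zip attachments to look for the same extensions inside. The sample message, its addresses and the zip contents are constructed for the example.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

MYDOOM_BODY_TEXTS = (  # body text variants quoted in the advisory, matched as exact substrings
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
EXECUTABLE_EXTS = (".exe", ".pif", ".scr")  # carriers seen in submissions; a .zip is opened and inspected

def suspect_attachment_names(filename, payload):
    # Returns attachment names (including zip members) that carry an executable extension; [] if none.
    name = filename.lower()
    if name.endswith(EXECUTABLE_EXTS):
        return [filename]
    if name.endswith(".zip"):
        try:
            members = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            return [f"{filename}:<unreadable zip>"]  # a zip the scanner cannot open still needs review
        return [f"{filename}:{m}" for m in members if m.lower().endswith(EXECUTABLE_EXTS)]
    return []

def classify_message(raw_bytes):
    # Returns (verdict, body_hits, attachment_hits) for one raw RFC 822 message.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body_hits, attachment_hits = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachment_hits += suspect_attachment_names(filename, part.get_payload(decode=True) or b"")
        elif part.get_content_type() == "text/plain":
            body_hits += [t for t in MYDOOM_BODY_TEXTS if t in part.get_content()]
    if body_hits and attachment_hits:
        return "quarantine", body_hits, attachment_hits  # lure text plus executable carrier
    if body_hits or attachment_hits:
        return "review", body_hits, attachment_hits      # one signal only: hold for an AV rescan
    return "pass", body_hits, attachment_hits

def build_sample_message():
    # Constructed message mimicking the lure described above; the zip holds placeholder bytes, not malware.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"placeholder bytes, not a real worm")
    msg = EmailMessage()
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

Matching the body text alone is a weak signal on its own, since genuine bounce messages use similar wording; the verdict only escalates to quarantine when an executable carrier is present as well.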


  • More information: http://securityresponse.symantec.com/avcenter...
