W32.Novarg.A@mm / W32/Mydoom@MM on the loose
Posted on 27-Jan-2004 11:54 | Filed under: News

Security firms are currently investigating a new mass-mailing worm. Initial submissions have been received with file extensions of .exe, .pif, .scr, and .zip. This virus tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present. The body of the message may contain the following variations:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

    The worm itself is encrypted, and security firms are still analysing it. Some companies call it W32/Mydoom@MM and others W32.Novarg.A@mm.

    When this file is run it copies itself to the local system with the following filenames:

    c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
    %SysDir%\taskmon.exe
    (where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

    It also uses a DLL that it creates in the Windows System directory:

    %SysDir%\shimgapi.dll (4,096 bytes)

    It creates the following registry entry to hook Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe


    When the machine gets infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198. This will potentially allow a hacker to connect to the machine and utilize it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files. The worm will perform a DoS starting on 1 February 2004.
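The indicators listed above (listeners on TCP 3127 through 3198, the TaskMon Run value, and the files in %SysDir% and the Kazaa share) can be checked on a host with a short triage script. This is an added example, not part of the original article; the function names and the sample netstat, registry and file data are constructed for illustration.

```python
import ntpath

# Indicators as listed in the article above.
BACKDOOR_PORTS = range(3127, 3199)   # TCP 3127 through 3198, inclusive
SYSDIR_FILES = {"taskmon.exe", "shimgapi.dll"}
KAZAA_COPY = "activation_crack.scr"

def backdoor_listeners(netstat_text):
    """Listening TCP ports in the worm's range, from Windows `netstat -an` text."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                ports.add(port)
    return sorted(ports)

def triage(netstat_text, run_values, files, sysdir):
    """run_values: {name: data} read from the HKLM Run key; files: {path: size}."""
    sysdir = ntpath.normcase(sysdir).rstrip("\\")
    found = [f"listener tcp/{p}" for p in backdoor_listeners(netstat_text)]
    for name, data in run_values.items():
        target = ntpath.normcase(data.strip('"'))
        if name.lower() == "taskmon" and target == ntpath.join(sysdir, "taskmon.exe"):
            found.append("run-key TaskMon")
    for path, size in files.items():
        p = ntpath.normcase(path)
        name = ntpath.basename(p)
        if ntpath.dirname(p) == sysdir and name in SYSDIR_FILES:
            found.append(f"file {name} ({size} bytes)")
        elif name == KAZAA_COPY:
            found.append(f"file {name} (Kazaa share)")
    return found

# Constructed sample data for one host (not captured from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3130          192.0.2.7:25           ESTABLISHED
  UDP    0.0.0.0:3128           *:*
"""
SAMPLE_RUN = {"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe", "Updater": r"C:\Tools\upd.exe"}
SAMPLE_FILES = {r"C:\WINDOWS\SYSTEM\shimgapi.dll": 4096, r"C:\Tools\taskmon.exe": 20480}

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_RUN, SAMPLE_FILES, r"C:\WINDOWS\SYSTEM"):
        print(finding)
```

Only listening TCP sockets are counted, so the outbound connection from local port 3130 and the UDP socket in the sample are ignored, as is the `taskmon.exe` that sits outside the system directory.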


  • More information: http://securityresponse.symantec.com/avcenter...