Here's another alert for everyone, too.
VIRUS ALERT! Win32/Mydoom.A@mm
January 27, 2004 - RAV AntiVirus Team is alerting all computer users
that a dangerous Internet worm, called Win32/Mydoom.A@mm, is
reported to have reached a high infection level in the last 24 hours. This
worm is classified as "Potentially destructive" by RAV Team,
and its spreading has been followed closely over the last 24
hours.
The signature of Win32/Mydoom.A@mm is included in the database of RAV
Engine starting with January 27, 2004. All RAV AntiVirus products
using daily updates after this date are able to detect and clean the
worm.
A short description of the worm is available below.
1. Description
2. How to recognize the worm
3. How to disinfect your computer
4. Evilness
5. More info
1. Description
Win32/Mydoom.A@mm is a fast-spreading mass-mailing Internet worm
with a complex structure; it is also able to spread over the Kazaa file
sharing network. It is packed with UPX and its size is about 22.5 KB
packed and about 33 KB unpacked.
To spread over the Kazaa file sharing network, the worm tries to copy
itself into the Kazaa shared folder using one of the names
"winamp5", "icq2004-final",
"strip-girl-2.0bdcom_patches", "rootkitXP",
"office_crack", "nuke2004" and one of the
extensions ".pif", ".scr", ".exe",
".bat".
To look less suspicious, when executed it drops a file named
"message" with random content and spawns a
"notepad.exe" process to open that file.
The worm creates a mutex object called "SwebSipcSmtxS0"
to avoid running more than one copy of itself at the same time. In
the "%system%" folder it drops and then loads a
library named "shimgapi.dll". Win32/Mydoom.A@mm also
copies itself as "taskmon.exe" into the "%system%"
folder. The "shimgapi.dll" library then registers itself,
using a specific registry key, to be loaded by "explorer.exe"
at each computer restart. To be started each time Windows starts, a
new entry called "TaskMon" is created in the
"Software\Microsoft\Windows\CurrentVersion\Run" registry
key, with the path of "taskmon.exe" as its value.
Depending on the current time, Win32/Mydoom.A@mm will try to
initiate a DoS attack against
www.sco.com by sending HTTP GET requests at regular time
intervals from up to 63 simultaneous threads. Also,
depending on the current system time, the worm will stop spreading
altogether.
Win32/Mydoom.A@mm listens for connections on a large range of
ports, working this way as a proxy server.
For a complete description of the worm, please read
http://www.ravantivirus.com/virus/showvirus.php?v=205
2. How to recognize the worm
The worm can arrive as a mail attachment with a double extension. The
first extension can be ".txt" followed by a large number of
spaces, and the second extension can be ".pif",
".exe", ".cmd", ".scr" or
".bat". The file name is chosen at random from one of
the following:
- "document",
- "readme",
- "doc",
- "text",
- "file",
- "data",
- "test",
- "message",
- "body".
The attachment can also be present as a zip archive.
Both the "from" and "to" fields will be spoofed
and randomly set to one of the combinations from the worm hard-coded
list.
The "Subject" field will be set to one of the possible
values:
- "test",
- "hi",
- "hello",
- "Mail Delivery System",
- "Mail Transaction Failed",
- "Server Report",
- "Status",
- "Error".
The message body can contain one of the following:
- "test",
- "The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment.",
- "The message contains Unicode characters and has been sent as
a binary attachment.",
- "Mail transaction failed. Partial message is available.".
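The mail characteristics listed above can be checked mechanically. The following is an added example (not RAV code): it parses a raw message with Python's standard email module and reports which Mydoom.A indicators it carries; the subject, body and attachment-name lists are transcribed from this alert, and the sample message is constructed here. A matching subject or body alone is weak evidence (the strings are ordinary bounce text), so the attachment-name check is the decisive one.

```python
import email
import re

ATTACH_NAMES = ("document", "readme", "doc", "text", "file", "data", "test", "message", "body")
EXEC_EXTS = ("pif", "exe", "cmd", "scr", "bat")
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODIES = {
    "test",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
}
# Listed name, optional ".txt" plus padding spaces that push the real extension out of
# view, then an executable extension; or the listed name delivered as a .zip archive.
ATTACH_RE = re.compile(r"^(?:%s)(?:(?:\.txt +)?\.(?:%s)|\.zip)$"
                       % ("|".join(ATTACH_NAMES), "|".join(EXEC_EXTS)), re.I)

def mydoom_indicators(raw_message):
    """Return the Mydoom.A mail indicators present in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment:" + name.rsplit(".", 1)[1].lower())
        elif not name and part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("ascii", "replace")
            if " ".join(text.split()).lower() in BODIES:
                hits.append("body")
    return hits

def sample_message(filename):
    # Constructed sample in the worm's mail format, carrying one attachment named `filename`.
    return """\
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="%s"

MZ
--b1--
""" % filename
```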
3. How to disinfect your computer
a. click Start>Run and type "regedit";
b. browse to
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] OR
to [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
and delete the following registry key:
"d3update.exe" = "%system%\bbeagle.exe"
c. update your RAV AntiVirus software;
d. scan and delete all files reported by your RAV AntiVirus product
as infected with Win32/Mydoom.A@mm.
e. restart your computer.
Note 1: Incorrect changes to the registry could result in permanent
data loss or corrupted files. We strongly recommend that you back up
your system registry before making any change.
Note 2: If you are using Windows Millennium Edition (ME) or Windows
XP, you should disable the System Restore feature before scanning the
system with RAV AntiVirus and re-enable it afterwards. Please contact
your system administrator for information on how to disable this
feature.
4. Evilness
Potentially destructive (corrupts data while replicating).
5. More info
The latest details about Win32/Mydoom.A@mm and a complete description
can be found on our website:
http://www.ravantivirus.com/virus/showvirus.php?v=205