CRIME New virus alert: Mydoom!!!

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Mon Jan 26 2004 - 14:24:49 PST


    Serious stuff going on right now!!!
    
    http://vil.nai.com/vil/content/v_100983.htm
    
    This is a mass-mailing worm that arrives in an email message as follows:
    
    From: (spoofed)
    Subject: (Random)
    Body:  (Varies, such as) 
    
    The message cannot be represented in 7-bit ASCII encoding and has been sent
    as a binary attachment. 
    Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP
    archive) (22,528 bytes)
    
    The icon used by the file tries to make it appear as if the attachment is a
    text file.
    
    When this file is run it copies itself to the local system with the
    following filenames:
    
     c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr 
     c:\WINDOWS\Desktop\Document.scr 
     c:\WINDOWS\SYSTEM\taskmon.exe 
    
    It also uses a DLL that it creates in the Windows System directory:
    
     c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes) 
    
    It creates the following registry entry to hook Windows startup:
    
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
    
    The worm opens a connection on TCP port 3127, suggesting remote access
    capabilities.
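
The host indicators listed in the alert above (dropped files, the "TaskMon" Run value, TCP port 3127) can be checked against saved triage output. The following is an added example, not part of the original message or of any vendor tool. The function names are hypothetical, the inputs are assumed to be saved text from `dir /s /b`, `reg query` on the Run key, and `netstat -an`, and `sysdir` defaults to the directory shown in the alert (pass it in lower case if the host's system directory differs).

```python
import re

PORT = 3127  # TCP port named in the alert

def indicators(sysdir=r"c:\windows\system"):
    """File paths from the alert, lower-cased; sysdir stands in for %SysDir%."""
    return {
        r"c:\program files\kazaa\my shared folder\activation_crack.scr",
        r"c:\windows\desktop\document.scr",
        sysdir + r"\taskmon.exe",
        sysdir + r"\shimgapi.dll",
    }

def norm(path):
    """Windows paths are case-insensitive; tolerate quotes and forward slashes."""
    return path.strip().strip('"').replace("/", "\\").lower()

def check_files(listing, sysdir=r"c:\windows\system"):
    """listing: one full path per line, e.g. saved output of `dir /s /b`."""
    wanted = indicators(sysdir)
    return sorted(p for p in map(norm, listing.splitlines()) if p in wanted)

def check_run_key(reg_output, sysdir=r"c:\windows\system"):
    """reg_output: saved `reg query` text for HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for line in reg_output.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m and m.group(1).lower() == "taskmon":
            # Flag only when the value points at taskmon.exe in the system directory.
            if norm(m.group(2)).replace("%sysdir%", sysdir) == sysdir + r"\taskmon.exe":
                hits.append(m.group(2).strip())
    return hits

def check_port(netstat_output, port=PORT):
    """netstat_output: saved `netstat -an` text; returns (local address, state) pairs."""
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[1].rsplit(":", 1)[-1] == str(port):
            hits.append((f[1], f[3]))
    return hits

if __name__ == "__main__":
    # Constructed sample input, not captured from a real host.
    print(check_files("C:\\WINDOWS\\SYSTEM\\shimgapi.dll\nC:\\WINDOWS\\notepad.exe\n"))
    print(check_run_key("    TaskMon    REG_SZ    C:\\WINDOWS\\SYSTEM\\taskmon.exe\n"))
    print(check_port("  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING\n"))
```

A match on any one check is a lead for further examination of the host, since the alert itself notes that the attachment name and message contents vary.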
    



    This archive was generated by hypermail 2b30 : Mon Jan 26 2004 - 15:24:31 PST