CRIME FW: New virus alert: Mydoom!!!

From: George Heuston (GeorgeH@private)
Date: Mon Jan 26 2004 - 15:00:38 PST


    -----Original Message-----
    From: Kuo, Jimmy [mailto:Jimmy_Kuo@private] 
    Sent: Monday, January 26, 2004 2:59 PM
    To: George Heuston
    Subject: FW: New virus alert: Mydoom!!!
    
    -----Original Message-----
    From: Kuo, Jimmy
    To: 'Crime List'
    Sent: 1/26/04 2:48 PM
    Subject: RE: New virus alert: Mydoom!!!
    
    Trend: Mimail.R
    Symantec: Novarg.A
    CA: Shimg
    F-Prot: Novarg
    
    -----Original Message-----
    From: Kuo, Jimmy
    To: 'Crime List'
    Sent: 1/26/04 2:24 PM
    Subject: New virus alert: Mydoom!!!
    
    Serious stuff going on right now!!!
    
    http://vil.nai.com/vil/content/v_100983.htm
    
    This is a mass-mailing worm that arrives in an email message as follows:
    
    From: (spoofed)
    Subject: (Random)
    Body: (varies, such as)
    
    The message cannot be represented in 7-bit ASCII encoding and has been
    sent as a binary attachment. 
    Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP
    archive) (22,528 bytes)
    
    The icon used by the file tries to make it appear as if the attachment
    is a text file.
    
    When this file is run it copies itself to the local system with the
    following filenames:
    
     c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
     c:\WINDOWS\Desktop\Document.scr
     c:\WINDOWS\SYSTEM\taskmon.exe
    
    It also uses a DLL that it creates in the Windows System directory:
    
     c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)
    
    It creates the following registry entry to hook Windows startup:
    
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
    
    The worm opens a connection on TCP port 3127 suggesting remote access
    capabilities.
    
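The indicators in the message above (the dropped files, the TaskMon Run value and the TCP 3127 listener) can be checked on a single Windows host with a read-only script. The following is an added example, not code from the advisory or its author; it takes the paths from the message with %SysDir% resolved for the local host, and its listening-port check via Get-NetTCPConnection assumes a modern host (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the advisory or its author: a read-only check of one
# Windows host for the Mydoom indicators the message lists. Paths are taken from
# the advisory with %SysDir% resolved for this host; the listening-port check via
# Get-NetTCPConnection is an assumption about a modern host (Windows 8+/2012+).

$sysDir   = [Environment]::SystemDirectory   # the advisory's %SysDir%
$sysDrive = $env:SystemDrive

# File artifacts named in the advisory.
$fileIoCs = @(
    "$sysDrive\Program Files\KaZaA\My Shared Folder\activation_crack.scr",
    "$sysDrive\WINDOWS\Desktop\Document.scr",
    (Join-Path $sysDir 'taskmon.exe'),
    (Join-Path $sysDir 'shimgapi.dll')
)

$findings = @()

foreach ($path in $fileIoCs) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($size bytes)"
    }
}

# Startup hook: the Run value "TaskMon" from the advisory's registry entry.
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$taskMon = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).TaskMon
if ($taskMon) {
    $findings += "Run value TaskMon = $taskMon"
}

# Network indicator: a listener on TCP 3127, reported with its owning process.
$listener = Get-NetTCPConnection -State Listen -LocalPort 3127 -ErrorAction SilentlyContinue
if ($listener) {
    $ownerPid = ($listener | Select-Object -First 1).OwningProcess
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $findings += "TCP 3127 listening, owning process $ownerPid ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Mydoom indicators from the advisory found on this host.'
} else {
    Write-Output 'Possible Mydoom indicators (review before acting):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell so the registry and connection queries succeed. A clean result only means these specific artifacts are absent: the advisory's c:\WINDOWS\SYSTEM path maps to System32 on current hosts, and later variants may use other names, so treat this as a first triage step rather than a verdict.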
    This archive was generated by hypermail 2b30 : Mon Jan 26 2004 - 16:03:26 PST