-----Original Message-----
From: Kuo, Jimmy [mailto:Jimmy_Kuo@private]
Sent: Monday, January 26, 2004 2:59 PM
To: George Heuston
Subject: FW: New virus alert: Mydoom!!!

-----Original Message-----
From: Kuo, Jimmy
To: '''Crime List' ' '
Sent: 1/26/04 2:48 PM
Subject: RE: New virus alert: Mydoom!!!

Trend: Mimail.R
Symantec: Novarg.A
CA: Shimg
F-Prot: Novarg

-----Original Message-----
From: Kuo, Jimmy
To: ''Crime List' '
Sent: 1/26/04 2:24 PM
Subject: New virus alert: Mydoom!!!

Serious stuff going on right now!!!

http://vil.nai.com/vil/content/v_100983.htm

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body: (Varies, such as) The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file.

When this file is run it copies itself to the local system with the following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
c:\WINDOWS\Desktop\Document.scr
c:\WINDOWS\SYSTEM\taskmon.exe

It also uses a DLL that it creates in the Windows System directory:

c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.
This archive was generated by hypermail 2b30 : Mon Jan 26 2004 - 16:03:26 PST
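An added example, not part of the original messages or the vendor write-up: a Python check that compares one host's triage snapshot against the file, autorun and port indicators listed in the alert. The snapshot layout, the function names and both sample hosts are assumptions constructed for illustration, and %SysDir% is taken to be c:\windows\system as in the alert's own paths.

```python
import ntpath

# Indicators from the alert above. The alert wraps the Run key with "\_";
# it is joined here. Sizes are in bytes, None where the alert gives none.
SYSDIR = r"c:\windows\system"   # %SysDir% as it appears in the alert's paths
DROPPED = {
    r"c:\program files\kazaa\my shared folder\activation_crack.scr": None,
    r"c:\windows\desktop\document.scr": None,
    SYSDIR + r"\taskmon.exe": None,
    SYSDIR + r"\shimgapi.dll": 4096,
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("taskmon", SYSDIR + r"\taskmon.exe")
PORT = 3127

def norm(path, sysdir=SYSDIR):
    """Expand %SysDir%, then fold case and separators as Windows path comparison does."""
    path = path.strip().strip('"').lower().replace("%sysdir%", sysdir.lower())
    return ntpath.normcase(ntpath.normpath(path))

def triage(snapshot):
    """Return a sorted list of (indicator_type, detail) hits for one host snapshot."""
    hits = []
    for path, size in snapshot.get("files", {}).items():
        p = norm(path)
        if p in DROPPED:
            want = DROPPED[p]
            detail = p if want is None else f"{p} (size {'matches' if size == want else 'differs'})"
            hits.append(("file", detail))
    for name, data in snapshot.get("run_values", {}).items():
        if (name.lower(), norm(data)) == RUN_VALUE:
            hits.append(("autorun", f"{RUN_KEY}\\{name}"))
    if PORT in snapshot.get("listening_tcp", []):
        hits.append(("port", f"tcp/{PORT}"))
    return sorted(hits)

# Constructed snapshots (not real hosts): one showing the alert's artefacts, one clean.
INFECTED = {
    "files": {r"C:\WINDOWS\SYSTEM\TASKMON.EXE": 22528, "C:/Windows/System/shimgapi.dll": 4096},
    "run_values": {"TaskMon": r"%SysDir%\taskmon.exe"},
    "listening_tcp": [139, 3127],
}
CLEAN = {
    "files": {r"C:\WINDOWS\TASKMON.EXE": 28672},   # same name, different directory
    "run_values": {"TaskMon": r"C:\WINDOWS\taskmon.exe"},
    "listening_tcp": [139],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(snap))
```

The clean sample carries a taskmon.exe outside the system directory to show that the full path, not the file name alone, is what the check keys on.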