It just went to a Cat 4 over here.

Symantec W32.Novarg.A@mm
http://www.symantec.com/avcenter/venc/data/w32.novarg.a@private

McAfee W32/Mydoom@MM
http://vil.nai.com/vil/content/v_100983.htm

F-Secure Novarg
http://www.europe.f-secure.com/v-descs/novarg.shtml

Computer Associates Win32/Shimg
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

"Kuo, Jimmy" <Jimmy_Kuo@private>
Sent by: owner-crime@private
01/26/2004 02:24 PM

To "''Crime List' '" <crime@private>
cc
Subject CRIME New virus alert: Mydoom!!!

Serious stuff going on right now!!!

http://vil.nai.com/vil/content/v_100983.htm

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body: (Varies, such as) The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file

When this file is run it copies itself to the local system with the following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
c:\WINDOWS\Desktop\Document.scr
c:\WINDOWS\SYSTEM\taskmon.exe

It also uses a DLL that it creates in the Windows System directory:

c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.
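
Added example (not part of the original posts, and not vendor code): a mail-gateway style check for the attachment traits the alert lists, namely the four extensions, delivery inside a ZIP archive, and the 22,528-byte size. The function names, the sample message and its addresses are constructed for illustration; the sample payload is zero bytes, not a real sample.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Values taken from the alert text above.
SUSPECT_EXTS = (".exe", ".pif", ".cmd", ".scr")
WORM_SIZE = 22528  # bytes, as reported in the alert

def _hit(name, size, container=None):
    """Return a one-item finding list if the name has a listed extension."""
    if not name.lower().endswith(SUSPECT_EXTS):
        return []
    return [{"name": name, "size": size, "in_zip": container,
             "size_match": size == WORM_SIZE}]

def scan_message(raw: bytes):
    """Flag attachments (direct or inside a ZIP) that match the alert."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings += _hit(name, len(data))
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        # Sizes come from ZIP metadata; nothing is extracted.
                        findings += _hit(info.filename, info.file_size, name)
            except zipfile.BadZipFile:
                # Corrupt archive: report it rather than silently pass it.
                findings.append({"name": name, "size": len(data),
                                 "in_zip": None, "size_match": False})
    return findings

def build_sample() -> bytes:
    """Constructed message: a ZIP holding a harmless 22,528-byte .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.scr", b"\x00" * WORM_SIZE)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "test"
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    msg.add_attachment(b"hello", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()
```

The size match is only a hint for triage; the extension inside the archive is the stronger signal, since the alert says the attachment name and message body vary.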
This archive was generated by hypermail 2b30 : Mon Jan 26 2004 - 16:28:27 PST