This is a non-alert. That is, while we're hearing lots of press on it, we have no confirmation that it's actually spreading.

So, if you actually see the .B variant, I would love to know (and send me a sample for confirmation, please).

Thanks. Jimmy

-----Original Message-----
From: Kuo, Jimmy
To: 'Crime List'
Sent: 1/26/04 2:24 PM
Subject: CRIME New virus alert: Mydoom!!!

Serious stuff going on right now!!!

http://vil.nai.com/vil/content/v_100983.htm

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body: (Varies, such as) The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file.

When this file is run it copies itself to the local system with the following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
c:\WINDOWS\Desktop\Document.scr
c:\WINDOWS\SYSTEM\taskmon.exe

It also uses a DLL that it creates in the Windows System directory:

c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.
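
A triage check built from the indicators in the quoted alert, added here as an example and not part of either message or of the linked write-up: it matches a collected host inventory against the listed file paths, the "TaskMon" Run value and TCP port 3127. The inventory format (sysdir, files, run_values, tcp_listen), the function names and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators as listed in the quoted alert. %SysDir% is the alert's own
# placeholder for the Windows System directory (c:\WINDOWS\SYSTEM there).
FILES = {  # path -> size in bytes where the alert gives one, else None
    r"c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr": None,
    r"c:\WINDOWS\Desktop\Document.scr": None,
    r"%SysDir%\taskmon.exe": None,
    r"%SysDir%\shimgapi.dll": 4096,
}
RUN_VALUE = ("TaskMon", r"%SysDir%\taskmon.exe")
TCP_PORT = 3127

def norm(path, sysdir):
    """Expand %SysDir%, drop quotes, fold case and separators."""
    p = path.strip().strip('"')
    if p.lower().startswith("%sysdir%"):
        p = sysdir + p[len("%sysdir%"):]
    return ntpath.normcase(ntpath.normpath(p))

def check_host(host):
    """Return (kind, detail) hits for one collected host inventory."""
    sysdir, hits = host["sysdir"], []
    wanted = {norm(p, sysdir): size for p, size in FILES.items()}
    for path, size in host["files"]:
        key = norm(path, sysdir)
        if key in wanted:  # full-path match, never basename alone
            same = wanted[key] in (None, size)
            hits.append(("file" if same else "file-size-differs", key))
    name, data = RUN_VALUE
    for vname, vdata in host["run_values"].items():
        if vname.lower() == name.lower() and norm(vdata, sysdir) == norm(data, sysdir):
            hits.append(("run-key", vname))
    if TCP_PORT in host["tcp_listen"]:
        hits.append(("tcp-listen", TCP_PORT))
    return hits

# Constructed sample inventory (hypothetical format, not real host data).
SAMPLE = {
    "sysdir": r"C:\WINDOWS\SYSTEM",
    "files": [
        (r"C:\Windows\System\TASKMON.EXE", 22528),
        (r"C:\WINDOWS\taskmon.exe", 28672),  # same name, other directory
        (r"c:/windows/system/shimgapi.dll", 4096),
    ],
    "run_values": {"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe"},
    "tcp_listen": [139, 3127],
}
```

A "file-size-differs" hit means the path matches but the size does not equal the byte count given in the alert, so it is a weaker signal than a plain "file" hit.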
This archive was generated by hypermail 2b30 : Wed Jan 28 2004 - 13:04:28 PST