
27-January-2004, 09:33
Safe Sane Consensual
Join Date: Apr 2001
Location: West Sussex, UK
Posts: 14,236
Mydoom worm
This one seemed to deserve a special email from Etrust EZVirus
Virus Alert Notification
Win32.Mydoom.A Worm
Alias: W32.Novarg.A@mm (Symantec),
W32/Mydoom@MM (McAfee),
Win32/Shimg
Category: Win32
Type: Worm
Published Date: 1/26/2004
Last Modified: 1/26/2004
CHARACTERISTICS
Win32.Mydoom.A is a worm spreading via e-mail and the Kazaa P2P file sharing network. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may be included in a ZIP archive.
Method of Distribution
Via E-mail
The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension.
The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:
Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test
Mail Transaction Failed
Server Request
Error
The Message Body may be selected from a list carried by the worm, empty, or consist of randomly-generated, illegible garbage. An example of a Message Body used by the worm:
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:
Data
Readme
Message
Body
Text
file
doc
document
Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.
Via P2P File Sharing
The worm spreads through the KaZaA P2P file sharing network. It copies itself to the transfer folder using the following names:
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp5
Possible extensions are:
bat
exe
pif
scr
Method of Installation
When executed, the worm copies itself to the %System% directory as taskmon.exe and modifies the registry in order to run at the next system re-start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon = "%System%\taskmon.exe"
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
The worm also creates a file called SHIMGAPI.DLL in the %System% directory. The dropped DLL registers itself in the registry:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\[Default] = "%System%\shimgapi.dll"
Payload
Backdoor Functionality
Win32.Mydoom opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199).
Analysis by Jakub Kaminski
Note: This is a preliminary analysis - further detail will be published as it comes to hand.
MINIMUM ENGINE/SIGNATURE INFORMATION
Product Version 6.1 - Signature file Version 5180
For more information about Win32.Mydoom.A worm please click here.
--------------------------------------------------------------------------------
It is important that you keep your antivirus software up to date at all times! This message is to inform you that the latest update has been uploaded to my-eTrust.com site for you to download.
For instructions on how to autodownload or download signature files manually click here
Unsure of your product version number?
To find your product version number, right click on the EZ Antivirus taskbar icon and select "Version". Your product version number will be presented in a pop-up box on your screen.
My version is not listed here, how do I upgrade to Version 6.1?
Click Here to upgrade for FREE during your subscription!
Are these signature file updates cumulative?
Yes, please remember that these signature file updates are cumulative: therefore the latest update includes everything from all previous updates as well as the new virus information.
--------------------------------------------------------------------------------
Did You Know?
eTrust EZ Antivirus version 6.1 is automatically scheduled to download signature files every 24 hours silently (in the background) without any user intervention. If you are automatically connected to the Internet, there's no need to worry about updating your software daily when you receive these reminders. If you would like to change your notification settings to only be notified of High Alert Viruses, please click here
--------------------------------------------------------------------------------
Information on Viruses, Worms, and Trojans can be found in our Virus Information Center
Feedback? Comments? Suggestions? To fill out our online contact forms click here.
Note: This address should be used only for feedback on this newsletter. If you encounter any problems or you require assistance, please visit the support area of our website here.
Unsubscribe
You have received this email because you chose to receive virus signature update notifications as a registered user of my-eTrust software. If you would like to change your personal options, please click here.
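The host and mail characteristics from the quoted advisory (Run value, SHIMGAPI CLSID, backdoor port range, subject/body/attachment lists) turned into a small detection check. This is an added example, not code from the forum post or from eTrust; the registry snapshot, port list and message values it is run on are constructed for the example.

```python
import os

# Indicators as listed in the eTrust advisory quoted above; the sample
# snapshot and message below are constructed for this example, not captured.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SHIMGAPI_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
BACKDOOR_PORTS = range(3127, 3200)   # 3127, or the next free port up to 3199
# Case-insensitive match covers the hi/Hi and hello/HELLO variants listed.
SUBJECTS = {"server report", "mail delivery system", "hi", "status", "hello",
            "test", "mail transaction failed", "server request", "error"}
ATTACH_NAMES = {"data", "readme", "message", "body", "text", "file", "doc", "document"}
ATTACH_EXTS = {".bat", ".cmd", ".pif", ".exe", ".scr", ".zip"}
BODY_PHRASES = ("has been sent as a binary attachment",)

def check_host(run_values, clsid_servers, listening_ports):
    """Return the Mydoom.A host indicators present in a snapshot.
    run_values:      {value name: data} under RUN_KEY
    clsid_servers:   {CLSID: InProcServer32 default value}
    listening_ports: TCP ports currently in LISTENING state
    """
    hits = []
    for name, data in run_values.items():
        if name.lower() == "taskmon" and data.lower().endswith("taskmon.exe"):
            hits.append(f"Run value {name} -> {data}")
    server = clsid_servers.get(SHIMGAPI_CLSID, "")
    if server.lower().endswith("shimgapi.dll"):
        hits.append(f"CLSID {SHIMGAPI_CLSID} -> {server}")
    ports = sorted(p for p in listening_ports if p in BACKDOOR_PORTS)
    if ports:
        hits.append(f"backdoor listener on TCP {ports[0]}")
    return hits

def check_mail(subject, body, attachment):
    """Score an inbound message against the advisory's mail traits (0-3).
    Two or more is a strong match; a subject such as 'hi' alone is common
    in legitimate mail, and randomly generated subjects cannot be listed."""
    stem, ext = os.path.splitext(attachment.lower())
    score = 0
    score += subject.strip().lower() in SUBJECTS
    score += any(p in body.lower() for p in BODY_PHRASES)
    score += stem in ATTACH_NAMES and ext in ATTACH_EXTS
    return score

if __name__ == "__main__":
    # Constructed snapshot of an infected Windows 2000 host (example data).
    print(check_host({"TaskMon": r"C:\WINNT\System32\taskmon.exe"},
                     {SHIMGAPI_CLSID: r"C:\WINNT\System32\shimgapi.dll"},
                     [135, 445, 3127]))
    print(check_mail("Mail Delivery System",
                     "The message cannot be represented in 7-bit ASCII encoding "
                     "and has been sent as a binary attachment.", "document.pif"))
```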