Post #11 by computerworks, 01-26-2004, 08:46 PM
(Sorry for the long-winded, techie stuff here, but this worm may get epidemic in the next few days).

As of this evening, both McAfee and Trend Micro Antivirus software will detect and fix this worm, as well as Norton. McAfee recognizes it as W32/Mydoom@MM and Trend sees it as WORM_MIMAIL.R.

If you did open the attachment, it did the following:

It creates the following files:

"shimgapi.dll" in %System%
"Message" in %temp%. This file is full of random letters and is displayed via Notepad.
"taskmon.exe" in %System%. If a copy of taskmon.exe already exists in %System%, it is overwritten and replaced by this copy of the worm.


Shimgapi.dll acts as a proxy server. It opens TCP ports in the range of 3127 to 3198 for listening.


Adds the value
TaskMon = %System%\taskmon.exe
to the registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Can perform a Denial of Service against www.sco.com. Creates 64 threads which send GET requests. The DoS is active between February 1, 2004 and February 12, 2004.


Creates the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version


Searches for email addresses in files with the following extensions. It ignores addresses which end in ".edu".

.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt


Attempts to send emails by using its own SMTP engine. It performs a lookup of the mail server of the recipient in order to send. If it is unsuccessful it will use the local mail server.


The email will have the following characteristics:

From: may be a spoofed from address
Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment:
document
readme
doc
text
file
data
test
message
body

with one of the following suffixes:
pif
scr
exe
cmd
bat
zip


Copies itself to KaZaA download directory as one of the following files:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a file extension of pif or scr or bat

To get rid of it

Update your virus definitions, disconnect from the internet, scan, and delete any file that is found to be infected.

Then, CAREFULLY edit the Registry to remove the starter files:
(If you have never edited the Registry and are unsure of what you are doing, ask for help from someone who can do it.)

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"Taskmon"="%System%\taskmon.exe"


Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

and delete it.


Navigate to the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

and delete it.

Exit the Registry Editor.
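As a defender-side illustration of the mail characteristics listed in the post above, here is an added Python example (not from the post or its author) that parses a constructed bounce-lookalike message with the standard library and flags the subject, body text and attachment-name patterns the post describes. The sample message, the helper names and the two-traits triage threshold are assumptions made for the example.

```python
import re
from email import message_from_string

# Mail traits quoted from the post. From: is not used: the post says it is spoofed.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
ATTACHMENT_RE = re.compile(
    r"^(document|readme|doc|text|file|data|test|message|body)"
    r"\.(pif|scr|exe|cmd|bat|zip)$", re.IGNORECASE)


def mydoom_indicators(raw: str) -> list:
    """Return the worm-like traits found in a raw RFC 822 message (subject first, then parts)."""
    msg = message_from_string(raw)
    hits = []
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():  # walk() yields the root, then every MIME part in order
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename.strip()):
            hits.append("attachment:" + filename.strip())
        elif part.get_content_type() == "text/plain":
            # Normalise whitespace and case before comparing with the quoted bodies
            if " ".join(part.get_payload(decode=True).decode("latin-1").split()).lower() in BODIES:
                hits.append("body:bounce-lookalike")
    return hits


def looks_like_mydoom(raw: str) -> bool:
    """Hypothetical triage rule: a lone 'hi' subject is normal, two traits together are not."""
    return len(mydoom_indicators(raw)) >= 2


# Constructed sample modelled on the post's description; not a real capture.
SAMPLE = """From: postmaster@example.invalid
Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"

--b1--
"""
```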