Club Cobra

#11   01-26-2004, 08:46 PM
computerworks
Senior Club Cobra Member, Lifetime Contributor
Join Date: Mar 2001
Location: Northport, NY
Cobra Make, Engine: Kirkham, KMP178 / '66 GT350H, 4-speed
Posts: 10,362

(Sorry for the long-winded, techie stuff here, but this worm may get epidemic in the next few days).

As of this evening, both McAfee and Trend Micro Antivirus software will detect and fix this worm, as well as Norton. McAfee recognizes it as W32/Mydoom@MM and Trend sees it as WORM_MIMAIL.R.

If you did open the attachment, it did the following:

It creates the following files:

"shimgapi.dll" in %System%
"Message" in %temp%. This file is full of random letters and is displayed via Notepad.
"taskmon.exe" in %System%. If a copy of taskmon.exe exists in the %System%, it is overwritten and replaced by this copy of the worm.


Shimgapi.dll acts as a proxy server. It opens TCP ports in the range of 3127 to 3198 for listening.


Adds the value
TaskMon = %System%\taskmon.exe
to the registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Can perform a Denial of Service against www.sco.com. Creates 64 threads which send GET requests. The DoS is active between February 1, 2004 and February 12, 2004.


Creates the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version


Searches for email addresses in files with the following extensions. It ignores addresses which end in ".edu".

.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt


Attempts to send emails by using its own SMTP engine. It performs a lookup of the mail server of the recipient in order to send. If it is unsuccessful it will use the local mail server.


The email will have the following characteristics:

From: may be a spoofed from address
Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment:
document
readme
doc
text
file
data
test
message
body

with one of the following suffixes:
pif
scr
exe
cmd
bat
zip


Copies itself to KaZaA download directory as one of the following files:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a file extension of pif or scr or bat

To get rid of it:

Update your virus definitions, disconnect from the internet, scan and delete any file that is found to be infected.

Then, CAREFULLY edit the Registry to remove the starter files:
(If you have never edited the Registry and are unsure of what you are doing, ask for help from someone who can do it.)

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"Taskmon"="%System%\taskmon.exe"


Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

and delete it.


Navigate to the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

and delete it.

Exit the Registry Editor.
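An added example, not part of computerworks's post: a small Python checker that applies the subject, body and attachment indicators listed in the post to raw RFC 822 messages, the way a mail-gateway rule would. The indicator lists are transcribed from the post; the sample messages built by `build_message` are constructed for illustration, and the decision rule (executable-style attachment plus at least one lure indicator) is this example's own assumption, not something the post states.

```python
"""Flag mail matching the Mydoom / WORM_MIMAIL.R lure described in the post.

Added example: the indicator lists are transcribed from the post; the
sample messages and the scoring rule are this example's own assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines, body sentences and attachment names/suffixes from the post.
SUBJECTS = {
    "test", "hi", "hello", "mail delivery system", "mail transaction failed",
    "server report", "status", "error",
}
BODY_LINES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent "
    "as a binary attachment.",
)
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
ATTACH_SUFFIXES = {"pif", "scr", "exe", "cmd", "bat", "zip"}


def classify(raw: str) -> dict:
    """Parse one RFC 822 message and report which indicators it matches.

    Returns {"subject": bool, "body": bool, "attachment": bool, "verdict": bool}.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "body": False, "attachment": False}
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").strip().lower()
            base, _, ext = name.rpartition(".")
            if base in ATTACH_NAMES and ext in ATTACH_SUFFIXES:
                hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so wrapped lines still match the sentences.
            text = " ".join(part.get_content().split()).lower()
            if any(line in text for line in BODY_LINES):
                hits["body"] = True
    # Assumed rule: the executable-style attachment is required, plus at least one
    # lure indicator. A bare "hi" subject on its own is not evidence of anything.
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_message(subject: str, body: str, attachment_name: str = "") -> str:
    """Build a constructed sample message (not real worm traffic) for testing."""
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "victim@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Payload bytes are a placeholder, not a worm sample.
        m.add_attachment(b"MZ placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    samples = {
        "bounce lure": build_message(
            "Mail Transaction Failed",
            "Mail transaction failed. Partial message is available.",
            "document.zip"),
        "legit": build_message("hello", "Are you coming to the track day?"),
    }
    for label, raw in samples.items():
        print(label, classify(raw))
```

The point of requiring the attachment is that half of the subject list ("hi", "hello", "test") is ordinary mail; the attachment name plus suffix is the part of the lure that is hard for a legitimate sender to reproduce by accident.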
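Also an added example, not from the post: an offline triage script in Python for the host-side indicators the post lists. It reads a registry export (regedit File > Export, or `reg export`) and `netstat -an` output captured from the suspect machine, reports the TaskMon autostart value, the ComDlg32\Version marker keys and any listener in the 3127-3198 backdoor range, and prints the `reg delete` equivalents of the post's manual regedit steps. The sample export and netstat text are constructed; the script assumes Python 3 and never touches a live registry.

```python
"""Offline triage for the host-side Mydoom indicators listed in the post.

Added example. Input is text collected from the suspect machine: a registry
export (regedit File > Export, or `reg export`) and `netstat -an` output.
Nothing here touches a live registry; the sample inputs below are constructed.
"""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
)
BACKDOOR_PORTS = range(3127, 3199)  # the post's 3127-3198, inclusive
_VALUE_LINE = re.compile(r'"(?P<name>[^"]+)"="(?P<data>.*)"$')


def scan_reg_export(text: str) -> list:
    """Return the Mydoom autostart value and marker keys present in a .reg export."""
    findings, current = [], None
    run_keys = {k.lower() for k in RUN_KEYS}
    marker_keys = {k.lower() for k in MARKER_KEYS}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # key path; registry paths are case-insensitive
            if current.lower() in marker_keys:
                findings.append(f"marker key present: {current}")
        elif current and current.lower() in run_keys:
            m = _VALUE_LINE.match(line)
            if (m and m.group("name").lower() == "taskmon"
                    and "taskmon.exe" in m.group("data").lower()):
                findings.append(f"autostart value: {current}\\{m.group('name')} = {m.group('data')}")
    return findings


def scan_netstat(text: str) -> list:
    """Return TCP ports in the backdoor range that are in LISTENING state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[-1].upper() == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])  # works for 0.0.0.0:3127 and [::]:3127
            if port in BACKDOOR_PORTS:
                ports.add(port)
    return sorted(ports)


def _short_hive(key: str) -> str:
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")


def removal_commands() -> list:
    """reg.exe equivalents of the post's manual regedit steps (run elevated, after the AV scan)."""
    cmds = [f'reg delete "{_short_hive(k)}" /v TaskMon /f' for k in RUN_KEYS]
    cmds += [f'reg delete "{_short_hive(k)}" /f' for k in MARKER_KEYS]
    return cmds


# Constructed sample inputs, in the formats regedit / reg export and netstat -an produce.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
"""

SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1052       198.51.100.7:25        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print("REG  ", finding)
    print("PORTS", scan_netstat(SAMPLE_NETSTAT))
    if scan_reg_export(SAMPLE_REG):
        print("\n".join(removal_commands()))
```

A listener in 3127-3198 on a machine that has no business running a proxy is the quickest of the three checks and does not depend on the file names; the registry findings are what tell you the autostart entry still needs removing after the scanner has deleted taskmon.exe.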