High-Level-Alert W32.Novarg.A@mm alias W32/Mydoom@MM

Lutz

Moin,
es gibt mal wieder ein High-Level-Alert.
Auf die schnelle habe ich mal folgendes aus mehreren Infos 'zusammengestrickt':

****************************
W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an
attachment with either a .exe, .scr, .cmd, .zip, or .pif extension. It
also performs a denial of service attack on sco.com and allows
unauthorized remote access to the compromised host.

Technical Description
----------------------
W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as a
message attachment using either a .exe, .scr, .cmd, or .pif extension.
These files may be included as an attached .zip archive.

The message may have the following properties:
Subject may include the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report Status Error

Message Body varies. The following is one example:
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.

The attachment may be one of the following filenames with a .exe, .scr,
.zip, or .pif extension:
document
readme
doc
text
file
data
test
message body

The icon used may be that of a text file.

When the attachment is executed, Notepad will open displaying garbage
characters from the file %Temp%\Message dropped by the worm.

Next, it creates the following copy of itself: %System%\taskmon.exe

The worm then creates the following registry entries so that it executes
every time Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
= %System%\taskmon.exe

HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run\TaskMon =
%System%\taskmon.exe

The following registry keys are also created: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Com
Dlg32\Version

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComD
lg32\Version

The worm also copies itself to the user's Kazaa downloads directory
using one of the following filenames:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with one of the following extensions:
pif
scr
bat

Additionally, the worm drops the following file: %System%\shimgapi.dll

This file appears to function as a back door that allows remote access
to a compromised host on TCP port 3127. Evidence suggests that this back
door may also allow the compromised system to be used as a remote proxy.

The worm also appears to be capable of performing a denial of service
attack on the website sco.com.


References
- ----------
Symantec W32.Novarg.A@mm http://www.symantec.com/avcenter/ven...varg.a@mm.html
McAfee W32/Mydoom@MM http://vil.nai.com/vil/content/v_100983.htm
F-Secure Novarg http://www.europe.f-secure.com/v-descs/novarg.shtml
Computer Associates Win32.Mydoom.A http://www3.ca.com/virusinfo/virus.aspx?ID=38102
Trend Micro WORM_MIMAIL.R http://www.trendmicro.com/vinfo/viru...=WORM_MIMAIL.R
Norman W32/MyDoom.A@mm http://www.norman.com/virus_info/w32_mydoom_a_mm.shtml
Sophos W32/MyDoom-A http://www.sophos.com/virusinfo/anal...32mydooma.html
****************************

Die mir bekannten 'größeren' AV-Hersteller haben ihre Signaturen bereits aktualisiert, bzw. werden im Laufe des Tages nachziehen.
Ein Update des Virenscanners ist also dringend angeraten....

tschööö, DerBilk

Nachtrag:
Die ersten Removal-Tools habe ich gerade entdeckt: Bitdefender
und
Stinger von McAfee
Diese Liste erhebt natürlich keinen Anspruch auf Vollständigkeit...

[ 27. Januar 2004, 10:59: Beitrag editiert von: DerBilk ]

__________________
Gruß, Lutz
***
"Nur weil ich paranoid bin, bedeutet das nicht, dass sie nicht hinter mir her sind!" (Matthias Deutschmann)