Shinobi
01-26-04, 11:03 PM
Update your AV Progs - Tks for your Attn - Shinobi :)
-------------------------------------------------------------------------------
W32.Novarg.A@mm 4
Discovered on: January 26, 2004
Last Updated on: January 26, 2004 06:08:08 PM
W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm also contains functionality to perform as a proxy server. It listens on all TCP ports in the range 3127-3198.
The worm will perform a DoS starting on February 1, 2004, and has a trigger date of February 12, 2004, on which it stops spreading.
--------------------------------------------------------------------------------
Note: Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
--------------------------------------------------------------------------------
Also Known As: W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend]
Type: Worm
Infection Length: 22,528 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
Virus Definitions (Intelligent Updater) *
January 26, 2004
Virus Definitions (LiveUpdate™) **
January 26, 2004
Damage
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends to email addresses found in a specified set of files. It ignores email addresses that end in .edu.
Deletes files: n/a
Modifies files: n/a
Degrades performance: Performs DoS against www.sco.com.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Allows unauthorized remote access.
Distribution
Subject of email: Varies
Name of attachment: Varies with an extension of .pif, .scr, .exe, .cmd, .bat, or .zip
Size of attachment: 22,258 bytes
Time stamp of attachment: n/a
Ports: TCP 3127-3198
Shared drives: n/a
Target of infection: n/a
When W32.Novarg.A@mm is executed it does the following:
Creates the following files:
"shimgapi.dll" in %System%
"Message" in %temp%. This file is full of random letters and is displayed via Notepad.
"taskmon.exe" in %System%. If a copy of taskmon.exe already exists in %System%, it is overwritten by this copy of the worm.
Shimgapi.dll acts as a proxy server. It opens TCP ports in the range of 3127 to 3198 for listening.
Adds the value
TaskMon = %System%\taskmon.exe
to the registry keys
HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Can perform a Denial of Service against www.sco.com. Creates 64 threads which send GET requests. The DoS is active between February 1, 2004 and February 12, 2004.
Creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
Searches for email addresses in files with the following extensions. It ignores addresses which end in ".edu".
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt
Attempts to send emails using its own SMTP engine. It looks up the recipient's mail server in order to deliver directly; if that lookup fails, it falls back to the local mail server.
The email will have the following characteristics:
From: may be a spoofed address
Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment:
document
readme
doc
text
file
data
test
message
body
with one of the following suffixes:
pif
scr
exe
cmd
bat
zip
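As an added example (not from the Symantec write-up, and not the worm's own code), a mail-gateway triage check that matches an incoming message against the subject, body text and attachment-name lures listed above; the sample message is constructed for the demonstration.

```python
import email
from email import policy

# Lure indicators listed in the write-up above (compared case-insensitively)
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
SUFFIXES = {"pif", "scr", "exe", "cmd", "bat", "zip"}

# Constructed sample message for demonstration; not a real capture
SAMPLE = """\
From: someone@example.invalid
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="message.pif"
Content-Disposition: attachment; filename="message.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def triage(raw):
    # Returns (hits, suspicious) for one raw RFC 822 message string
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            base, _, ext = name.lower().rpartition(".")
            if base in NAMES and ext in SUFFIXES:
                hits.append("attachment:" + name)
    # The lure is an executable-style attachment plus a matching subject or body;
    # a bare one-word subject such as "hi" on its own is not enough to flag
    suspicious = any(h.startswith("attachment:") for h in hits) and len(hits) >= 2
    return hits, suspicious
```

The same indicator sets can be fed to a gateway content filter; the attachment-name rule is the strongest of the three since the subjects are common words.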
Copies itself to the KaZaA download directory as one of the following files:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with a file extension of
pif
scr
bat