Interface Design Mailing List: Reply: [Interface] Nzkwwxzodccdjon
Author: Julie.Woletz_at_orgaplan.de
Date: Wed 28 Jan 2004 - 11:49:03 CET
Hello,
you distributed this mail via the newsletter today.
Have you heard of this virus? It looks suspiciously like it. Perhaps you could
check it on your side as well.
If it was only a false alarm, a short note that I can open the attachment after
all would be very nice.
Regards
Julie Woletz
julie.woletz_at_orgaplan.de
--------------------------------------Virusinfo------------------------------------------------------
Virus Name: W32/Mydoom_at_MM
Risk Assessment
  Corporate User: High-Outbreak
  Home User: High-Outbreak
Virus Information
  Discovery Date: 01/26/2004
  Origin: Unknown
  Length: 22,528 bytes
  Type: Virus
  SubType: E-mail
  Minimum DAT: 4319 (Release Date: 01/26/2004)
  Minimum Engine: 4.2.40
  Description Added: 01/26/2004
  Description Modified: 01/26/2004 9:48 PM (PT)
Virus Characteristics:
This is a mass-mailing and peer-to-peer file-sharing worm that arrives in
an email message as follows:
From: (spoofed email sender)
Subject: (Varies, such as)
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
Examples (common names, but can be random):
doc.bat
document.zip
message.zip
readme.zip
text.pif
hello.cmd
body.scr
test.htm.pif
data.txt.exe
file.scr
The icon used by the file tries to make it appear as if the attachment is a text file.
When this file is run, it copies itself to the WINDOWS SYSTEM directory as
taskmon.exe
%SysDir%\taskmon.exe
(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The virus uses a DLL that it creates in the Windows System directory:
%SysDir%\shimgapi.dll (4,096 bytes)
This DLL is injected into the EXPLORER.EXE upon reboot via this registry
key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = %SysDir%\shimgapi.dll
Peer To Peer Propagation
The worm copies itself to the KaZaa Shared Directory with the following
filenames:
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp
Remote Access Component
The worm opens a connection on TCP port 3127, suggesting remote access capabilities.
Denial of Service Payload
On the first system startup on February 1st or later, the worm changes its
behavior from mass mailing to initiating a denial of service attack
against the sco.com domain. This denial of service attack will stop on the
first system startup of February 12th or later, and thereafter the worm's
only behavior is to continue listening on TCP port 3127.
Symptoms
Upon executing the virus, Notepad is opened, filled with nonsense
characters.
Existence of the files and registry entry listed above
Method Of Infection
This file tries to spread via email and by copying itself to the shared
directory for Kazaa clients if they are present.
The mailing component harvests addresses from the local system. Files with
the following extensions are targeted:
wab
adb
tbb
dbx
asp
php
sht
htm
txt
Additionally, the worm contains strings, which it uses to randomly
generate, or guess, addresses.
Harvested addresses are sent the virus via SMTP. The worm guesses at the
recipient email server, prepending the target domain name with the
following strings:
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
-----------------------------------------------------------------Virusinfo End----------------------------------------------------------------
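As an added example (not part of the original post or of the quoted virus description): a mail-gateway triage check in Python that flags messages carrying the lure subjects, body texts and attachment traits listed in the description above. The sample messages are constructed with Python's email library; the indicator names and the quarantine rule (a known lure plus a risky attachment) are assumptions made for this example.

```python
# Added example: mail-gateway triage for the Mydoom traits quoted above.
# Indicator names and the quarantine rule are assumptions for this example.
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODIES = ("7-bit ascii encoding", "unicode characters",
          "mail transaction failed. partial message is available")
EXEC_EXT = (".bat", ".exe", ".pif", ".cmd", ".scr")
DOUBLE_EXT = re.compile(r"\.(htm|txt|doc)\.\w{3}$")  # e.g. test.htm.pif, data.txt.exe
WORM_SIZE = 22528  # attachment length quoted in the description

def mydoom_indicators(raw: bytes) -> list:
    """Return the sorted Mydoom-style indicators found in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = {"lure:subject": (msg.get("Subject") or "").strip().lower() in SUBJECTS,
            "lure:body": any(phrase in text for phrase in BODIES)}
    for part in msg.iter_attachments():  # every attachment is inspected
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        for key, hit in {"attach:executable": name.endswith(EXEC_EXT),
                         "attach:zip": name.endswith(".zip"),
                         "attach:double-extension": bool(DOUBLE_EXT.search(name)),
                         "attach:worm-size": len(data) == WORM_SIZE}.items():
            hits[key] = hits.get(key, False) or hit  # keep hits from earlier parts
    return sorted(k for k, hit in hits.items() if hit)

def is_suspicious(raw: bytes) -> bool:
    """Quarantine rule: a known lure (subject or body) plus a risky attachment."""
    found = mydoom_indicators(raw)
    return (any(i.startswith("lure:") for i in found)
            and any(i.startswith("attach:") for i in found))

def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Construct a sample message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "spoofed@example.com", "user@example.com", subject
    m.set_content(body)
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

SAMPLE_WORM = build_sample("Mail Transaction Failed",
    "Mail transaction failed. Partial message is available.", "test.htm.pif", WORM_SIZE)
SAMPLE_CLEAN = build_sample("Meeting notes", "See attached agenda.", "agenda.txt", 120)
```

The size check alone is a weak signal, which is why the rule requires a lure text as well; a message with only a listed subject and a plain .txt attachment is not quarantined.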
____________________________________________________________________________
Archive: http://kisd.de/~marian/interface/