Educause Security Discussion mailing list archives
Re: flurry of email attachments
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 27 Jan 2004 09:27:30 -0500
New virus - Write up from another list

There is a new mass mailing worm reported by Symantec as W32.Novarg.A, Sophos as W32.MyDoom.A, McAfee as MyDoom and TrendMicro as Mimail.R. Below is the gist of the virus from all sources.

This worm sends itself as an email from spoofed email addresses TO spoofed email addresses, so you may either receive the virus or receive bounce backs saying the virus was sent from you (or BOTH). It disguises itself as a technical email with a zip file attached. Most of the new AV companies have updated their scanners.

Files:
Places "shimgapi.dll" in %system%. This is a backdoor trojan according to Sophos which allows inbound connections on port 3127.
Places "Message" in the user's %temp% directory
Places "taskmon.exe" in %system%
Copies itself (with file extensions of either .pif, .scr, or .bat) to the KaZaA download directory as:
  winamp5
  icq2004-final
  activation_crack
  strip-girl-2.0bdcom_patches
  rootkitXP
  office_crack
  nuke2004

Registry:
Adds TaskMon = %system% to
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Creates:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
Injects itself into Explorer.exe with the following registry entry:
  HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

Payload:
Can DoS www.sco.com
Harvests emails on your system and fakes the sender's and recipient's email address.

http://www.sophos.com/virusinfo/analyses/w32mydooma.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
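The indicators in the write-up above (the TaskMon autorun value, the ComDlg32\Version marker keys, the Explorer CLSID InProcServer32 entry pointing at shimgapi.dll, the port 3127 listener, and the KaZaA lure filenames) can be turned into an offline triage check. The following script is an added example, not part of Theresa Rowe's message or of any vendor's tooling. It parses a Windows .reg export and a `netstat -an` listing and reports which of the listed indicators are present. The sample registry export, netstat output and file listing are constructed for the example, %system% is assumed to be C:\WINDOWS\System32, and all function names are this example's own.

```python
"""Offline checker for the W32.Novarg.A / MyDoom.A indicators listed in the post.

Added example (not from the original message). Inputs are text exports so it
runs on any machine without touching the live registry. All sample data below
is constructed; %system% is assumed to be C:\\WINDOWS\\System32.
"""
import re

# Indicator list taken from the write-up; key paths are as stated there.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
)
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
BACKDOOR_PORT = 3127
LURE_NAMES = {"winamp5", "icq2004-final", "activation_crack",
              "strip-girl-2.0bdcom_patches", "rootkitxp", "office_crack", "nuke2004"}
LURE_EXTS = {".pif", ".scr", ".bat"}


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Only string values are needed here; .reg doubles backslashes in string
    data, so they are unescaped. The default value is recorded as "(Default)".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"([^"]*)")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def lure_files(filenames):
    """Return filenames matching the KaZaA lure names with a .pif/.scr/.bat extension."""
    hits = []
    for name in filenames:
        base, dot, ext = name.lower().rpartition(".")
        if dot and base in LURE_NAMES and "." + ext in LURE_EXTS:
            hits.append(name)
    return hits


def find_indicators(reg, netstat_text, share_listing=()):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    for key in RUN_KEYS:
        if "TaskMon" in reg.get(key, {}):
            findings.append(f"TaskMon autorun value in {key}: {reg[key]['TaskMon']}")
    for key in MARKER_KEYS:
        if key in reg:
            findings.append(f"marker key present: {key}")
    default = reg.get(CLSID_KEY, {}).get("(Default)", "")
    if default.lower().endswith("shimgapi.dll"):
        findings.append(f"Explorer CLSID InProcServer32 points at {default}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (shimgapi.dll backdoor port)")
    for name in lure_files(share_listing):
        findings.append(f"lure file in share directory: {name}")
    return findings


# Constructed sample data resembling an affected host.
SAMPLE_REG_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""
SAMPLE_NETSTAT_INFECTED = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        192.0.2.25:25          ESTABLISHED
"""
SAMPLE_SHARE_INFECTED = ["winamp5.scr", "readme.txt", "office_crack.pif"]

# Constructed sample data for a clean host: ordinary autorun, no marker keys, no listener.
SAMPLE_REG_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"""
SAMPLE_NETSTAT_CLEAN = "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"

if __name__ == "__main__":
    for label, reg_text, ns, share in (
        ("infected sample", SAMPLE_REG_INFECTED, SAMPLE_NETSTAT_INFECTED, SAMPLE_SHARE_INFECTED),
        ("clean sample", SAMPLE_REG_CLEAN, SAMPLE_NETSTAT_CLEAN, ["readme.txt"]),
    ):
        hits = find_indicators(parse_reg_export(reg_text), ns, share)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

On a real host the inputs would come from `reg export` of the three hives and `netstat -an`; the check keys off the value name TaskMon and the shimgapi.dll handler rather than exact paths, since the write-up gives the location only as %system%/%SysDir%.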