Educause Security Discussion mailing list archives

Re: flurry of email attachments


From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 27 Jan 2004 09:27:30 -0500

New virus -
Write-up from another list

There is a new mass-mailing worm reported by Symantec as
W32.Novarg.A, Sophos as W32.MyDoom.A, McAfee as MyDoom and
TrendMicro as Mimail.R.  Below is the gist of the virus from
all sources.

This worm sends itself as an email from spoofed email
addresses TO spoofed email addresses, so you may either receive
the virus or receive bounce-backs saying the virus was sent
from you (or BOTH).  It disguises itself as a technical email
with a zip file attached.  Most of the new AV companies have
updated their scanners.

Files:

      Places "shimgapi.dll" in %system%.  This is a backdoor
trojan according to Sophos which allows inbound connections
on port 3127.
      Places "Message" in the user's %temp% directory
      Places "taskmon.exe" in %system%
      Copies itself (with file extensions of either .pif,
.scr, or .bat) to the KaZaA download directory as:
              winamp5
              icq2004-final
              activation_crack
              strip-girl-2.0bdcom_patches
              rootkitXP
              office_crack
              nuke2004



Registry:

      Adds TaskMon    =       %system% to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

                      and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      Creates:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

      Injects itself into Explorer.exe with the following
registry entry:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = %SysDir%\shimgapi.dll


Payload:

      Can DoS www.sco.com
      Harvests emails on your system and fakes the sender
and recipient email addresses.



http://www.sophos.com/virusinfo/analyses/w32mydooma.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R


Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
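The file, registry and port indicators in the post above are enough for a quick sweep of a Windows host. The script below is an added example written for this page; it is not code from the original message or from any of the AV vendors cited. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (so HKLM and the listener table are readable), and, because the KaZaA download folder location is per-install, that folder is passed in as a parameter rather than guessed.

```powershell
# Sweep one Windows host for the W32.Novarg.A / MyDoom.A artifacts listed in the post.
# Example written for this page (not from the original message or any AV vendor).
# Assumes Windows PowerShell 5.1+ in an elevated session.

function Test-NovargArtifacts {
    [CmdletBinding()]
    param(
        # KaZaA download folder, if KaZaA is installed; its location varies per
        # install, so it is supplied by the caller (assumption, not from the post).
        [string]$KazaaDir
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $sys   = [Environment]::GetFolderPath('System')    # %system%
    $tmp   = [IO.Path]::GetTempPath()                  # %temp% of the current user
    $clsid = '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}'  # CLSID repointed at shimgapi.dll

    # 1. Dropped files named in the write-up
    foreach ($f in @("$sys\shimgapi.dll", "$sys\taskmon.exe", (Join-Path $tmp 'Message'))) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("file present: $f") }
    }

    # 2. Run-key persistence ('TaskMon' value) and the ComDlg32\Version marker key, both hives
    foreach ($hive in 'HKCU', 'HKLM') {
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $val = Get-ItemProperty -Path $run -Name 'TaskMon' -ErrorAction SilentlyContinue
        if ($val) { $findings.Add("Run value TaskMon under ${hive}: $($val.TaskMon)") }

        $marker = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version"
        if (Test-Path -LiteralPath $marker) { $findings.Add("marker key present: $marker") }
    }

    # 3. COM hijack used to load the DLL into Explorer: InProcServer32 default value
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($server -and $server -match 'shimgapi\.dll') {
        $findings.Add("CLSID $clsid InProcServer32 -> $server")
    }

    # 4. Backdoor listener on TCP 3127 (cmdlet exists on Windows 8 / Server 2012 and later)
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listen = Get-NetTCPConnection -LocalPort 3127 -State Listen -ErrorAction SilentlyContinue
        if ($listen) {
            $pids = ($listen.OwningProcess | Sort-Object -Unique) -join ','
            $findings.Add("TCP 3127 listening, owning PID(s): $pids")
        }
    }

    # 5. Bait copies in the KaZaA download folder, if one was supplied
    if ($KazaaDir -and (Test-Path -LiteralPath $KazaaDir -PathType Container)) {
        $baits = 'winamp5', 'icq2004-final', 'activation_crack', 'strip-girl-2.0bdcom_patches',
                 'rootkitXP', 'office_crack', 'nuke2004'
        foreach ($name in $baits) {
            foreach ($ext in '.pif', '.scr', '.bat') {
                $p = Join-Path $KazaaDir ($name + $ext)
                if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("KaZaA bait copy: $p") }
            }
        }
    }

    # Comma keeps the list intact instead of unrolling it on return
    return ,$findings
}

$hits = Test-NovargArtifacts
if ($hits.Count -eq 0) {
    Write-Output 'No Novarg/MyDoom.A artifacts found.'
} else {
    Write-Output "Possible Novarg/MyDoom.A infection ($($hits.Count) indicator(s)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Any single hit is worth pulling the machine off the network and running an updated scanner, since the post notes the sender address is spoofed and bounce-backs alone do not tell you which host is infected; the Run value and the CLSID InProcServer32 entry are the two checks that survive a reboot and so are the most reliable of the set.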
