Full Disclosure mailing list archives
PSEPC AL04-001 (W32.Novarg.A@mm (W32/Mydoom@MM))
From: "Wanja Eric Naef [IWS]" <w.naef () iwar org uk>
Date: Tue, 27 Jan 2004 01:04:27 -0000
[The OCIPEP Warning about the new worm. WEN]

French version follows

CRITICAL INFRASTRUCTURE PROTECTION AND EMERGENCY PREPAREDNESS

***************** ALERT *****************

Number: AL04-001
Date: 26 January 2004

*****************************
W32.Novarg.A@mm (W32/Mydoom@MM)
*****************************

PURPOSE

The purpose is to bring attention to the W32.Novarg.A@mm worm (also known as W32/Mydoom@MM) which is spreading rapidly.

ASSESSMENT

W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an attachment with one of the following extensions: .exe, .scr, .zip, .cmd, or .pif. This worm spoofs the From: field and contains a random Subject line. The text body varies. Some examples of the text body include:

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The message contains Unicode characters and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

The zip attachment is 22,528 bytes. When this file is run it copies itself to the local system with the following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
c:\WINDOWS\SYSTEM\taskmon.exe

It also uses a DLL that it creates in the Windows System directory:

c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 which suggests remote access capabilities.

SUGGESTED ACTION

Anti-virus solutions should be updated to the latest signature files. E-mail attachment blocking should be used whenever possible.

For more details please see the following links:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a () mm html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R&VSect=T

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. To report threats or incidents, please contact the PSEPC operations coordination centre at (613) 991-7000 or opscen () ocipep-bpiepc gc ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

For general information on critical infrastructure protection and emergency preparedness, please contact our Public Affairs division at:

Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications () ocipep-bpiepc gc ca

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
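The alert above lists two kinds of indicators: mail-side ones (attachment extensions, a 22,528-byte zip, three canned bounce-style body texts) and host-side ones (dropped files, the TaskMon Run-key value, a TCP 3127 listener). The following is an added example, not part of the PSEPC alert or of any vendor tool, showing how those indicators translate into a mail triage check and a host snapshot check. The indicator values are copied from the alert; the sample message and host snapshot are constructed for illustration (the "zip" is 22,528 zero bytes, not malware), and the function and constant names are the example's own.

```python
"""Detection helpers for the indicators in PSEPC alert AL04-001 (W32.Novarg.A@mm,
also W32/Mydoom@MM). Added example, not part of the alert or of any vendor tool:
indicator values are copied from the alert text; the sample message and host
snapshot below are constructed for illustration."""
import base64
import email
import os
from email import policy

# Indicators quoted from the alert.
ATTACHMENT_EXTS = {".exe", ".scr", ".zip", ".cmd", ".pif"}
ZIP_SIZE = 22528  # size of the zip attachment, per the alert
BODY_TEXTS = (
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
DROPPED_FILES = {  # compared case-insensitively against full paths
    r"c:\program files\kazaa\my shared folder\activation_crack.scr",
    r"c:\windows\system\taskmon.exe",
    r"c:\windows\system\shimgapi.dll",
}
RUN_VALUE_NAME = "taskmon"  # HKLM\...\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
BACKDOOR_PORT = 3127        # TCP listener the alert reports


def _squash(text: str) -> str:
    """Collapse whitespace so line-wrapped bodies still match the alert's one-line samples."""
    return " ".join(text.split())


def triage_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the mail-side indicators.
    Returns {'suspect': bool, 'findings': [str, ...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, body = [], ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            payload = part.get_payload(decode=True) or b""
            if ext in ATTACHMENT_EXTS:  # the alert's attachment-blocking advice
                findings.append(f"attachment type listed in alert: {filename}")
            if ext == ".zip" and len(payload) == ZIP_SIZE:
                findings.append(f"zip attachment is exactly {ZIP_SIZE} bytes: {filename}")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    squashed = _squash(body)
    for text in BODY_TEXTS:
        if _squash(text) in squashed:
            findings.append(f"body text matches alert sample: {text[:48]}...")
    return {"suspect": bool(findings), "findings": findings}


def check_host(file_paths, run_values, listening_tcp_ports) -> list:
    """Compare a host snapshot against the host-side indicators.
    file_paths: full paths present on disk; run_values: {name: data} under
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; listening_tcp_ports: ints."""
    hits = []
    for path in file_paths:
        if path.lower() in DROPPED_FILES:  # match the full path, not just the basename
            hits.append(f"dropped file present: {path}")
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith(r"\taskmon.exe"):
            hits.append(f"Run-key persistence: {name} = {data}")
    if BACKDOOR_PORT in set(listening_tcp_ports):
        hits.append(f"TCP {BACKDOOR_PORT} listening (alert: suggests remote access)")
    return hits


# --- constructed sample data (not a real capture) ---------------------------
def sample_message() -> bytes:
    """Made-up message shaped like the alert's description: bounce-style body
    and a 22,528-byte zip attachment (zero bytes, not malware)."""
    zip_blob = base64.b64encode(b"\0" * ZIP_SIZE).decode("ascii")
    return (
        "From: postmaster@example.com\r\n"
        "To: victim@example.net\r\n"
        "Subject: Error\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
        "The message cannot be represented in 7-bit ASCII encoding\r\n"
        "and has been sent as a binary attachment.\r\n"
        "--b1\r\n"
        'Content-Type: application/zip; name="document.zip"\r\n'
        'Content-Disposition: attachment; filename="document.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{zip_blob}\r\n"
        "--b1--\r\n"
    ).encode("ascii")


SAMPLE_HOST = {  # constructed snapshot: two dropped files, the Run value, the listener
    "file_paths": [r"C:\WINDOWS\SYSTEM\TaskMon.exe", r"C:\WINDOWS\SYSTEM\shimgapi.dll",
                   r"C:\WINDOWS\notepad.exe"],
    "run_values": {"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe", "SystemTray": "SysTray.Exe"},
    "listening_tcp_ports": [135, 139, 3127],
}

if __name__ == "__main__":
    for f in triage_message(sample_message())["findings"]:
        print("mail:", f)
    for h in check_host(**SAMPLE_HOST):
        print("host:", h)
```

The body-text match collapses whitespace on both sides because the alert quotes each sample as a single line while a real message will usually be wrapped. The host check compares full paths rather than bare filenames, since the alert ties taskmon.exe to the Windows System directory specifically; matching only the basename would widen the check beyond what the alert supports.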
Current thread:
- PSEPC AL04-001 (W32.Novarg.A@mm (W32/Mydoom@MM)) Wanja Eric Naef [IWS] (Jan 26)