Security Basics mailing list archives

FW: New Email Worm threat - a.k.a. Mydoom, Novarg, Shimg


From: "Gary Hewitt" <ghewitt () scan-america com>
Date: Wed, 28 Jan 2004 12:49:57 -0600

Shawn - 

At the risk of sending info you already have - here is a URL with details on
the Mydoom worm and its variants.
http://www.lavasoftsupport.com/index.php?showtopic=18480&st=0
 
I just sent the HTML version of this to my users.  It is from one of the
anti-spyware vendors.  I changed it to text-only for this list but the HTML
form is much easier to read.

Note especially the various Subject lines below and the file-type of
attachments, so you can recognize them.

Gary M Hewitt
Scan America
Brookfield, WI
ghewitt () scan-america com
============================================================================

Win32.MMail.A continues its spread across the internet. Here's some further
information.

Discovered January 26, 2004 at 6:06PM EST
Detected January 26, 2004 at 7:49PM EST
Added to referencefile 252 (01R252 27.01.2004)

Also Known As: W32.Novarg.A@mm, W32.Mydoom@MM, W32.Shimg, WORM_MIMAIL.R

Worm emails itself to data-mined email addresses. The recipient will receive
an email with various Subjects, including:

Hi
Hello
Error
MAIL DELIVERY SYSTEM
Mail Transaction Failed
Returned Mail: Response Error
Server Report
Test

An attachment (the worm) is included using the file extension .exe, .pif,
.zip, and .scr. Filenames include body, document, file, message, test, and
text.

Upon execution, it will drop taskmon.exe and shimgapi.dll in the %system%
folder, and set taskmon.exe to autostart in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey.

If you receive this email, do not open it. Immediately delete the email,
download the latest referencefile (01R252 27.01.2004 at the time of this
writing) and perform a full system scan as shown by the settings here:

Lavasoft Help & Support
How To: Perform a "Full Scan" with Ad-aware
http://www.lavahelp.com/howto/fullscan/
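
Added example (not part of the original post or the vendor advisory): the subject, attachment-name and extension indicators listed above, applied as a mail-triage check in Python. The function names, the verdict labels and the sample messages are constructed for illustration; the advisory's lists are not exhaustive, so a "pass" verdict only means none of these indicators matched.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Indicators exactly as listed in the advisory above. The advisory says
# "including", so these lists are known to be incomplete.
SUBJECTS = {"hi", "hello", "error", "mail delivery system",
            "mail transaction failed", "returned mail: response error",
            "server report", "test"}
EXTENSIONS = {".exe", ".pif", ".zip", ".scr"}
STEMS = {"body", "document", "file", "message", "test", "text"}

def suspicious_attachments(msg):
    """Return attachment filenames whose stem and extension both match."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.strip().lower())
        if stem in STEMS and ext in EXTENSIONS:
            hits.append(name)
    return hits

def classify(raw):
    """Return (verdict, attachments) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() in SUBJECTS
    attachments = suspicious_attachments(msg)
    if attachments and subject_hit:
        return "quarantine", attachments
    if attachments:
        return "review", attachments
    # Subjects such as "Hi" or "Test" are too common to act on alone.
    return "pass", []

def sample(subject, filename=None):
    """Build a constructed test message (not a captured worm sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body text")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(classify(sample("Mail Transaction Failed", "document.zip")))
```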


