PSEPC AL04-001 (W32.Novarg.A@mm (W32/Mydoom@MM))

["Wanja Eric Naef [IWS]" <w.naef () iwar org uk>]

[The OCIPEP Warning about the new worm. WEN]


La version française suivre


CRITICAL INFRASTRUCTURE PROTECTION AND EMERGENCY PREPAREDNESS

*****************
      ALERT
*****************

Number: AL04-001
Date:   26 January 2004

*****************************
W32.Novarg.A@mm (W32/Mydoom@MM)
*****************************

PURPOSE
The purpose is to bring attention to the W32.Novarg.A@mm worm (also known as
W32/Mydoom@MM) which is spreading rapidly.

ASSESSMENT
W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an
attachment with one of the following extensions: .exe, .scr, .zip, .cmd, or
.pif.

This worm spoofs the From: field and contains a  random Subject line.  The
text body that varies.  Some examples of the text body include: 

The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment. 
The message contains Unicode characters and has been sent as a binary
attachment. 
Mail transaction failed. Partial message is available. 

The zip attachment is 22,528 bytes.  

When this file is run it copies itself to the local system with the
following filenames:  c:\Program Files\KaZaA\My Shared
Folder\activation_crack.scr  c:\WINDOWS\SYSTEM\taskmon.exe 

It also uses a DLL that it creates in the Windows System directory:
c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes) 

It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe 

The worm opens a connection on TCP port 3127 which suggests remote access
capabilities.


SUGGESTED ACTION
Anti-virus solutions should be updated to the latest signature files.
E-mail attachment blocking should be used whenever possible.  For more
details please see the following links:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a () mm html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.
R&VSect=T

Note to Readers
Public Safety and Emergency Preparedness Canada (PSEPC) collects information
related to cyber and physical threats to, and incidents involving, Canadian
critical infrastructure. This allows us to monitor and analyse threats and
to issue alerts, advisories and other information products to our partners.
To report threats or incidents, please contact the PSEPC operations
coordination centre at (613) 991-7000 or opscen () ocipep-bpiepc gc ca by
e-mail. Unauthorized use of computer systems and mischief in relation to
data are serious Criminal Code offences in Canada. Any suspected criminal
activity should be reported to local law enforcement organizations. The RCMP
National Operations Centre (NOC) provides a 24/7 service to receive such
reports or to redirect callers to local law enforcement organizations. The
NOC can be reached at (613) 993-4460. National security concerns should be
reported to the Canadian Security Intelligence Service (CSIS) at (613)
993-9620. For general information on critical infrastructure protection and
emergency preparedness, please contact our Public Affairs division at:
Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications () ocipep-bpiepc gc ca


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html