yet another virus

thick

New Member
this one copies itself to Kazaa folder

W32.Novarg.A@mm
Discovered on: January 26, 2004
Last Updated on: January 27, 2004 02:04:26 PM

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 thru 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.
The worm will perform a DoS starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004.

--------------------------------------------------------------------------------
Note: Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
--------------------------------------------------------------------------------

Also Known As: W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend]

Type: Worm
Infection Length: 22,528 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Virus Definitions (Intelligent Updater) *: January 26, 2004
Virus Definitions (LiveUpdate(tm)) **: January 26, 2004

* Intelligent Updater definitions are released daily, but require manual download and installation.

** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate

Threat Metrics
Wild: High
Damage: Medium
Distribution: High

Damage

Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends to email addresses found in a specified set of files. It ignores email addresses that end in .edu.
Deletes files: n/a
Modifies files: n/a
Degrades performance: Performs DoS against www.sco.com.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Allows unauthorized remote access.
Distribution

Subject of email: Varies
Name of attachment: Varies with an extension of .pif, .scr, .exe, .cmd, .bat, or .zip
Size of attachment: 22,258 bytes
Time stamp of attachment: n/a
Ports: TCP 3127-3198
Shared drives: n/a
Target of infection: n/a

When W32.Novarg.A@mm is executed it does the following:

Creates the following files:

%System%/shimgapi.dll
%temp%/Message (This file is full of random letters and is displayed using Notepad.)
%System%/taskmon.exe (If a copy of taskmon.exe exists in the %System%, it is overwritten and replaced by this copy of the worm.)

--------------------------------------------------------------------------------
Notes:
taskmon.exe is a legitimate file in Windows 95/98/Me operating systems, stored in the %Windir% folder (by default, this is C:\Windows or C:\Winnt). Do not delete this file by mistake.
%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable. The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), C:\WINNT\Temp (Windows NT/2000), or C:\Documents and Settings\<UserName>\Local Settings\Temp (Windows XP).
--------------------------------------------------------------------------------

Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.

Adds the value:

"(Default)" = "%System%\shimgapi.dll"

to the registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

so that shimgapi.dll is loaded by EXPLORER.EXE.

Adds the value:

"TaskMon" = "%System%\taskmon.exe"

to the registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Attempts to perform a Denial of Service attack against www.sco.com by creating 64 threads that send GET requests and use a direct connection to port 80.

--------------------------------------------------------------------------------
Note: The DoS is active between February 1, 2004 and February 12, 2004.
--------------------------------------------------------------------------------

Creates the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

Searches for email addresses in files with the following extensions:

.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt

--------------------------------------------------------------------------------
Note: It ignores addresses which end in .edu.
--------------------------------------------------------------------------------

Attempts to send emails using its own SMTP engine. The worm performs a lookup of the mail server used by the recipient before sending the email. If it is unsuccessful, it will use the local mail server instead.

The email will have the following characteristics:

From: may be a spoofed from address

Subject:
(one of the following)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message:
(one of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment:
(one of the following)
document
readme
doc
text
file
data
test
message
body

--------------------------------------------------------------------------------
Notes:
The attachment may have two suffixes. If so, the first suffix will be one of the following:
.htm
.txt
.doc

The worm will always end with one of the following suffixes:
.pif
.scr
.exe
.cmd
.bat
.zip

The icon displayed will look like the following: [icon image not reproduced]

unless the worm has .exe or .scr for an extension, in which case the file will use the following icon: [icon image not reproduced]
--------------------------------------------------------------------------------

Copies itself to Kazaa download folder as one of the following files:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a file extension of:

.pif
.scr
.bat
.exe
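As an added example (not from the advisory and not the poster's code), a Python mail-gateway triage rule that applies the characteristics listed above: the subject and body lists, attachment base names with the optional double suffix, the 22,528-byte attachment size, and the Kazaa file names. The function names, the two-trait quarantine threshold and the sample message are assumptions.

```python
# Added example, not Symantec's or the poster's code; function names, the two-trait threshold and the sample are assumptions.
from email.message import EmailMessage

SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODIES = {"mail transaction failed. partial message is available.",
          "the message contains unicode characters and has been sent as a binary attachment.",
          "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment."}
BASENAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
FIRST_SUFFIX = {".htm", ".txt", ".doc"}                        # optional inner suffix
FINAL_SUFFIX = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}
INFECTION_LENGTH = 22528                                       # bytes, per the advisory
KAZAA_NAMES = {"winamp5", "icq2004-final", "activation_crack", "strip-girl-2.0bdcom_patches",
               "rootkitxp", "office_crack", "nuke2004"}         # compared lower-cased

def attachment_name_matches(name: str) -> bool:
    """<base>.<final> or <base>.<first>.<final>, every piece drawn from the advisory's lists."""
    stem, dot, final = name.lower().rpartition(".")
    if not dot or "." + final not in FINAL_SUFFIX:
        return False
    base, dot2, first = stem.rpartition(".")
    if dot2:                                                   # double suffix, e.g. document.htm.pif
        return base in BASENAMES and "." + first in FIRST_SUFFIX
    return stem in BASENAMES

def kazaa_name_matches(filename: str) -> bool:                 # a copy dropped in the Kazaa download folder
    base, dot, ext = filename.lower().rpartition(".")
    return bool(dot) and base in KAZAA_NAMES and "." + ext in {".pif", ".scr", ".bat", ".exe"}

def score_message(msg: EmailMessage) -> dict:                  # which e-mail characteristics the message shows
    hits = {"subject": (msg.get("Subject") or "").strip().lower() in SUBJECTS,
            "body": False, "attachment_name": False, "attachment_size": False}
    for part in (p for p in msg.walk() if not p.is_multipart()):
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():                                # an attachment
            hits["attachment_name"] |= attachment_name_matches(part.get_filename())
            hits["attachment_size"] |= len(payload) == INFECTION_LENGTH
        elif part.get_content_type() == "text/plain":
            hits["body"] |= payload.decode("ascii", "replace").strip().lower() in BODIES
    return hits

def is_novarg_candidate(msg: EmailMessage) -> bool:           # quarantine when two or more traits coincide
    return sum(score_message(msg).values()) >= 2

def build_sample_message() -> EmailMessage:                    # constructed sample shaped like the lure above
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "postmaster@example.invalid", "user@example.invalid", "Mail Delivery System"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(b"\x00" * INFECTION_LENGTH, maintype="application", subtype="octet-stream", filename="document.htm.pif")
    return msg
```

Matching on any single trait would be noisy (a bare "hi" subject is common), which is why the verdict requires two of them to coincide.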
 
The last one was like syphilis, is this one closer to The Clap? I heard that can really mess up your system files, particularly the output ports.
 
I got something in my hush acct last night that I mistook for someone else and it put a file (says it's a screen saver) and I cannot delete it. It is the same size file as what you said. What to do? I'm not too good with computers. I tried to make a spread sheet last week and it was a disaster. What does all that info mean from Thick?
 
I don't know wtf any of that means. My ex just happens to work in a big company and she forwards these warnings to me. She still wants my cock
 
God, I'm glad I'm not a computer geek with nothing better to do than create programs with no function other than destruction. I guess that's what 25 years of never getting laid does to a guy.
 