AVERT says it’s receiving a very large number of samples from corporate and home users alike, said Jack Sebbag, Canadian General Manager and Vice President of Network Associates. Thats why its been raised from medium to high. The infection is spreading at a very rapid rate.
Mydoom is a mass mailer. Despite the ominous name, it wont delete files. And it requires you to click proactively on the attachment, which isnt even disguised in a particularly cunning fashion. But Sebbag noted that there always seem to be people with too much time on their hands who manage to trigger the virus.
There doesnt seem to be a clear pattern in the subject lines or text, It arrives in an email message as follows:
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (varies [.exe, .pif, .cmd, .scr]. It often arrives in a ZIP archive. The icon used by the file tries to make it appear as if the attachment is a text file. The one thing that is constant, Sebbag said, is its size, 22,528 bytes.
When this file is run it copies itself to the local system with the following filenames:
c:Program FilesKaZaAMy Shared Folderactivation_crack.scr
It also uses a DLL that it creates in the Windows System directory:
c:WINDOWSSYSTEMshimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows_ CurrentVersionRun “TaskMon” = %SysDir%taskmon.exe
The worm opens a connection on TCP port 3127, suggesting remote access capabilities.
It may have keystroke logging attached to it to let someone take over your OS, Sebbag said. It does have that capability.”
Upon executing the virus, Notepad is opened, filled with nonsense characters. The file will try to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.
Printable Version | Email This Article To A Friend | Feedback | Contact Us
© Copyright 2004 Integratedmar.com Corporation