Security Alerts
Unit 4 Agresso issues MyDoom alert
27-01-2004
by Ralph Averbuch
Unit 4 Agresso has issued a 'high alert' for the W32/MyDoom-A worm. This mass-mailing worm spreads itself by harvesting e-mail addresses from the local hard disk and uses randomly chosen addresses from that list for both the "To" and "From" fields.
W32/MyDoom-A is similar to both the Melissa and Loveletter worms that previously hit the world headlines. The new worm can spread rapidly, with the potential to cross the planet in a matter of hours. According to Unit 4 Agresso it is equally dangerous for both corporate and home users.
Description:
Because the "From" address is picked at random from the harvested list, it is spoofed and does not reveal where the e-mail really came from.
The "Subject" field is also chosen at random. Subjects seen so far include 'error', 'hello', 'hi', 'mail delivery system', 'mail transaction failed', 'server report', 'status', 'test', or just a random string of characters.
The body of the message is mostly a series of random garbage characters.
The attachment's icon is chosen to make it look like a plain text file. The attachment uses random names and extensions, and it often arrives inside a ZIP archive. Names seen so far include 'data.zip', 'doc.pif', 'body.pif', 'document.zip', 'message.zip', 'readme.zip', 'test.zip', 'hello.cmd', 'data.txt.exe', 'file.scr'.
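The message traits above (a spoofed sender, a subject from a short list, a garbage body, and an executable attachment that may be wrapped in a ZIP) can be turned into a gateway triage rule. The following is an added example written for this page; it is not code from Unit 4 Agresso or any antivirus vendor. It assumes the executable-extension set is limited to the ones the alert names, the "garbage body" threshold is a heuristic of my own, and both sample messages (including the inner file name 'document.exe' and the addresses) are constructed.

```python
"""Mail-gateway triage for the MyDoom-A message traits listed in the alert."""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators transcribed from the alert. EXEC_EXTENSIONS is deliberately
# limited to the extensions the alert names; widen it for a real gateway.
WORM_SUBJECTS = {
    "error", "hello", "hi", "mail delivery system",
    "mail transaction failed", "server report", "status", "test",
}
EXEC_EXTENSIONS = {".pif", ".scr", ".cmd", ".exe"}


def has_executable_extension(name: str) -> bool:
    """Only the final suffix counts, so 'data.txt.exe' is executable."""
    return os.path.splitext(name.strip().lower())[1] in EXEC_EXTENSIONS


def looks_like_garbage(text: str) -> bool:
    """Heuristic (an assumption, not from the alert): treat the body as
    garbage when under 70% of its non-blank characters are printable ASCII."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return False
    ascii_printable = sum(c.isascii() and c.isprintable() for c in chars)
    return ascii_printable / len(chars) < 0.7


def executable_attachments(msg: EmailMessage) -> list:
    """Names of attachments that are executable directly or inside a ZIP."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if has_executable_extension(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(f"{name}:{m}" for m in zf.namelist()
                                if has_executable_extension(m))
            except zipfile.BadZipFile:
                hits.append(f"{name}:(unreadable ZIP)")  # cannot inspect, so flag it
    return hits


def triage(raw: bytes) -> dict:
    """Score one RFC 822 message; an executable attachment alone quarantines."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    result = {
        "executable_attachments": executable_attachments(msg),
        "subject_match": subject in WORM_SUBJECTS,
        "garbage_body": looks_like_garbage(body),
    }
    # Subject and body traits only corroborate: a legitimate "status" mail
    # must not be quarantined on its subject alone.
    result["verdict"] = "quarantine" if result["executable_attachments"] else "deliver"
    return result


def build_worm_like_message() -> bytes:
    """Constructed sample with the traits from the alert; not a real capture.
    The inner file name 'document.exe' and the addresses are assumptions."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"      # spoofed: harvested, not the real sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("ðÿ¼§¤¶±×÷µ¿½¾«»¬®¯°´¸ " * 4, cte="base64")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ placeholder bytes, constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed legitimate mail whose subject happens to be on the list."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Status"
    msg.set_content("Hi Bob, the January status report is attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="status.pdf")
    return msg.as_bytes()
```

Two design points follow directly from the alert. First, because the "From" address is spoofed, a quarantined message must never be bounced back to its apparent sender; that only floods an innocent third party whose address was harvested. Second, a ZIP the gateway cannot open is treated as suspect rather than waved through, since the worm relies on the archive to hide the executable from simple extension filters.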
Symptoms
There are two signs that a machine has been infected. First, when the attachment is executed the worm opens Notepad and fills it with random garbage characters.
Second, when the file is run it copies itself to the local system under the following filenames:
C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
%SysDir%\taskmon.exe
It also creates a Dynamic Link Library (DLL) in the Windows System directory:
%SysDir%\shimgapi.dll
The following registry entry is used to hook Windows start-up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
It also opens a backdoor that listens on TCP port 3127, giving an attacker remote access to the infected machine.
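The three kinds of artefact above (dropped files, the Run value, the listening port) are exactly what a host check should look for. The script below is an added example for this page, not a tool from Unit 4 Agresso or an antivirus vendor. It is written in Python so the matching logic can be exercised offline; the `netstat -ano` output shown is a constructed sample, not a capture, and the Windows system directory is assumed to be `%SystemRoot%\System32` when the script collects evidence on a live host.

```python
"""Host check for the MyDoom-A artefacts listed in the Symptoms section."""
import os
import subprocess
import sys

# Indicators from the alert; %SysDir% stands for the Windows system directory.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "TaskMon"
RUN_DATA = r"%SysDir%\taskmon.exe"
DROPPED_FILES = [
    r"%SysDir%\taskmon.exe",
    r"%SysDir%\shimgapi.dll",
    r"C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr",
]
BACKDOOR_PORT = 3127


def expand_sysdir(path: str, sysdir: str) -> str:
    return path.replace("%SysDir%", sysdir)


def parse_netstat_listeners(netstat_text: str) -> set:
    """Local TCP ports in LISTENING state, from `netstat -ano` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))   # handles [::]:3127 too
    return ports


def evaluate(run_values: dict, present_files: set, listeners: set, sysdir: str) -> list:
    """Match collected state against the indicators; an empty list means clean.
    Value names and paths compare case-insensitively, as Windows does."""
    findings = []
    expected = expand_sysdir(RUN_DATA, sysdir).lower()
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE.lower() and data.strip('"').lower() == expected:
            findings.append(f'Run value "{name}" = {data}')
    present = {p.lower() for p in present_files}
    for path in DROPPED_FILES:
        full = expand_sysdir(path, sysdir)
        if full.lower() in present:
            findings.append(f"dropped file present: {full}")
    if BACKDOOR_PORT in listeners:
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (backdoor)")
    return findings


def collect_windows():
    """Gather the three kinds of evidence on a live Windows host."""
    import winreg  # Windows-only module, imported lazily
    sysdir = os.path.join(os.environ["SystemRoot"], "System32")  # assumed location
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values under the key
            run_values[name] = str(data)
            i += 1
    present = {expand_sysdir(p, sysdir) for p in DROPPED_FILES
               if os.path.exists(expand_sysdir(p, sysdir))}
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return run_values, present, parse_netstat_listeners(netstat), sysdir


# Constructed sample of `netstat -ano` output from an infected host (not a capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.5:1045       203.0.113.7:25         ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    612
"""

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    for line in evaluate(*collect_windows()) or ["no MyDoom-A indicators found"]:
        print(line)
```

The Run value is matched on its full path rather than on the bare name `taskmon.exe`, so an unrelated program that happens to share the name does not trigger a finding. A listener on 3127 with none of the file artefacts is still worth investigating: the backdoor is the indicator an attacker can use, and a variant could drop its files under other names.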
Recommended Action
Unit 4 advises that any antivirus software in use should be updated immediately. Organisations should also review their security policies so that they guard proactively against future attacks, rather than reacting to new threats and infections after they arise.
In the unlikely event that you have no antivirus software, you can log on to the Security HQ at www.networkassociates.com and download the appropriate Stinger removal tool for free.