AL-2004.02 -- Email worm W32/Mydoom@MM (W32.Novarg.A@mm)

Date: 27 January 2004
References: ESB-2004.0074  ESB-2004.0075  ESB-2004.0513  ESB-2004.0555  ESB-2004.0556  ESB-2004.0566  ESB-2004.0579  ESB-2004.0628  AL-2004.032  AL-2004.036  ESB-2004.0695  ESB-2005.0841

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2004.02 -- AUSCERT ALERT
                Email worm W32/Mydoom@MM (W32.Novarg.A@mm)
                              27 January 2004

Last Revised: 28 January 2004

===========================================================================

AusCERT has become aware of a new mass-mailer worm named W32/Mydoom@MM (also
known as Win32/Shimg and W32.Novarg.A@mm) that is causing disruption to regular
traffic on Australian and international email servers. The worm arrives in
email messages with varying subjects and spoofed From: addresses. The worm can
also spread via the KaZaA P2P file sharing network, but in both cases it still
requires the recipient to execute the infected file manually.

The message body also varies, but has been observed with the following text:

    * The message cannot be represented in 7-bit ASCII encoding and has been 
      sent as a binary attachment.

    * The message contains Unicode characters and has been sent as a binary 
      attachment.

    * Mail transaction failed. Partial message is available.

The payload is delivered as a .exe, .pif, .cmd or .scr file. These files are
often contained in a .zip file. File names may contain a large number of
spaces before the real extension, so that a mail client displays only the
innocuous-looking leading part of the name and hides the executable extension.

Upon execution, the worm copies itself to the system's hard drive and adds a
registry key so that it is started automatically at boot time. Additionally, a
TCP port in the range 3127-3199 is opened on the infected computer and listens
for inbound connections.
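The two paragraphs above give three host-side indicators that a practitioner can check without waiting for anti-virus definitions: an attachment whose real extension is .exe, .pif, .cmd or .scr; a file name padded with whitespace so the displayed part hides that extension (including inside a .zip); and a listening TCP socket in the 3127-3199 range. The following Python script, written for this page and not AusCERT's own tooling, implements those checks over constructed sample attachment names, an in-memory constructed zip archive, and a few constructed lines of Windows `netstat -an` output. The sample data, the function names and the exact output strings are assumptions for illustration.

```python
"""Triage helpers for the Mydoom indicators in AL-2004.02 (added example).

Not AusCERT code. All sample attachment names, the zip archive and the
netstat lines below are constructed for illustration.
"""
import io
import re
import zipfile
from typing import List, Optional

# Extensions the advisory names as carriers of the payload.
EXECUTABLE_EXTS = {".exe", ".pif", ".cmd", ".scr"}

# Backdoor listener range stated in the advisory, inclusive of both ends.
BACKDOOR_PORTS = range(3127, 3200)

# Whitespace run (two or more blanks) sitting between a visible name and
# the final extension, e.g. "readme.txt<60 spaces>.exe".
PADDED_EXT_RE = re.compile(r"\S\s{2,}\.\w+\s*$")

# One Windows `netstat -an` row: proto, local addr:port, foreign addr, state.
NETSTAT_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def real_extension(name: str) -> str:
    """Return the extension the OS will actually use, lower-cased ('' if none).

    Trailing blanks are stripped first; the last dot decides, not the first,
    so 'readme.txt          .exe' resolves to '.exe'.
    """
    base = name.rstrip()
    idx = base.rfind(".")
    return base[idx:].lower() if idx != -1 else ""


def is_padded(name: str) -> bool:
    """True if whitespace padding separates a decoy name from the real extension."""
    return PADDED_EXT_RE.search(name) is not None


def classify_attachment(name: str, data: Optional[bytes] = None) -> List[str]:
    """Return findings for one attachment; an empty list means nothing matched.

    If `data` is given and the name ends in .zip, each member name inside the
    archive is classified with the same rules (one level deep).
    """
    findings: List[str] = []
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({ext})")
    if is_padded(name):
        findings.append("whitespace padding hides the real extension")
    if ext == ".zip" and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for f in classify_attachment(member):
                        findings.append(f"zip member {member!r}: {f}")
        except zipfile.BadZipFile:
            findings.append("attachment named .zip is not a valid zip archive")
    return findings


def backdoor_listeners(netstat_output: str) -> List[int]:
    """Return sorted local TCP ports in LISTENING state within 3127-3199."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m and int(m.group(2)) in BACKDOOR_PORTS:
            ports.add(int(m.group(2)))
    return sorted(ports)


# ---- constructed sample input -------------------------------------------

SAMPLE_ATTACHMENTS = [
    "readme.txt" + " " * 60 + ".exe",   # padded decoy name (constructed)
    "document.pif",                     # bare executable (constructed)
    "report.pdf",                       # benign control (constructed)
]

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED
"""


def build_sample_zip() -> bytes:
    """Constructed .zip whose single member has a padded .scr name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text" + " " * 40 + ".scr", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(repr(n.strip()), "->", classify_attachment(n) or "clean")
    print("message.zip ->", classify_attachment("message.zip", build_sample_zip()))
    print("backdoor listeners:", backdoor_listeners(SAMPLE_NETSTAT))
```

These are triage indicators, not a removal tool: a listener in 3127-3199 can belong to legitimate software, and a padded file name is suspicious rather than conclusive, so confirm with up-to-date anti-virus definitions before acting on a single hit.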

Analysis by anti-virus researchers has found that the worm is programmed to
perform a Denial-of-Service attack on www.sco.com using HTTP GET requests.
This is due to begin on 1 February 2004.

The worm is programmed to stop spreading on February 12, 2004.

AusCERT recommends upgrading all anti-virus software to use the latest
definition files as soon as they become available. See the anti-virus vendor
links for removal instructions and tools.

Users should remain aware of the danger of opening unsolicited email
attachments.


REFERENCES:

[1] Protecting your computer from malicious code 
    http://www.auscert.org.au/render.html?it=3352

[2] F-Secure Virus Descriptions
    http://www.f-secure.com/v-descs/novarg.shtml

[3] Symantec Security Response
    http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

[4] Computer Associates
    http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=54593

[5] McAfee Security
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983

[6] Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

[7] Sophos Virus Analysis
    http://www.sophos.com/virusinfo/analyses/w32mydooma.html
    
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication. 
However, the decision to follow or act on information or advice contained in 
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
  
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQBb5rCh9+71yA2DNAQHH4AP+Je7nCxUZ79gTlr6VwFG+IN0UvFtqoq81
e7Hj/6DGq0MUUPEMVZh/iqw9uycO+tw7fhaUwLdpO/QdNlCCVGU47ZZCKqle3MPN
ytMxrdVgyxChT7nzrhOnhHPUoXKx4xIvsrMR8dWv+edj4/gHuEZ/58e6V3diHLny
wD4C3ee1Rrw=
=GeEu
-----END PGP SIGNATURE-----