lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
From: w.naef at iwar.org.uk (Wanja Eric Naef [IWS])
Subject: PSEPC AL04-001 (W32.Novarg.A@mm (W32/Mydoom@MM))

 
[The OCIPEP Warning about the new worm. WEN]


La version fran?aise suivre


CRITICAL INFRASTRUCTURE PROTECTION AND EMERGENCY PREPAREDNESS

*****************
      ALERT
*****************

Number: AL04-001
Date:   26 January 2004

*****************************
W32.Novarg.A@mm (W32/Mydoom@MM)
*****************************

PURPOSE
The purpose is to bring attention to the W32.Novarg.A@mm worm (also known as
W32/Mydoom@MM) which is spreading rapidly.

ASSESSMENT
W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an
attachment with one of the following extensions: .exe, .scr, .zip, .cmd, or
.pif.

This worm spoofs the From: field and contains a  random Subject line.  The
text body that varies.  Some examples of the text body include: 

The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment. 
The message contains Unicode characters and has been sent as a binary
attachment. 
Mail transaction failed. Partial message is available. 

The zip attachment is 22,528 bytes.  

When this file is run it copies itself to the local system with the
following filenames:  c:\Program Files\KaZaA\My Shared
Folder\activation_crack.scr  c:\WINDOWS\SYSTEM\taskmon.exe 

It also uses a DLL that it creates in the Windows System directory:
c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes) 

It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe 

The worm opens a connection on TCP port 3127 which suggests remote access
capabilities.


SUGGESTED ACTION
Anti-virus solutions should be updated to the latest signature files.
E-mail attachment blocking should be used whenever possible.  For more
details please see the following links:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.
R&VSect=T

Note to Readers
Public Safety and Emergency Preparedness Canada (PSEPC) collects information
related to cyber and physical threats to, and incidents involving, Canadian
critical infrastructure. This allows us to monitor and analyse threats and
to issue alerts, advisories and other information products to our partners.
To report threats or incidents, please contact the PSEPC operations
coordination centre at (613) 991-7000 or opscen@...pep-bpiepc.gc.ca by
e-mail. Unauthorized use of computer systems and mischief in relation to
data are serious Criminal Code offences in Canada. Any suspected criminal
activity should be reported to local law enforcement organizations. The RCMP
National Operations Centre (NOC) provides a 24/7 service to receive such
reports or to redirect callers to local law enforcement organizations. The
NOC can be reached at (613) 993-4460. National security concerns should be
reported to the Canadian Security Intelligence Service (CSIS) at (613)
993-9620. For general information on critical infrastructure protection and
emergency preparedness, please contact our Public Affairs division at:
Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications@...pep-bpiepc.gc.ca

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ