---v1.9--- (July 20, 2004) (for MyDoom.N)
Its description, according to McAfee, is the following:
__________________________________________
Virus Name          Risk Assessment
W32/Mydoom.n@MM     Corporate User: Low
                    Home User: Low
Virus Information
Discovery Date: 07/19/2004
Origin: Unknown
Length: Approx. 21KB
Type: Virus
SubType: E-mail worm
Minimum DAT: 4379 (07/19/2004)
Updated DAT: 4379 (07/19/2004)
Minimum Engine: 4.3.20
Description Added: 07/19/2004
Description Modified: 07/20/2004 2:33 AM (PT)
Virus Characteristics:
This is a mass-mailing and share-hopping worm that bears the following characteristics:
contains its own SMTP engine to construct outgoing messages
contains ability to copy itself to mapped drives
Opens a backdoor on TCP port 1042
Symptoms
When this file is run (manually), it copies itself to the Windows directory (%WinDir%) as LSASS.EXE.
Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Traybar" %WinDir%\LSASS.EXE
Remote Access Component
The worm listens on TCP port 1042 on the infected machine. This allows a hacker to send commands remotely to the infected system.
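The three host-side indicators in the description above (the Run value "Traybar", the LSASS.EXE copy in the Windows directory rather than System32, and the listener on TCP port 1042) can be checked with a small triage script. The following is an added example, not McAfee's or the original post's code; the registry values, file paths and netstat lines it uses are constructed for the example, and on a real host you would feed it the live Run key, a listing of %WinDir% and the output of `netstat -an`.

```python
"""Host triage for the W32/Mydoom.n@MM indicators listed in the description.
Added example; all sample inputs below are constructed, not captured data."""
import re
from typing import Dict, List

# Indicators taken from the description above.
RUN_VALUE_NAME = "Traybar"
DROPPED_FILE = "LSASS.EXE"
BACKDOOR_PORT = 1042

# The legitimate lsass.exe lives under System32; a copy directly in the
# Windows directory is the worm's drop location.
LEGIT_LSASS_DIR = "system32"


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run-key values that match the worm's persistence entry.

    `run_values` maps value name -> command string, as read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() and DROPPED_FILE.lower() in command.lower():
            hits.append(name)
    return hits


def lsass_path_is_suspicious(path: str) -> bool:
    """True when an lsass.exe sits outside System32 (e.g. directly in %WinDir%)."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    if not parts or parts[-1] != DROPPED_FILE.lower():
        return False
    return LEGIT_LSASS_DIR not in parts[:-1]


def listening_on_port(netstat_lines: List[str], port: int = BACKDOOR_PORT) -> bool:
    """Parse `netstat -an`-style lines and report a TCP LISTENING socket on `port`."""
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[3].upper() == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                return True
    return False


def triage(run_values: Dict[str, str], file_paths: List[str],
           netstat_lines: List[str]) -> Dict[str, bool]:
    """Combine the three checks into one verdict per indicator."""
    return {
        "run_key": bool(suspicious_run_entries(run_values)),
        "dropped_file": any(lsass_path_is_suspicious(p) for p in file_paths),
        "backdoor_listener": listening_on_port(netstat_lines),
    }


# Constructed sample data representing an infected host (not real captures).
SAMPLE_RUN = {
    "Traybar": r"C:\WINDOWS\LSASS.EXE",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = [r"C:\WINDOWS\LSASS.EXE", r"C:\WINDOWS\system32\lsass.exe"]
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING",
]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT))
```

The path check deliberately keys on the directory rather than the file name alone, since a bare "lsass.exe" hit would flag the genuine Local Security Authority binary on every machine.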
Method Of Infection
Mail Propagation
The virus arrives in an email message as follows:
From: (Spoofed email sender):
Postmaster
Mail Administrator
Automatic Email Delivery Software
Post Office
The Post Office
Bounced mail
Returned mail
MAILER-DAEMON
Mail Delivery Subsystem
Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server that you are infected, which may not be the case.
Subject: (Varies, such as)
click me baby, one more time
say helo to my litl friend
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
Body: (Can contain some or all of the following)
The original message was received at %Date and Time % from %From_Address%
----- The following addresses had permanent fatal errors ----- %To_Address%
----- Transcript of session follows -----
while talking to %To_Address%.:
>>> MAIL From:%From_Adress%
<<< 501 %From_Address%... Refused
This Message was undeliverable due to the following reason:
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within %Random_Number% days:
Host %Random_IP_Address% is not responding.
The following recipients did not receive this message:
Please reply to PostMaster@%Domain_of_To_Address%
if you feel this message to be in error.
Attachment: (Extension varies: .cmd, .bat, .pif, .com, .scr, .exe, .zip)
readme
transcript
letter
file
text
attachment
document
message
%random characters%
Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:
sales
james
john
spam
abus
master
sample
The worm avoids certain addresses, those containing the following strings:
accoun
privacycertific
bug
listserv
submit
ntivi
suppor
crosoft
admi
page
the.bat
gold-certs
ca
feste
not
help
service
no
soft
contact
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
root
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
gnu.
gmail
seclist
secur
math
labs
bar.
foo.
.mil
gov.
.gov
update
uslis
domain
example
ophos
spersk
panda
hotmail
msn.
microsoft
sarc.
syma
avp
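The mail characteristics above (spoofed bounce-style sender names, the subject list, the fake delivery-failure body text, and an executable attachment) are what a mail gateway can key on. The following is an added example, not McAfee's or the original post's code: it parses a raw message with Python's standard `email` package and reports which indicators match. Both messages it scores are constructed for the example. Because a genuine MTA bounce also uses a Mail Delivery Subsystem sender, a "Returned mail" subject and transcript-style body, the verdict hinges on the executable attachment, which a real bounce never carries; attachment matching keys on the extension rather than the stem, since the description says the stem may be random characters.

```python
"""Score a raw message against the W32/Mydoom.n@MM mail indicators.
Added example; the sample messages below are constructed, not captured."""
import email
from email import policy

# Indicators copied from the description above.
SPOOFED_SENDER_NAMES = {
    "postmaster", "mail administrator", "automatic email delivery software",
    "post office", "the post office", "bounced mail", "returned mail",
    "mailer-daemon", "mail delivery subsystem",
}
SUBJECTS = {
    "click me baby, one more time", "say helo to my litl friend", "hello", "hi",
    "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details", "returned mail: data format error",
}
BODY_PHRASES = (
    "transcript of session follows", "permanent fatal errors",
    "undeliverable due to the following reason",
    "not reachable within the allowed queue period",
    "is not responding", "did not receive this message",
)
EXECUTABLE_EXTS = {".cmd", ".bat", ".pif", ".com", ".scr", ".exe", ".zip"}


def score_message(raw: str) -> dict:
    """Match a raw RFC 5322 message against the worm's indicators.

    The first three indicators also match genuine MTA bounces; a real bounce
    never carries an executable attachment, so that flag decides the verdict.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_name = str(msg.get("From", "")).split("<")[0].strip().strip('"').lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    body_text, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content().lower()
    findings = {
        "spoofed_bounce_sender": from_name in SPOOFED_SENDER_NAMES,
        "known_subject": subject in SUBJECTS,
        "bounce_body_text": any(p in body_text for p in BODY_PHRASES),
        "executable_attachment": any(
            "." + name.rpartition(".")[2] in EXECUTABLE_EXTS for name in attachments),
    }
    hits = sum(findings.values())
    findings["verdict"] = (
        "quarantine" if findings["executable_attachment"] and hits >= 2 else "pass")
    return findings


# Constructed worm-style message: fake bounce plus a .scr attachment.
SAMPLE_WORM_MAIL = """\
From: "Mail Delivery Subsystem" <MAILER-DAEMON@example.com>
To: john@example.com
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

The original message was received at Tue, 20 Jul 2004 09:12:00 from john@example.com
----- Transcript of session follows -----
while talking to mail.example.com.:
>>> MAIL From:john@example.com
<<< 501 john@example.com... Refused

--XYZ
Content-Type: application/octet-stream; name="transcript.scr"
Content-Disposition: attachment; filename="transcript.scr"
Content-Transfer-Encoding: base64

Tk9UIEEgUkVBTCBCSU5BUlk=

--XYZ--
"""

# Constructed genuine bounce: same sender, subject and body style, no attachment.
SAMPLE_REAL_BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mail.example.com>
To: john@example.com
Subject: Returned mail: see transcript for details
Content-Type: text/plain; charset="us-ascii"

----- Transcript of session follows -----
550 5.1.1 <nobody@example.org>... User unknown
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_WORM_MAIL))
    print(score_message(SAMPLE_REAL_BOUNCE))
```

Run against the two samples, the worm message matches all four indicators and is quarantined, while the real bounce matches three and passes, which is the behaviour a gateway rule needs so that legitimate delivery-status notifications are not dropped.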
Propagation via Shared folders
This worm drops copies of itself in folders whose names contain the following strings:
shar
incoming
ftproot
download
The following filenames are used when copying itself to the folders mentioned above.
index
Kazaa Lite
Harry Potter
ICQ 4 Lite
WinRAR.v.3.2.and.key
Winamp 5.0 (en) Crack
Winamp 5.0 (en)
ShareReactor
The extension of the filename can be .scr, .com, or .exe.
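The share-hopping behaviour above gives a precise signature for file-share scanning: a lure file name from the list, with a .scr, .com or .exe extension, inside a folder whose path contains one of the four marker strings. The following is an added example, not McAfee's or the original post's code: the matching logic works on path strings (so it can be tested offline on the constructed list below) and `scan_tree` applies it to a real directory or mounted share.

```python
"""Find W32/Mydoom.n@MM share lures by path. Added example; SAMPLE_PATHS is constructed."""
import os
from typing import Iterable, List

# Folder markers, lure stems and extensions from the description above.
FOLDER_MARKERS = ("shar", "incoming", "ftproot", "download")
LURE_STEMS = {
    "index", "kazaa lite", "harry potter", "icq 4 lite",
    "winrar.v.3.2.and.key", "winamp 5.0 (en) crack", "winamp 5.0 (en)",
    "sharereactor",
}
LURE_EXTS = {".scr", ".com", ".exe"}


def is_lure_path(path: str) -> bool:
    """True when `path` names a lure file inside a folder the worm targets.

    Both Windows and POSIX separators are accepted; matching is case-insensitive.
    """
    folder, _, filename = path.replace("\\", "/").rpartition("/")
    stem, ext = os.path.splitext(filename.lower())
    return (ext in LURE_EXTS and stem in LURE_STEMS
            and any(marker in folder.lower() for marker in FOLDER_MARKERS))


def find_lures(paths: Iterable[str]) -> List[str]:
    """Filter an iterable of path strings down to the lure matches."""
    return [p for p in paths if is_lure_path(p)]


def scan_tree(root: str) -> List[str]:
    """Walk a real directory (for example a mounted share) and return matching files."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_lure_path(full):
                found.append(full)
    return found


# Constructed sample listing of a file server; only the first three are lures.
SAMPLE_PATHS = [
    r"D:\Shared\Harry Potter.scr",
    r"D:\ftproot\incoming\winrar.v.3.2.and.key.exe",
    "/srv/downloads/Winamp 5.0 (en) Crack.com",
    r"D:\Shared\Harry Potter.zip",          # wrong extension
    r"C:\Program Files\Winamp\winamp.exe",  # legitimate binary, not a lure stem
    "/home/user/docs/index.exe",            # lure name, but not a targeted folder
]

if __name__ == "__main__":
    for hit in find_lures(SAMPLE_PATHS):
        print("lure:", hit)
```

The negative samples matter as much as the positives: requiring all three conditions keeps a scan of a large share from flagging every index.exe or every Winamp installation.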
__________________________________________
Apart from this new variant, vsantivirus announces a new variant O, not yet covered by that version of the DATs and of which we have no sample, which will already be detected by our utility, although samples will be requested, since they are not random files and we need to confirm that they really correspond to that virus, after which the precise removal utility can be made:
CONTROL/REMOVAL UTILITY:
regards
ms, 20-07-2004
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::