New MYDOOM variants controlled with ELIMYDOA v 1.9


Post by msc hotline sat » 20 Jul 2004, 17:01

The new MyDoom variant N, covered by today's current McAfee DATs 4379, is controlled and removed with our ELIMYDOA v 1.9 utility, already uploaded to this site.

---v1.9--- (20 July 2004) (for MyDoom.N)

Its description, according to McAfee, is as follows:

__________________________________________

Virus Name: W32/Mydoom.n@MM
Risk Assessment: Corporate User: Low / Home User: Low

Virus Information

Discovery Date: 07/19/2004
Origin: Unknown
Length: Approx. 21KB
Type: Virus
SubType: E-mail worm
Minimum DAT: 4379 (07/19/2004)
Updated DAT: 4379 (07/19/2004)
Minimum Engine: 4.3.20
Description Added: 07/19/2004
Description Modified: 07/20/2004 2:33 AM (PT)


Virus Characteristics:

This is a mass-mailing and share-hopping worm that bears the following characteristics:

contains its own SMTP engine to construct outgoing messages
contains ability to copy itself to mapped drives
Opens a backdoor on TCP port 1042

Symptoms

When this file is run (manually), it copies itself to the WINDOWS directory as LSASS.EXE

Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Traybar" %WinDir%\LSASS.EXE

Remote Access Component



The worm listens on TCP port 1042 on the infected machine. This allows a hacker to send commands remotely to the infected system.



Method Of Infection

Mail Propagation

The virus arrives in an email message as follows:



From: (Spoofed email sender):

Postmaster
Mail Administrator
Automatic Email Delivery Software
Post Office
The Post Office
Bounced mail
Returned mail
MAILER-DAEMON
Mail Delivery Subsystem

Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server that you are infected, which may not be the case.



Subject: (Varies, such as)

click me baby, one more time
say helo to my litl friend
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

Body: (Can contain some or all of the following)

The original message was received at %Date and Time % from %From_Address%

----- The following addresses had permanent fatal errors ----- %To_Address%

----- Transcript of session follows -----
while talking to %To_Address%.:
>>> MAIL From:%From_Adress%
<<< 501 %From_Address%... Refused

This Message was undeliverable due to the following reason:
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within %Random_Number% days:
Host %Random_ IP_Address% is not responding.

The following recipients did not receive this message:

Please reply to PostMaster@%Domain_of_To_Address%
if you feel this message to be in error.

Attachment: (Extension varies: .cmd, .bat, .pif, .com, .scr, .exe, .zip)

readme
transcript
mail
letter
file
text
attachment
document
message
%random characters%
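
As an added example (not part of the original post, of McAfee's description or of the ELIMYDOA utility), a Python filter that checks an incoming message against the spoofed sender names, subjects and attachment extensions listed above, using the standard library's email parser. The sample message is constructed; requiring an attachment with one of those extensions keeps genuine bounce notifications, which reuse the same sender names and subjects, from being flagged on header text alone.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# Lure strings from the McAfee description above, lower-cased for matching.
SPOOFED_SENDERS = {"postmaster", "mail administrator", "post office",
                   "automatic email delivery software", "the post office",
                   "bounced mail", "returned mail", "mailer-daemon",
                   "mail delivery subsystem"}
SUBJECTS = {"click me baby, one more time", "say helo to my litl friend",
            "hello", "hi", "error", "status", "test", "report",
            "delivery failed", "message could not be delivered",
            "mail system error - returned mail",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details",
            "returned mail: data format error"}
ATTACH_EXTS = {".cmd", ".bat", ".pif", ".com", ".scr", ".exe", ".zip"}

# Constructed sample of a worm message; the binary payload is omitted.
WORM_SAMPLE = """\
From: "Mail Delivery Subsystem" <MAILER-DAEMON@example.com>
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

----- Transcript of session follows -----
--b1
Content-Type: application/octet-stream; name="transcript.scr"
Content-Disposition: attachment; filename="transcript.scr"

(payload omitted)
--b1--
"""


def mydoom_n_lures(raw_message):
    """Return the Mydoom.N lures found in one RFC 822 message. A matching
    attachment is required: a real bounce reuses the same sender names and
    subjects, so header text alone is not flagged."""
    msg = message_from_string(raw_message)
    found = []
    if parseaddr(msg.get("From", ""))[0].strip().lower() in SPOOFED_SENDERS:
        found.append("spoofed-sender")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        found.append("subject")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    bad = [n for n in names if os.path.splitext(n)[1].lower() in ATTACH_EXTS]
    return found + ["attachment:" + n for n in bad] if bad else []
```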



Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sales
james
john
spam
abus
master
sample

The worm avoids certain addresses, those using the following strings:

accoun
privacycertific
bug
listserv
submit
ntivi
suppor
crosoft
admi
page
the.bat
gold-certs
ca
feste
not
help
service
no
soft
contact
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
root
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
math
labs
bar.
foo.
.mil
gov.
.gov
update
uslis
domain
example
ophos
spersk
panda
hotmail
msn.
microsoft
sarc.
syma
avp



Propagation via Shared folders

This worm drops copies of itself in folders that contain the following strings:

shar
incoming
ftproot
download

The following filenames are used when copying itself to the folders mentioned above.

index
Kazaa Lite
Harry Potter
ICQ 4 Lite
WinRAR.v.3.2.and.key
Winamp 5.0 (en) Crack
Winamp 5.0 (en)
ShareReactor

The extension of the filename can be .scr, .com, or .exe.
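
As an added example (not from the original post or the ELIMYDOA utility), a Python check for the two host-side traces the description gives, in the Symptoms section and here: the "Traybar" Run value pointing at LSASS.EXE in %WinDir%, and dropped copies in share-like folders. Run-key values are passed in as (name, data) pairs, e.g. parsed from `reg query` output, so the check runs on any platform; the sample values and the sample directory tree are constructed.

```python
import os
import tempfile

# Constructed Run-key values as (name, data) pairs, e.g. parsed from
# "reg query" output; the second one is the worm's persistence entry.
SAMPLE_RUN_VALUES = [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
                     ("Traybar", r"C:\WINDOWS\LSASS.EXE")]
# Folder-name fragments and drop names from the McAfee description above.
SHARE_HINTS = ("shar", "incoming", "ftproot", "download")
DROP_NAMES = {"index", "kazaa lite", "harry potter", "icq 4 lite",
              "winrar.v.3.2.and.key", "winamp 5.0 (en) crack",
              "winamp 5.0 (en)", "sharereactor"}
DROP_EXTS = {".scr", ".com", ".exe"}


def suspicious_run_values(values):
    """Flag a Run value named 'Traybar', or any LSASS.EXE outside System32:
    the genuine lsass.exe lives in %WinDir%\\System32, the worm's in %WinDir%."""
    hits = []
    for name, data in values:
        path = data.strip('"').lower()
        if name.lower() == "traybar" or (
                path.endswith("\\lsass.exe") and "\\system32\\" not in path):
            hits.append((name, data))
    return hits


def find_dropped_copies(root):
    """List files in share-like folders under root whose base name and
    extension match the worm's drop list (case-insensitive)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if not any(h in os.path.basename(dirpath).lower() for h in SHARE_HINTS):
            continue
        for fname in files:
            base, ext = os.path.splitext(fname)
            if base.lower() in DROP_NAMES and ext.lower() in DROP_EXTS:
                found.append(os.path.join(dirpath, fname))
    return sorted(found)


def build_sample_tree():
    """Constructed tree in a temp dir: a worm-like drop in an 'Incoming' share,
    a benign file beside it, and index.exe in a non-share folder (not a hit)."""
    root = tempfile.mkdtemp(prefix="mydoomn_")
    for rel in ("Incoming/Harry Potter.scr", "Incoming/notes.txt", "docs/index.exe"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root
```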



__________________________________________

Apart from this new variant, vsantivirus announces a new variant O, not yet covered by that DAT version and of which we have no sample, which will already be detected by our utility, although samples will be requested, since the files are not random and we need to confirm that they really correspond to this virus, after which the precise removal utility can be made:

http://www.vsantivirus.com/mydoom-o.htm

CONTROL/REMOVAL UTILITY:

https://foros.zonavirus.com/viewtopic.php?p=67#67

regards

ms, 20-07-2004








