NUEVA VARIANTE DEL VIRUS MYDOOM.K (ELIMINACION YA CONTROLADA

Cerrado
Avatar de Usuario
msc hotline sat
Administrador
Administrador
Mensajes: 93652
Registrado: 09 Mar 2004, 20:39
Ubicación: BARCELONA (ESPAÑA)
Contactar:

NUEVA VARIANTE DEL VIRUS MYDOOM.K (ELIMINACION YA CONTROLADA

Mensaje por msc hotline sat » 19 May 2004, 17:48

Una nueva variante del MyDoom (K) ha sido conttrolada por McAfee, si bien heuristicamente, y con los DARS 4362 de esta noche, pasará a estar controlado básicamente.



Con la utilidad ELIMYDOA.EXE v 1,7 ya controla u elimina esta nueva variante:



__________________________________________



ELIMYDOA.EXE v 1,7:

----v1.7--- (19 de Mayo del 2004) (para el MyDoom.K)



https://foros.zonavirus.com/viewtopic.php?p=67#67



Descripcion de McAfee:

__________________________________________





Virus Name Risk Assessment

W32/Mydoom.k@MM Corporate User : Low

Home User : Low







Virus Information

Discovery Date: 05/18/2004

Origin: Unknown

Length: 50,176 bytes (UPXed EXE)

4,608 bytes (UPXed DLL)

Type: Virus

SubType: E-mail

Minimum DAT: 4360 (05/12/2004)

Updated DAT: 4362 (05/19/2004)

Minimum Engine: 4.2.40

Description Added: 05/18/2004

Description Modified: 05/18/2004 6:35 PM (PT)

Description Menu

Virus Characteristics

Symptoms

Method Of Infection

Removal Instructions

Variants / Aliases

Rate This page

Print This Page

Email This Page

Legend







Virus Characteristics:

At the time of writing, AVERT has not received a sample of this virus from the field.







--------------------------------------------------------------------------------





Proactive Detection

This threat is detected as W32/Mydoom.gen@MM by McAfee products running the 4360 DATs (release date May 12th 2004), with the scanning of compressed files enabled.



Prior to this, with program heuristics enabled the threat is caught as virus or variant New Malware.b since the 4328 DATs (with scanning of compressed files also enabled).



The DLL that this variant drops is detected as virus or variant W32/Mydoom since the 4320 DATs.







--------------------------------------------------------------------------------





This variant bears similar characteristics to previous variants:



contains its own SMTP engine for constructing messages

email addresses are harvested from the victim machine

spoofs the From: address (using both harvested email addresses, and a list of forenames it carries)

the worm specifically avoids emailing itself to certain email addresses (those containing one of many strings it carries)

contains a backdoor component (via dropped DLL)



Top of Page



Symptoms

When executed, the worm opens NOTEPAD.EXE on the victim machine, displaying a document of garbage characters.

Existence of the files and Registry keys described below.

Installation



When this file is run (manually), it copies itself to the Windows System directory as RUNDLL6.EXE , for example:



%SysDir%\RUNDLL6.EXE

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)





It creates the following registry entry to hook Windows startup:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\

CurrentVersion\Run "rundll" = %SysDir%\rundll6.exe

The virus uses a DLL that it drops in the Windows System directory:



%SysDir%\shimgapi.dll (4,608 bytes)

This DLL is injected into the EXPLORER.EXE process upon reboot via this registry key:



HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-

9C87-00AA005127ED}\InProcServer32

"(Default)" = %SysDir%\shimgapi.dll

(This key is likely to have originally been equal to %SystemRoot%\System32\webcheck.dll.)



Top of Page



Method Of Infection

Mail Propagation



This worm spreads via email, mass-mailing itself to recipient email addresses harvested from the victim machine (and to addresses constructed from harvested addresses and strings it carries).



Interestingly, harvested and constructed email addresses are sent (via HTTP GET request) to a remote web server. The intention of this is presumably to acquire a large pool of email addresses for subsequent use.



The worm may mail itself as an executable or within a ZIP archive (archive is not password protected). The filenames chosen vary according to strings carried within the worm, and they may consist of random characters.



Messages are constructed with varying subjects and message bodies. The message body may consist of garbage characters



Remote Access Component



The dropped DLL component serves as a remote access component, listening on port 3127 (TCP). Via this backdoor, the worm can accept specially crafted TCP transmissions.



On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.

On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution



__________________________________________



saludos



ms, 19-05-2004

Cerrado

Volver a “ALERTAS VIRICAS y utilidades de eliminacion”