Con la utilidad ELIMYDOA.EXE v 1,7 ya controla u elimina esta nueva variante:
__________________________________________
ELIMYDOA.EXE v 1,7:
----v1.7--- (19 de Mayo del 2004) (para el MyDoom.K)
Descripcion de McAfee:
__________________________________________
Virus Name Risk Assessment
W32/Mydoom.k@MM Corporate User : Low
Home User : Low
Virus Information
Discovery Date: 05/18/2004
Origin: Unknown
Length: 50,176 bytes (UPXed EXE)
4,608 bytes (UPXed DLL)
Type: Virus
SubType: E-mail
Minimum DAT: 4360 (05/12/2004)
Updated DAT: 4362 (05/19/2004)
Minimum Engine: 4.2.40
Description Added: 05/18/2004
Description Modified: 05/18/2004 6:35 PM (PT)
Description Menu
Virus Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Rate This page
Print This Page
Email This Page
Legend
Virus Characteristics:
At the time of writing, AVERT has not received a sample of this virus from the field.
--------------------------------------------------------------------------------
Proactive Detection
This threat is detected as W32/Mydoom.gen@MM by McAfee products running the 4360 DATs (release date May 12th 2004), with the scanning of compressed files enabled.
Prior to this, with program heuristics enabled the threat is caught as virus or variant New Malware.b since the 4328 DATs (with scanning of compressed files also enabled).
The DLL that this variant drops is detected as virus or variant W32/Mydoom since the 4320 DATs.
--------------------------------------------------------------------------------
This variant bears similar characteristics to previous variants:
contains its own SMTP engine for constructing messages
email addresses are harvested from the victim machine
spoofs the From: address (using both harvested email addresses, and a list of forenames it carries)
the worm specifically avoids emailing itself to certain email addresses (those containing one of many strings it carries)
contains a backdoor component (via dropped DLL)
Top of Page
Symptoms
When executed, the worm opens NOTEPAD.EXE on the victim machine, displaying a document of garbage characters.
Existence of the files and Registry keys described below.
Installation
When this file is run (manually), it copies itself to the Windows System directory as RUNDLL6.EXE , for example:
%SysDir%\RUNDLL6.EXE
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "rundll" = %SysDir%\rundll6.exe
The virus uses a DLL that it drops in the Windows System directory:
%SysDir%\shimgapi.dll (4,608 bytes)
This DLL is injected into the EXPLORER.EXE process upon reboot via this registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-
9C87-00AA005127ED}\InProcServer32
"(Default)" = %SysDir%\shimgapi.dll
(This key is likely to have originally been equal to %SystemRoot%\System32\webcheck.dll.)
Top of Page
Method Of Infection
Mail Propagation
This worm spreads via email, mass-mailing itself to recipient email addresses harvested from the victim machine (and to addresses constructed from harvested addresses and strings it carries).
Interestingly, harvested and constructed email addresses are sent (via HTTP GET request) to a remote web server. The intention of this is presumably to acquire a large pool of email addresses for subsequent use.
The worm may mail itself as an executable or within a ZIP archive (archive is not password protected). The filenames chosen vary according to strings carried within the worm, and they may consist of random characters.
Messages are constructed with varying subjects and message bodies. The message body may consist of garbage characters
Remote Access Component
The dropped DLL component serves as a remote access component, listening on port 3127 (TCP). Via this backdoor, the worm can accept specially crafted TCP transmissions.
On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution
__________________________________________
saludos
ms, 19-05-2004
msc hotline sat Virus Research Engineer