MESO-Rx Discussion forums, General Discussion: yet another virus (this one copies itself to the Kazaa folder)
this one copies itself to the Kazaa folder

W32.Novarg.A@mm
Discovered on: January 26, 2004
Last Updated on: January 27, 2004 02:04:26 PM

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files. The worm will perform a DoS starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004.

Note: Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.

Also Known As: W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend]
Type: Worm
Infection Length: 22,528 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
Virus Definitions (Intelligent Updater)*: January 26, 2004
Virus Definitions (LiveUpdate(tm))**: January 26, 2004
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate

Threat Metrics:
Wild: High
Damage: Medium
Distribution: High

Damage:
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends to email addresses found in a specified set of files. It ignores email addresses that end in .edu.
Deletes files: n/a
Modifies files: n/a
Degrades performance: Performs DoS against www.sco.com.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Allows unauthorized remote access.

Distribution:
Subject of email: Varies
Name of attachment: Varies, with an extension of .pif, .scr, .exe, .cmd, .bat, or .zip
Size of attachment: 22,258 bytes
Time stamp of attachment: n/a
Ports: TCP 3127-3198
Shared drives: n/a
Target of infection: n/a

When W32.Novarg.A@mm is executed it does the following:

1. Creates the following files:
%System%\shimgapi.dll
%Temp%\Message (This file is full of random letters and is displayed using Notepad.)
%System%\taskmon.exe (If a copy of taskmon.exe exists in %System%, it is overwritten and replaced by this copy of the worm.)

Notes: taskmon.exe is a legitimate file in Windows 95/98/Me operating systems, stored in the %Windir% folder (by default, this is C:\Windows or C:\Winnt). Do not delete this file by mistake.
%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable. The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), C:\WINNT\Temp (Windows NT/2000), or C:\Documents and Settings\<UserName>\Local Settings\Temp (Windows XP).

Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.

2. Adds the value:
"(Default)" = "%System%\shimgapi.dll"
to the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
so that shimgapi.dll is loaded by EXPLORER.EXE.

3. Adds the value:
"TaskMon" = "%System%\taskmon.exe"
to the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. Attempts to perform a Denial of Service attack against www.sco.com by creating 64 threads that send GET requests and use a direct connection to port 80.

Note: The DoS is active between February 1, 2004 and February 12, 2004.

5. Creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

6. Searches for email addresses in files with the following extensions:
.htm .sht .php .asp .dbx .tbb .adb .pl .wab .txt

Note: It ignores addresses which end in .edu.

7. Attempts to send emails using its own SMTP engine. The worm performs a lookup of the mail server used by the recipient before sending the email. If it is unsuccessful, it will use the local mail server instead. The email will have the following characteristics:

From: may be a spoofed from address

Subject: (one of the following)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message: (one of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment: (one of the following)
document
readme
doc
text
file
data
test
message
body

Notes: The attachment may have two suffixes. If so, the first suffix will be one of the following: .htm .txt .doc
The worm will always end with one of the following suffixes: .pif .scr .exe .cmd .bat .zip
The icon displayed will look like the following: [icon image] unless the worm has .exe or .scr for an extension, in which case the file will use the following icon: [icon image]

8. Copies itself to the Kazaa download folder as one of the following files:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with a file extension of: .pif .scr .bat .exe
__________________
I just don't understand it. How could you not like to suck dick?
[QUOTE=Grizzly] I want to be the horse because i love being ridden hard by a cowboy "grizzly"
Disclaimer: Thick is a fictional character that enjoys roleplaying to pass the time. Nothing stated by thick should be taken as truthful or real. Also, by no means should any advice given by thick be used in the real world.
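The advisory above lists host-side indicators (listening TCP ports 3127 through 3198, the TaskMon Run value, the hijacked shimgapi.dll CLSID, and the decoy names dropped into the Kazaa download folder). The following is an added example, not part of the original post or of Symantec's writeup: a triage script that takes the text an operator would collect from a suspect machine (a `netstat -an` listing, a `regedit` export, a listing of the Kazaa download folder) and reports which of those indicators are present. The sample inputs are constructed for the example, and the function names are this example's own.

```python
"""Host triage for the W32.Novarg.A@mm indicators from the advisory.

Added example; the sample netstat output, registry export and directory
listing below are constructed, not captured from a real infection.
"""
import re

BACKDOOR_PORTS = range(3127, 3199)            # advisory: TCP 3127 through 3198
RUN_VALUE_NAME = "TaskMon"
RUN_VALUE_DATA = re.compile(r"taskmon\.exe$", re.IGNORECASE)
SHIMGAPI_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
KAZAA_BASENAMES = {                            # lower-cased decoy names from the advisory
    "winamp5", "icq2004-final", "activation_crack", "strip-girl-2.0bdcom_patches",
    "rootkitxp", "office_crack", "nuke2004",
}
KAZAA_EXTENSIONS = {".pif", ".scr", ".bat", ".exe"}


def listening_backdoor_ports(netstat_text):
    """Return TCP ports in LISTENING state that fall inside the worm's proxy range."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[-1].upper() != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])   # local address is host:port
        if port in BACKDOOR_PORTS:
            found.append(port)
    return found


def registry_indicators(reg_export_text):
    """Scan a regedit (.reg) export for the Run value and the hijacked CLSID."""
    hits = []
    current_key = None
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if "=" not in line or current_key is None:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")   # .reg doubles backslashes
        if name == RUN_VALUE_NAME and RUN_VALUE_DATA.search(data) and current_key.endswith("\\Run"):
            hits.append(("run_key", current_key, data))
        if (name == "@" and SHIMGAPI_CLSID.lower() in current_key.lower()
                and current_key.lower().endswith("inprocserver32")
                and data.lower().endswith("shimgapi.dll")):
            hits.append(("clsid_hijack", current_key, data))
    return hits


def kazaa_decoys(filenames):
    """Return files whose name and extension match the worm's Kazaa decoys."""
    matches = []
    for name in filenames:
        base, dot, ext = name.lower().rpartition(".")
        if dot and base in KAZAA_BASENAMES and "." + ext in KAZAA_EXTENSIONS:
            matches.append(name)
    return matches


def triage(netstat_text, reg_export_text, kazaa_files):
    """Run all three checks; any non-empty finding warrants the advisory's removal steps."""
    return {
        "backdoor_ports": listening_backdoor_ports(netstat_text),
        "registry": registry_indicators(reg_export_text),
        "kazaa_decoys": kazaa_decoys(kazaa_files),
    }


# Constructed sample inputs (not real captures).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       64.4.8.21:80           ESTABLISHED
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"""

SAMPLE_KAZAA_DIR = ["winamp5.exe", "song.mp3", "rootkitXP.scr", "readme.txt"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_REG, SAMPLE_KAZAA_DIR).items():
        print(f"{key}: {value}")
```

A TaskMon Run value alone is the strongest single indicator here: as the advisory notes, taskmon.exe is a legitimate Windows 95/98/Me file in %Windir%, but nothing legitimate registers it under the Run key pointing into %System%. The port check only sees what is listening at that moment; the CLSID check catches the persistence that survives a reboot.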
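The mail characteristics in the advisory (fixed subject lines, three fixed body texts, and an attachment named from a short word list, optionally with a .htm/.txt/.doc decoy suffix, always ending in .pif/.scr/.exe/.cmd/.bat/.zip) are what a mail gateway would key on. The following is an added example, not part of the original post or of any vendor's product: it parses a constructed RFC 822 message with Python's standard `email` module and reports which of those lure traits are present. The sample message, the scoring rule and the function names are this example's own assumptions.

```python
"""Gateway-side classifier for the W32.Novarg.A@mm message format.

Added example; SAMPLE_MESSAGE below is constructed (the base64 payload is a
placeholder, not worm code).
"""
import email
import re
from email import policy

SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODY_TEXTS = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
)
ATTACHMENT_NAME = re.compile(
    r"^(document|readme|doc|text|file|data|test|message|body)"
    r"(\.(htm|txt|doc))?"                 # optional decoy first suffix
    r"\.(pif|scr|exe|cmd|bat|zip)$",      # the executable suffix the worm always uses
    re.IGNORECASE,
)


def lure_traits(raw_message):
    """Return the advisory traits found in a raw message: subject, body, attachment:<name>."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    traits = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        traits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    if any(text in body for text in BODY_TEXTS):
        traits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_NAME.match(name):
            traits.append("attachment:" + name)
    return traits


def is_novarg_lure(raw_message):
    """Example rule: an executable attachment with the worm's naming plus a matching subject or body."""
    traits = lure_traits(raw_message)
    has_attachment = any(t.startswith("attachment:") for t in traits)
    return has_attachment and ("subject" in traits or "body" in traits)


# Constructed sample message (not a real capture).
SAMPLE_MESSAGE = """\
From: "john" <john@example.com>
To: jane@example.net
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

The message contains Unicode characters and has been sent as a binary attachment.

--BOUNDARY
Content-Type: application/octet-stream; name="readme.txt.scr"
Content-Disposition: attachment; filename="readme.txt.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    print(lure_traits(SAMPLE_MESSAGE))
    print("novarg lure:", is_novarg_lure(SAMPLE_MESSAGE))
```

The From header is deliberately not used: the advisory says it is spoofed, so it carries no signal. Because the subject and body lists are short and fixed, the attachment name pattern does most of the work; the double-suffix form (readme.txt.scr) is the one a user reading a truncated filename is meant to misread as a text file.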
Didn't know you talked Chinese. English is my only language.
I got something in my hush acct last night that I mistook for someone else, and it put a file (says it's a screen saver) that I cannot delete. It is the same size file as what you said. What to do? I'm not too good with computers. I tried to make a spreadsheet last week and it was a disaster. What does all that info mean from Thick?
__________________
Lestat Balance_Point@hush.com
I don't know wtf any of that means. My ex just happens to work in a big company and she forwards these warnings to me. She still wants my cock.
To all MESO bros: take a look at this link if you want to learn more about this specific worm and what to do if you get it. ........Vegas
http://www.f-secure.com/v-descs/novarg.shtml
Here is another good link to test your system's port vulnerability and what you can do to protect yourself.......Vegas
https://grc.com/x/ne.dll?bh0bkyd2
Vegas is definitely the man. He is putting up a hell of an argument to bump Phreezer's ass out of the CPU guru chair.