W32.Mydoom.A, W32/Mydoom@MM virus, or MIMAIL.R worm (WORM_MIMAIL.R) - current information
A new virus/worm alert was issued on January 26th, 2004. The WORM_MIMAIL.R (W32.MyDoom.A) mass-mailing worm selects from a list of email subjects, message bodies, and attachment file names for its email messages. It spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users on infected machines. The worm has been distributed as a 22,528-byte, UPX-packed Win32 executable and may be included in a ZIP archive. It can also propagate through the Kazaa peer-to-peer file-sharing network.
Aliases: W32/Mydoom.A.worm, Win32:Mydoom [Wrm], Worm/MyDoom.A2, I-Worm.Win32.Mydoom.22528, W32.Novarg.A@mm, Win32/Mydoom.A@mm, I-Worm.Novarg, W32/Mydoom.A@mm, Win32.HLLM.MyDoom.32768, Win32/Shimg
Route of Infection: This is a mass-mailing worm that arrives in an email message as follows:
From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
The icon used by the file tries to make it appear as if the attachment is a text file.
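The delivery pattern described above can be turned into a mail-gateway check. The following Python script is an added example and not code from the original advisory: it parses a message, looks for the bounce-style body texts quoted above, and flags an executable attachment (.exe, .pif, .cmd, .scr) that arrives bare or inside a ZIP archive, noting when its size is exactly 22,528 bytes. The sample messages it builds are constructed test data with placeholder bytes, not real captures, and the sender addresses and subject are invented.

```python
"""Mail-gateway check for the Mydoom.A / MIMAIL.R delivery pattern given above:
a bounce-style body text and an executable attachment (.exe, .pif, .cmd, .scr)
of 22,528 bytes, either bare or inside a ZIP archive.  Added example, not code
from the original advisory; the sample messages are constructed test data."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Body fragments quoted in the advisory, lower-cased for matching.
KNOWN_BODY_TEXT = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
# Attachment extensions the advisory lists for the worm.
EXEC_EXTENSIONS = (".exe", ".pif", ".cmd", ".scr")
WORM_SIZE = 22528  # bytes, as stated in the advisory


def executable_members(filename, payload):
    """Return [(name, size)] for a bare executable attachment or, for a ZIP,
    for every executable member inside it (sizes are uncompressed)."""
    name = (filename or "").lower()
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [(info.filename, info.file_size) for info in zf.infolist()
                        if info.filename.lower().endswith(EXEC_EXTENSIONS)]
        except zipfile.BadZipFile:
            return []  # not a readable archive; other controls must handle it
    if name.endswith(EXEC_EXTENSIONS):
        return [(filename, len(payload))]
    return []


def scan_message(raw_bytes):
    """Return the list of reasons the message matches the worm pattern;
    an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(fragment in text for fragment in KNOWN_BODY_TEXT):
        reasons.append("body matches a Mydoom bounce-style text")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        for name, size in executable_members(part.get_filename(), payload):
            reasons.append(f"executable attachment {name} ({size} bytes)")
            if size == WORM_SIZE:
                reasons.append(f"{name} is exactly {WORM_SIZE} bytes, the worm's size")
    return reasons


def build_sample(zipped):
    """Constructed message in the advisory's shape; the attachment is
    placeholder bytes of the right length, not the worm."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # the real worm spoofs this
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Error"                   # constructed; the worm picks at random
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding "
                    "and has been sent as a binary attachment.")
    placeholder = b"MZ" + b"\x00" * (WORM_SIZE - 2)
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("message.scr", placeholder)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="message.zip")
    else:
        msg.add_attachment(placeholder, maintype="application",
                           subtype="octet-stream", filename="document.pif")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed ordinary message with a .pdf attachment, which should not fire."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Attached is the report we discussed.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("bare .pif", build_sample(False)),
                       ("zipped .scr", build_sample(True)),
                       ("clean", build_clean_sample())):
        print(label, "->", scan_message(raw) or ["no indicators"])
```

Matching on the body text alone would miss variants, and matching on size alone would flag unrelated files, so the script reports each indicator separately and leaves the quarantine decision to the caller.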
Once your computer is infected and activated, MIMAIL.R (W32.MyDoom.A) will mail itself to email addresses found on your computer. The subject line and attachment name are randomly chosen from an internal list.
It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004.
It also runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens ports 3127 to 3198 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
If you see the following file in your c:\windows or winnt directory with a recent creation date, you are definitely infected: SHIMGAPI.DLL
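The two post-infection indicators just described, a listener in the 3127 to 3198 port range and a recently created SHIMGAPI.DLL in the Windows directory, can be checked from a saved `netstat -an` capture and a directory listing. The Python script below is an added example, not code from the original advisory; the netstat output it contains is constructed, the 30-day window for "recent" is an assumption, and the directory list defaults to the two locations the advisory names.

```python
"""Host-side check for the two post-infection indicators the advisory gives:
a backdoor listener on ports 3127 through 3198 and a recently created
SHIMGAPI.DLL in the Windows directory.  Added example, not code from the
original advisory.  The netstat lines below are constructed; the function
takes the text as input so it can be run over a saved `netstat -an` capture
from a suspect machine."""
import os
import re
import time

BACKDOOR_PORTS = range(3127, 3199)      # 3127..3198 inclusive, per the advisory
BACKDOOR_DLL = "shimgapi.dll"
DEFAULT_WINDOWS_DIRS = (r"C:\Windows", r"C:\WINNT")
RECENT_DAYS = 30                         # assumed meaning of "recent creation date"

# One row of the Windows "netstat -an" table: proto, local addr:port, foreign, state
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)", re.IGNORECASE)

# Constructed sample output; the 3127/3128 listeners are the indicator.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3150      192.168.1.20:80        ESTABLISHED
  UDP    0.0.0.0:3129           *:*
"""


def backdoor_listeners(netstat_output):
    """Return the sorted local TCP ports in the backdoor range that are LISTENING.
    Outbound connections that merely use a local port in that range (such as
    the 3150 row above) are ignored."""
    hits = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if (proto.upper() == "TCP" and state.upper() == "LISTENING"
                and int(port) in BACKDOOR_PORTS):
            hits.add(int(port))
    return sorted(hits)


def recent_backdoor_dll(dirs=DEFAULT_WINDOWS_DIRS, max_age_days=RECENT_DAYS, now=None):
    """Return paths of SHIMGAPI.DLL (any letter case) in the given directories
    whose creation time falls within max_age_days.  os.path.getctime is the
    creation time on Windows; on other platforms it is the inode change time,
    which is good enough for a test run."""
    now = time.time() if now is None else now
    found = []
    for directory in dirs:
        try:
            names = os.listdir(directory)
        except OSError:          # directory absent or unreadable on this host
            continue
        for name in names:
            if name.lower() == BACKDOOR_DLL:
                path = os.path.join(directory, name)
                age_days = (now - os.path.getctime(path)) / 86400
                if age_days <= max_age_days:
                    found.append(path)
    return found


def infection_report(netstat_output, dirs=DEFAULT_WINDOWS_DIRS):
    """Combine both indicators into a dict the caller can log or act on."""
    ports = backdoor_listeners(netstat_output)
    dlls = recent_backdoor_dll(dirs)
    return {"backdoor_ports": ports, "backdoor_dlls": dlls,
            "infected": bool(ports or dlls)}


if __name__ == "__main__":
    print(infection_report(SAMPLE_NETSTAT))
```

Because the backdoor stays open after the February 12 cut-off, the listening-port check remains useful after the worm's other routines have gone quiet; the file check catches a machine whose listener has been firewalled but which is still infected.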
For more information on manually removing the backdoor DLL file and terminating the malware program installed by the worm, << Click Here >>
Disinfection: Check out these websites for more detailed disinfection instructions.
- Computer Associates
- McAfee
- Symantec
General Virus Removal Steps:
1) Download one of the above tools from another, uninfected computer.
2) Copy the file onto your computer in the Windows directory.
3) Restart your computer in Safe mode.
4) Run the virus removal program.
To start Windows 2000 in Safe mode:
1. If the computer is running, shut down Windows and then
turn off the power.
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar
at the bottom of the screen, start tapping the F8 key. The
Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most
cases, it is the first item in the list and is selected by
default. (If it is not selected, use the arrow keys to select
it.)
5. Press Enter. The computer will start in Safe mode. This
can take a few minutes.
6. When you are finished with all troubleshooting, close
all programs and restart the computer as you normally would.
PLEASE NOTE: Recent outbreaks of computer viruses (technically, worms) have been attached within emails that appear to be coming from someone you know or appear to be undeliverable messages. Use extra caution when opening email attachments. Any email from SlickRock will only contain attachments with the extensions .rtf, .htm or .pdf. Any files with the extensions .exe, .bat, .scr, .vbs or .pif appearing to be from us should be deleted immediately. If you are ever uncertain about the validity of an email, please call us.