Virus information:

Virus name: W32/Mydoom@MM
Other names:
- Novarg (F-Secure)
- W32.Novarg.A@mm (Symantec)
- Win32.Mydoom.A (CA)
- Win32/Shimg (CA)
- WORM_MIMAIL.R (Trend)
Danger level: Very dangerous - Destructive
First detected: 01/26/2004
Virus length: 22,528 bytes
Spreads via: E-mail

Virus Characteristics:

This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- contains a backdoor component (see below)
- contains a Denial of Service payload

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)
- Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi

Body: (Varies, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
Examples (common names, but can be random):
- doc.bat
- document.zip
- message.zip
- readme.zip
- text.pif
- hello.cmd
- body.scr
- test.htm.pif
- data.txt.exe
- file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:
document.htm (many spaces) .pif

The icon used by the file tries to make it appear as if the attachment is a text file.

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as taskmon.exe:
%SysDir%\taskmon.exe
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %SysDir%\taskmon.exe

The virus uses a DLL that it creates in the Windows System directory:
%SysDir%\shimgapi.dll (4,096 bytes)

This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
"(Default)" = %SysDir%\shimgapi.dll

The virus will not replicate on the 12th February or later (although the DLL will still be installed).

Peer To Peer Propagation

The worm copies itself to the KaZaa Shared Directory with the following filenames:
- nuke2004
- office_crack
- rootkitXP
- strip-girl-2.0bdcom_patches
- activation_crack
- icq2004-final
- winamp

Read more information here: http://vil.nai.com/vil/content/v_100983.htm
Removal tool for this virus: http://vil.nai.com/vil/stinger/
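
An added example, not part of the original post or of the advisory it quotes: a mail-gateway style check in Python for the attachment traits listed above (the executable extensions, a double extension padded with spaces, ZIP wrapping and the 22,528-byte size). The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".bat", ".exe", ".pif", ".cmd", ".scr"}  # listed in the advisory
WORM_SIZE = 22528  # worm size in bytes, from the advisory


def check_name(name):
    """Return the reasons an attachment file name looks suspicious."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    stem, dot, ext = base.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension ." + ext.lower()]
    inner = stem.rstrip()  # drop padding placed before the real extension
    if "." in inner:
        reasons.append("double extension")
    if len(stem) - len(inner) >= 2:
        reasons.append("space-padded extension")
    return reasons


def check_attachment(name, data):
    """Check an attachment and, for a ZIP archive, each member inside it."""
    reasons = check_name(name)
    if reasons and len(data) == WORM_SIZE:
        reasons.append("size matches advisory")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.infolist():
            found = check_name(member.filename)
            if found and member.file_size == WORM_SIZE:
                found.append("size matches advisory")
            reasons += [member.filename + ": " + r for r in found]
    return reasons


def build_sample_zip(member_name, payload):
    """Build a constructed, harmless in-memory ZIP as sample input."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, payload)
    return buffer.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("document.htm" + " " * 40 + ".pif", b"\x00" * WORM_SIZE)
    print(check_attachment("document.zip", sample))
```

An empty result means none of these traits matched. The size match is only a supporting signal and is reported only alongside a suspicious name.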
BE CAREFUL... EXTREMELY CAREFUL. ONE OF MY COMPUTERS GOT INFECTED... RIGHT NOW IT IS SPREADING EVERYWHERE... USE NORTON AND KEEP UPDATING IT TO PROTECT YOURSELF.