There is a very bad worm out, and the mail server and most antivirus
packages are scrambling to get new updates out.

So for the moment do not open any emails with attachments until you
have checked your virus software and made sure that it has the latest
update, which includes the following:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aliases

Novarg (F-Secure), [EMAIL PROTECTED] (Symantec), Win32.Mydoom.A (CA),
Win32/Shimg (CA), WORM_MIMAIL.R (Trend)


This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body:  (Varies, such as) 

The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment. 
The message contains Unicode characters and has been sent as a binary
attachment. 
Mail transaction failed. Partial message is available. 
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP
archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment
is a text file.


When this file is run it copies itself to the local system with the
following filenames:

 c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
 %SysDir%\taskmon.exe
(Where %SysDir% is the Windows System directory, for example
C:\WINDOWS\SYSTEM)


It also uses a DLL that it creates in the Windows System directory:

 %SysDir%\shimgapi.dll (4,096 bytes) 
This DLL is injected into the EXPLORER.EXE upon reboot via this registry
key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll
It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The worm opens a connection on TCP port 3127, suggesting remote access
capabilities.

AVERT is currently analyzing this threat.  Details will be posted
as they are available.  A DAT update including repair will be posted
shortly.



Ben Johansen - http://www.pcforge.com
Authorized Witango & MDaemon Reseller
Available for Witango Development



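A mail-side triage check for the message pattern described in the advisory above, added here as an example; it is not part of the original post, nor code from AVERT or from any of the vendors named. It uses only the indicators the advisory quotes (the three body sentences, the .exe/.pif/.cmd/.scr attachment extensions, the 22,528-byte attachment size) and looks inside ZIP attachments because the advisory says the file often arrives zipped. The sample messages it builds, the attachment names (document.zip, document.scr) and the placeholder attachment bytes are constructed for the demonstration and are not the worm.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Body sentences quoted in the advisory (copied from the post above)
BODY_PHRASES = (
    "The message cannot be represented in 7-bit ASCII encoding",
    "The message contains Unicode characters",
    "Mail transaction failed. Partial message is available.",
)
# Attachment extensions the advisory lists
EXEC_EXTS = (".exe", ".pif", ".cmd", ".scr")
# Attachment size quoted in the advisory (a weak indicator on its own)
KNOWN_SIZE = 22528


def suspicious_names(filename, payload):
    """Return executable filenames found in one attachment.

    A ZIP archive (by name or by its 'PK' signature) is opened in memory
    and its members are checked too; a malformed archive is treated as
    opaque rather than raising."""
    names = []
    if filename.lower().endswith(EXEC_EXTS):
        names.append(filename)
    if filename.lower().endswith(".zip") or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXEC_EXTS):
                        names.append(f"{filename}:{info.filename}")
        except zipfile.BadZipFile:
            pass
    return names


def triage_message(raw_bytes):
    """Score one RFC 822 message against the advisory's indicators.

    Returns a list of human-readable reasons; an empty list means no
    indicator matched. Intended for a quarantine/flag decision, not as
    a replacement for signature-based scanning."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for phrase in BODY_PHRASES:
        if phrase in text:
            reasons.append(f"body text: {phrase!r}")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        for name in suspicious_names(filename, payload):
            reasons.append(f"executable attachment: {name}")
        if len(payload) == KNOWN_SIZE:
            reasons.append(f"attachment size matches advisory: {filename}")
    return reasons


def build_sample(kind="zip"):
    """Construct a test message: 'zip' (executable inside a ZIP), 'exe'
    (bare executable extension) or 'clean' (ordinary text, no attachment).
    Attachment bytes are a harmless constructed placeholder."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # the real thing spoofs this
    msg["Subject"] = "hello"
    if kind == "clean":
        msg.set_content("Meeting notes attached next week.")
        return bytes(msg)
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    fake = b"MZ" + b"\x00" * 30  # constructed placeholder, not an executable
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("document.scr", fake)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="document.zip")
    else:
        msg.add_attachment(fake, maintype="application",
                           subtype="octet-stream", filename="document.scr")
    return bytes(msg)


if __name__ == "__main__":
    for kind in ("zip", "exe", "clean"):
        print(kind, "->", triage_message(build_sample(kind)))
```

The check deliberately reports every matching indicator rather than stopping at the first one, so an operator reviewing a quarantine queue can see whether a message tripped only the weak size rule or also the body text and the executable inside the archive.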



