All the major virus vendors were on it but it takes time to isolate how to block it. You can go into the anti-virus section and do a manual update. I did it last night and it contained the code to capture it.

Ben Johansen - http://www.pcforge.com
Authorized Witango & MDaemon Reseller
Available for Witango Development

-----Original Message-----
From: Scott Cadillac [mailto:[EMAIL PROTECTED]
Sent: Monday, January 26, 2004 9:45 PM
To: [EMAIL PROTECTED]
Subject: Re: Witango-Talk: !Virus Alert/Warning!

Thanks Ben,

Funny, one just came through not recognized by my MDaemon Antivirus (first time that's happened), but I have my MDaemon Server configured to remove all executable attachments regardless - so it was cleaned and dumped.

No worries :-)

Cheers...

Scott Cadillac,
Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
--
Information for the Witango Developer Community
---------------------
XML-Extranet - http://xmlx.ca
403-281-6090 - [EMAIL PROTECTED]
--
Well-formed Development (for hire)
---------------------

-----Original Message-----
From: "Ben Johansen" <[EMAIL PROTECTED]>
To: "'WiTango List'" <[EMAIL PROTECTED]>
Date: Mon, 26 Jan 2004 19:46:29 -0500
Subject: Witango-Talk: !Virus Alert/Warning!

> There is a very bad worm out and the Mail Server and Most antivirus
> packages are scrambling to get new updates out.
>
> So for the moment do not open any emails with attachments, until you
> have checked your virus software and made sure that it has the latest
> update which includes the following:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Aliases
>
> Novarg (F-Secure), [EMAIL PROTECTED] (Symantec), Win32.Mydoom.A (CA),
> Win32/Shimg (CA), WORM_MIMAIL.R (Trend)
>
> This is a mass-mailing worm that arrives in an email message as
> follows:
>
> From: (spoofed)
> Subject: (Random)
> Body: (Varies, such as)
>
>   The message cannot be represented in 7-bit ASCII encoding and has been
>   sent as a binary attachment.
>
>   The message contains Unicode characters and has been sent as a binary
>   attachment.
>
>   Mail transaction failed. Partial message is available.
>
> Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP
> archive) (22,528 bytes)
>
> The icon used by the file tries to make it appear as if the attachment
> is a text file
>
> When this file is run it copies itself to the local system with the
> following filenames:
>
>   c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
>   %SysDir%\taskmon.exe
>   (Where %Sysdir% is the Windows System directory, for example
>   C:\WINDOWS\SYSTEM)
>
> It also uses a DLL that it creates in the Windows System directory:
>
>   %SysDir%\shimgapi.dll (4,096 bytes)
>
> This DLL is injected into the EXPLORER.EXE upon reboot via this
> registry key:
>
>   HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll
>
> It creates the following registry entry to hook Windows startup:
>
>   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
>
> The worm opens a connection on TCP port 3127 suggesting remote access
> capabilities.
>
> AVERT is currently analyzing this threat. Details will be posted,
> as they are available. A DAT update including repair will be posted
> shortly.
>
> Ben Johansen - http://www.pcforge.com
> Authorized Witango & MDaemon Reseller
> Available for Witango Development
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
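
Added example, not part of the thread and not MDaemon's own code: a Python check for the gateway policy described in the thread (dropping executable attachments whether or not the scanner recognises them), applied to the extensions listed in the quoted advisory and extended to look inside ZIP archives, since the advisory says the attachment often arrives in one. The function names and the sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the advisory quoted in the thread.
BLOCKED_EXT = (".exe", ".pif", ".cmd", ".scr")


def _is_blocked(name: str) -> bool:
    # Trailing dots/spaces are ignored by Windows, so strip them before matching.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT)


def blocked_names(raw: bytes) -> list:
    """Return attachment names (and ZIP member names) with a blocked extension."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _is_blocked(name):
            hits.append(name)
        # Decide by content, not by name: a ZIP can be sent under any extension.
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if _is_blocked(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")  # fail closed
    return hits


def _sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def _zip_with(member: str) -> bytes:
    """Build a constructed ZIP holding one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"harmless placeholder bytes")
    return buf.getvalue()
```

A message for which `blocked_names` returns a non-empty list would be quarantined or have those parts stripped; the padded double extension case (`name.txt   .pif`) is matched because only the final extension is tested.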
