*****************
ALERT
*****************
Number: AL04-001
Date: 26 January 2004
*****************************
W32.Novarg.A@mm (W32/Mydoom@MM)
*****************************
PURPOSE
The purpose of this alert is to bring attention to the
W32.Novarg.A@mm worm (also known as W32/Mydoom@MM), which is
spreading rapidly.
ASSESSMENT
W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives
as an attachment with one of the following extensions: .exe,
.scr, .zip, .cmd, or .pif.
This worm spoofs the From: field and uses a random Subject
line. The text body varies. Some examples of the text body
include:
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as
a binary attachment.
Mail transaction failed. Partial message is available.
The zip attachment is 22,528 bytes.
When this file is run it copies itself to the local system
with the following filenames:
c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
c:\WINDOWS\SYSTEM\taskmon.exe
It also uses a DLL that it creates in the Windows System directory:
c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The worm opens TCP port 3127, which suggests remote access
capabilities.
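As an added example (not part of the original alert), the following Python check shows how a mail gateway could flag messages matching the indicators above: a risky attachment extension paired with one of the listed body texts or the 22,528-byte zip size. The sample messages are constructed in memory and the addresses are placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert: attachment extensions, body texts, zip size.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".cmd", ".pif"}
KNOWN_BODY_TEXTS = (
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
ZIP_ATTACHMENT_SIZE = 22528  # bytes, as stated in the alert

def scan_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report which Novarg indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"risky_attachments": [], "known_body_text": False, "zip_size_match": False}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    normalised = " ".join(text.split())  # undo line wrapping before comparing
    hits["known_body_text"] = any(t in normalised for t in KNOWN_BODY_TEXTS)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        hits["risky_attachments"].append(name)
        payload = part.get_payload(decode=True) or b""
        if ext == ".zip" and len(payload) == ZIP_ATTACHMENT_SIZE:
            hits["zip_size_match"] = True
    return hits

def should_quarantine(hits: dict) -> bool:
    """Hold a message only when a risky attachment is paired with a second indicator,
    so ordinary .zip traffic is not blocked on extension alone."""
    return bool(hits["risky_attachments"]) and (hits["known_body_text"] or hits["zip_size_match"])

def build_sample(body: str, filename: str, payload: bytes, subtype: str) -> bytes:
    """Build a constructed test message in memory (placeholder addresses, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "hi"  # the real worm uses a random subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()
```

Size and body-text matches are specific to this variant; signature updates from the vendor links below remain the primary control.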
SUGGESTED ACTION
Anti-virus solutions should be updated to the latest signature
files.
E-mail attachment blocking should be used whenever possible.
For more details please see the following links:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R&VSect=T