Infoweb 2000 di Ribaudo Grazia

19-07-04 - Worm/MyDoom.L

MEDIUM Alias:
  Type: Internet Worm
  Size: 21,236 Bytes
  Platform: Microsoft Windows 9x/ME/NT/2000/XP

  Description: Worm/MyDoom.L is an Internet worm that spreads through e-mail, using addresses it locates in files with certain extensions: .doc, .txt, .htm, and .html. It does not send e-mails to addresses containing one of the following strings:
- .gov
- .mil
- abus
- accoun
- admi
- anyone
- arin.
- avp
- bar.
- bug
- ca
- contact
- crosoft
- domain
- example
- feste
- foo.
- gmail
- gnu.
- gold-certs
- google
- gov.
- help
- hotmail
- info
- james
- john
- labs
- listserv
- master
- math
- me
- microsoft
- msn.
- no
- nobody
- noone
- not
- nothing
- ntivi
- ophos
- page
- panda
- privacycertific
- rarsoft
- rating
- ripe.
- root
- sales
- sample
- sarc.
- seclist
- secur
- service
- sf.net
- site
- soft
- someone
- sourceforge
- spam
- spersk
- submit
- suppor
- syma
- the.bat
- update
- uslis
- winzip
- you
- your

The worm arrives through e-mail in the following format:

Subject:
- click me baby, one more time
- delivery failed
- Delivery reports about your e-mail
- error
- hello
- hi
- Mail System Error - Returned Mail
- Message could not be delivered
- report
- Returned mail: Data format error
- Returned mail: see transcript for details
- say helo to my litl friend
- status
- test

Body:


Attachment:
- readme
- transcript
- mail
- letter
- file
- text
- attachment
- document
- message

** The first character of the attachment name may be uppercase, or the whole name may be in uppercase. The attachment has one of the following file extensions:

- .bat
- .com
- .scr
- .pif
- .exe
- .zip

If executed, the worm copies itself to the \windows\ directory under the filename "lsass.exe". Additionally, to make itself available to various file-sharing programs, it copies itself to any directory it locates whose name contains the string "shar", under one of the following filenames:

- Winamp 5.0 (en)
- Harry Potter
- Kazaa Lite
- ICQ 4 Lite
- WinRAR.v.3.2.and.key

** The filenames may continue with " Crack" or " Crack.ShareReactor" and have a *.com or *.exe extension.

The file ".txt" gets added in the %temp% directory under "lsass.exe".

So that it runs each time the user restarts the computer, the following registry entry is added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Traybar"="C:\\WINDOWS\\lsass.exe"
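
A defender-side check for the persistence entry described above, added here as an example (it is not code from the original bulletin): it parses a `.reg` export and flags HKLM Run values named "Traybar", and more generally any Run value whose image is an lsass.exe outside System32. The sample export, the function name `scan_reg_export`, and the assumption that the genuine lsass.exe lives only in System32 are not from the page.

```python
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "traybar"      # value name from the description above
MASQUERADED_IMAGE = "lsass.exe"  # file name the worm copies itself under
LEGIT_DIR_SUFFIX = "\\system32"  # assumption: genuine lsass.exe lives only here
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
IMAGE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)

# Constructed sample of a .reg export; not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Traybar"="C:\\WINDOWS\\lsass.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /tray"
"Audit"="C:\\WINDOWS\\System32\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Traybar"="C:\\WINDOWS\\lsass.exe"
'''

def scan_reg_export(text):
    """Return (value name, image path, reasons) for suspicious HKLM Run values."""
    findings, in_run_key = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):  # a new key section starts
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if not (in_run_key and m):
            continue
        # Undo .reg string escaping, then drop quotes and arguments.
        command = re.sub(r'\\(["\\])', r"\1", m.group("data"))
        image = IMAGE_RE.match(command)
        path = image.group(1) if image else command
        reasons = []
        if m.group("name").lower() == WORM_VALUE_NAME:
            reasons.append("value name used by the worm")
        if (ntpath.basename(path).lower() == MASQUERADED_IMAGE
                and not ntpath.dirname(path).lower().endswith(LEGIT_DIR_SUFFIX)):
            reasons.append("lsass.exe outside System32")
        if reasons:
            findings.append((m.group("name"), path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in scan_reg_export(SAMPLE_EXPORT):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```
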
  Advice:

  Useful links: http://punto-informatico.it/salvapc/index.asp
    http://www.centralcommand.com/virus_descriptions.html





INFOWEB 2000, Via XXIV Maggio 10, 20030 Bovisio Masciago (MI)
Tel. 0362.593888, Fax 0362.571270, info@infoweb2000.com