
03-09-04 - Worm/MyDoom.T

Risk level: Low
  Alias: W32/MyDoom.T@mm
  Type: Internet Worm
  Size: 37,888 bytes (UPX packed)
  Platform: Microsoft Windows 9x/ME/NT/2000/XP

  Description: Worm/MyDoom.T is a memory-resident Internet worm that spreads through e-mail by using addresses it locates in files with certain extensions.

The worm arrives through e-mail in the following format:

Subject:
- DOCUMENT
- Error
- hello
- Hello
- Hi
- hi
- HI
- Mail Delivery System
- Mail Transaction Failed
- MAIL TRANSACTION FAILED
- RE:my .....
- Server Report
- Test
- test
- TEST

Body:
- !!!!!!!!!!!, check the attachment!!!.
- (Norton Anti Virus : No Virusses Found , Check The Attachment For More Information.
- (Norton ANti Virus,Panda,Mcafee No Virusses Found).
-
- Check the attachment for more information!.
- check the attachment to get the lastest news.
- check.
- come back my friend.
- error , sorry we can't send the email so check the attachment.
- error to send the mail!!!!!.
- error, check the attachment for more information.
- failed to send the email!, check the attachment for more information.
- failed,check the attachment for more information.
- hello :)
- hello check the attachment thx.
- hello.
- here is what you need,thx.
- loooooool ;)))
- Mail transaction failed.
- Partial message is available.
- sorry we can't send the mail try later , check the attachment for more information.
- test
- the attachment for more information.
- Try Later, Check the Attachment.
- you can check the attachment for more information.
- your attachment , thx.

Attachment:
- body
- data
- doc
- document
- Error
- file
- Information
- message
- Msg
- readme
- rest
- text
-

The attached file will carry one of the following file extensions: "cmd, pif, scr, exe, bat, zip"

If executed, the worm copies itself to the \windows\%system% directory under the filename "tasker.exe". The following file is also added:

- \windows\%system%\Nemog.dll (8,192 Bytes)

So that it runs each time the computer is restarted, the following registry value is added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Task"="<%sysdir%>\\tasker.exe"

The following registry key also gets created:

- HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
@="<%sysdir%>\\Nemog.dll"
"ThreadingModel"="Apartment"

The worm displays a message in Notepad and opens port 5422 to listen for incoming connections.

It contains the following string:
"MSG To SkyNet-Netsky: i know skynet is sucks so f*** off and i will complete my projects ok baby!,the second author for mydoom worms!!, he will complete the project, more is coming soon better than better,Kuwait."
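
As an added example (not part of the original advisory), the Python sketch below checks a registry export in .reg format and `netstat -an` output for the host indicators listed above: the `Task` Run value pointing at tasker.exe, the CLSID InProcServer32 entry pointing at Nemog.dll, and a listener on port 5422. The `C:\WINDOWS\system32` path and netstat lines are constructed sample data, the function names are hypothetical, and treating port 5422 as TCP is an assumption.

```python
import re

# Indicators are from the advisory above; SAMPLE_* data and function names are constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
PORT = "5422"
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse .reg export text into {key: {name: data}}; names lowercased, escapes undone."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).strip('"').lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def points_to(path, filename):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == filename

def check_registry(reg_text):
    keys, hits = parse_reg(reg_text), []
    run = keys.get(RUN_KEY.lower(), {}).get("task", "")
    if points_to(run, "tasker.exe"):
        hits.append(("run", run))
    dll = keys.get(CLSID_KEY.lower(), {}).get("@", "")
    if points_to(dll, "nemog.dll"):
        hits.append(("clsid", dll))
    return hits

def check_listeners(netstat_text):
    """Local endpoints in LISTENING state on port 5422 (TCP is an assumption)."""
    rows = (l.split() for l in netstat_text.splitlines())
    return [f[1] for f in rows
            if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING"
            and f[1].rsplit(":", 1)[-1] == PORT]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task"="C:\\WINDOWS\\system32\\tasker.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\Nemog.dll"
"ThreadingModel"="Apartment"
"""
SAMPLE_NETSTAT = "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING\n  TCP  0.0.0.0:5422  0.0.0.0:0  LISTENING\n"

if __name__ == "__main__":
    print(check_registry(SAMPLE_REG), check_listeners(SAMPLE_NETSTAT))
```

Matching is on the file name only, so the check still fires when the system directory differs from the sample path.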
  Advice:

  Useful links: http://punto-informatico.it/salvapc/index.asp
    http://www.centralcommand.com/virus_descriptions.html





INFOWEB 2000, Via XXIV Maggio 10, 20030 Bovisio Masciago (MI)
Tel. 0362.593888, Fax 0362.571270, info@infoweb2000.com