| VID | 24071 |
| Severity | 40 |
| Port | 3127 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
The Windows system appears to be infected by the 'W32.MyDoom' worm (also known as Novarg and Mimail.R, see the references below). 'W32.MyDoom' spreads over email and the Kazaa P2P network. When executed, the worm opens Windows Notepad with garbage data in it. Its emails use variable subjects, bodies and attachment names. The worm also performs a DDoS attack against SCO.COM. It copies itself to the Windows system folder as 'taskmon.exe' and adds an entry to the registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "TaskMon" = %sysdir%\taskmon.exe
or, if that fails:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "TaskMon" = %sysdir%\taskmon.exe
The worm also opens a backdoor on the infected computer. It drops a new SHIMGAPI.DLL into the system32 directory and has it loaded into the EXPLORER.EXE process. SHIMGAPI.DLL tries TCP ports 3127 through 3198 in order and listens on the first one it can bind, so the backdoor may be on any port in that range, not only on 3127 (the port this check matched). One of the capabilities this backdoor offers is to receive an additional executable and run it on the already infected machine, so an infected host may carry further malware that is not part of the worm itself.
* References:
http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://vil.nai.com/vil/content/v_100983.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://www.europe.f-secure.com/v-descs/novarg.shtml
http://info.ahnlab.com/smart2u/virus_detail_1298.html
* Platforms Affected: Microsoft Windows, any version |
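The match on port 3127 only shows that something accepted a connection on the backdoor's default port; since SHIMGAPI.DLL takes the first free port in 3127-3198, a practitioner verifying the finding would check the whole range, both from the network and on the suspect host. The following is an added example and is not code from the original entry or from any vendor tool. It assumes the port range given in the description, and the host-side check assumes it is fed the text output of `netstat -ano -p tcp` from the Windows machine; the netstat sample embedded below is constructed, not a real capture.

```python
"""Verify the W32.MyDoom backdoor port range (3127-3198) remotely and on the host.

Added example, not part of the original advisory. Assumptions: the backdoor
listens on the first free TCP port in 3127-3198 as the description states,
and the host-side check is run over `netstat -ano -p tcp` output.
"""
import socket
import sys
from typing import Dict, Iterable, List

# 3127..3198 inclusive, the range given in the description.
MYDOOM_PORTS = range(3127, 3199)


def scan_backdoor_ports(host: str, ports: Iterable[int] = MYDOOM_PORTS,
                        timeout: float = 0.5) -> List[int]:
    """Return the ports in `ports` on which `host` completes a TCP handshake.

    A plain full-connect check: nothing is sent after the handshake, so this
    only confirms that a listener exists; it does not speak to the backdoor.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the connect succeeded
                open_ports.append(port)
    return open_ports


def listeners_from_netstat(netstat_output: str,
                           ports: Iterable[int] = MYDOOM_PORTS) -> Dict[int, int]:
    """Map local port -> owning PID for TCP sockets in LISTENING state whose
    port falls inside `ports`, parsed from `netstat -ano` text."""
    wanted = set(ports)
    found: Dict[int, int] = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows have exactly: Proto, Local Address, Foreign Address, State, PID
        if len(fields) != 5 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        _addr, _, port_text = fields[1].rpartition(":")  # works for [::]:port too
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in wanted:
            found[port] = int(fields[4])
    return found


# Constructed sample of `netstat -ano -p tcp` output (not a real capture).
# The listener sits on 3128, as it would if 3127 was already taken.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.20:1043      192.168.1.1:80         ESTABLISHED     2280
"""

if __name__ == "__main__":
    print("local listeners in the MyDoom range:", listeners_from_netstat(SAMPLE_NETSTAT))
    if len(sys.argv) > 1:  # optional: python mydoom_check.py <host>
        print("remote listeners in the MyDoom range:", scan_backdoor_ports(sys.argv[1]))
```

The PID returned by the host-side check is the process to inspect (the description says the DLL runs inside EXPLORER.EXE, so an explorer.exe PID owning a listener in this range is the expected signature). A remote hit on one port and none on the others is consistent with the "first free port" behaviour; an empty remote result does not clear the host if a firewall sits in between, which is why both checks are shown.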
| Recommendation |
Remove the worm from the infected computer with an anti-virus program. If you do not have an anti-virus program installed, download and install one of these virus scanners: Norton AntiVirus: http://www.symantec.com/downloads/ McAfee VirusScan: http://download.mcafee.com/default.asp Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/
After cleaning, confirm that the "TaskMon" Run entry and %sysdir%\taskmon.exe and SHIMGAPI.DLL are gone and that nothing still listens on TCP ports 3127 through 3198. Because the backdoor can receive and run arbitrary executables, also check the host for any additional programs installed through it. |
| Related URL (CVE) | |
| Related URL (SecurityFocus) | |
| Related URL (ISS) | 14958 |