TSA 04-001 - Win32.Mydoom@MM
Current Assessment: HOT
The worm arrives in an e-mail with a spoofed From: field and randomly chosen Subject: and Body: text. The attachment's file name and extension both vary, and the worm may arrive as an executable file bundled in a .zip archive. The extensions it uses are .exe, .pif, .cmd and .scr, and the file carries an icon that makes it look like a text file (the worm is also known as Worm/MyDoom).
When the worm executes, it copies itself to the %System% directory as the files taskmon.exe and shimgapi.exe. It also copies itself as the file C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr. The worm may also open Notepad, displaying random characters.
The worm adds the value TaskMon = "%System%\taskmon.exe" to the following registry key to ensure that it executes each time Windows starts:
The worm listens on port 3127/tcp, and may perform a distributed denial of service (DDoS) attack against "www.sco.com."
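The indicators listed above (the two files in %System%, the KaZaA share file, the TaskMon autostart value and the tcp/3127 listener) can be checked on a host with the script below. It is an added example and not part of the TruSecure advisory. Two things in it are assumptions: the registry location it reads, the Run keys under HKLM and HKCU, because the advisory's own key line is missing from this copy; and the C:\WINDOWS\system32 default in assess(), which stands in for whatever %System% resolves to on the host being examined.

```python
"""Host triage for the Win32.Mydoom@MM indicators in TSA 04-001.

Added example, not TruSecure's code. assess() is a pure function over
facts gathered elsewhere, so it can be exercised on any platform;
collect() gathers those facts on a live Windows host.
"""
import os
import socket
import sys

# Paths as written in the advisory; %System% is expanded per host.
INDICATOR_FILES = (
    r"%System%\taskmon.exe",
    r"%System%\shimgapi.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr",
)
RUN_VALUE_NAME = "TaskMon"
RUN_VALUE_DATA = r"%System%\taskmon.exe"
BACKDOOR_PORT = 3127
# Assumption: the advisory's key line is missing from this copy, so the
# standard Run keys under HKLM and HKCU are queried.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def expand_system(path, system_dir):
    """Replace the advisory's %System% placeholder with the real directory."""
    return path.replace("%System%", system_dir)


def assess(existing_files, run_values, listening_ports,
           system_dir=r"C:\WINDOWS\system32"):
    """Return the advisory indicators matched by the supplied facts.

    existing_files  -- absolute paths present on the host
    run_values      -- {value name: data} read from the Run keys
    listening_ports -- TCP ports with a local listener
    Comparisons are case-insensitive, as NTFS and the registry are.
    """
    present = {p.lower() for p in existing_files}
    hits = []
    for f in INDICATOR_FILES:
        full = expand_system(f, system_dir)
        if full.lower() in present:
            hits.append("file: " + full)
    data = run_values.get(RUN_VALUE_NAME, "").strip('"')
    if data.lower() == expand_system(RUN_VALUE_DATA, system_dir).lower():
        hits.append(f"autostart: {RUN_VALUE_NAME} = {data}")
    if BACKDOOR_PORT in set(listening_ports):
        hits.append(f"listener: tcp/{BACKDOOR_PORT}")
    return hits


def collect():
    """Gather the facts on a live Windows host and run assess() over them."""
    if sys.platform != "win32":
        raise RuntimeError("collect() needs Windows; feed assess() gathered facts instead")
    import winreg  # Windows-only module, imported late on purpose
    system_dir = os.path.join(os.environ["SystemRoot"], "system32")
    files = [p for p in (expand_system(f, system_dir) for f in INDICATOR_FILES)
             if os.path.isfile(p)]
    run_values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values in this key
                        break
                    run_values[name] = str(data)
                    index += 1
        except OSError:
            continue  # key absent in this hive
    # A successful loopback connect means something is listening on the port.
    with socket.socket() as sock:
        sock.settimeout(0.5)
        ports = [BACKDOOR_PORT] if sock.connect_ex(("127.0.0.1", BACKDOOR_PORT)) == 0 else []
    return assess(files, run_values, ports, system_dir)


if __name__ == "__main__":
    for hit in collect() or ["no TSA 04-001 indicators found"]:
        print(hit)
```

Run it as the local administrator so the HKLM key and %System% are readable; a hit on the listener alone is worth following up even if the files are gone, since the port check sees whatever is currently bound to 3127.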
Users are advised to block port 3127/tcp and to filter .exe, .pif, .cmd, .scr and .zip files. Blocking the port at the network perimeter limits remote use of the listener but does not remove the worm from a host that is already infected.
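The filtering advice above, together with the arrival pattern described at the top of the advisory, can be turned into a gateway check. The following is an added example, not part of the TruSecure advisory, and it goes one step beyond the advice in two ways: instead of dropping every .zip it opens the archive and holds it only when a member carries one of the executable extensions (the way the worm arrives bundled), and it also holds any attachment whose content starts with the PE "MZ" header regardless of its name. The messages it builds are constructed for the demonstration, not captured worm mail.

```python
"""Mail-gateway attachment filter for the TSA 04-001 advice.

Added example, not TruSecure's code. Attachments ending in .exe, .pif,
.cmd or .scr are held outright; .zip attachments are opened and held
only if a member has one of those extensions; anything that is a PE
executable by content is held whatever its name.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".cmd", ".scr")
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def is_executable_name(filename):
    """Case-insensitive extension check. The worm's text-file icon does not
    change the extension, so the suffix is the reliable signal here."""
    return filename.lower().endswith(EXECUTABLE_EXTENSIONS)


def blocked_zip_members(data):
    """Names inside a zip archive that carry a blocked extension.
    An unreadable archive is reported as a hit rather than passed through."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if is_executable_name(n)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def scan_message(raw):
    """Parse a raw message and return the reasons it should be held (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            reasons.append(f"attachment {name!r} has a blocked extension")
        elif name.lower().endswith(".zip") or payload.startswith(ZIP_MAGIC):
            members = blocked_zip_members(payload)
            if members:
                reasons.append(f"archive {name!r} contains {members}")
        elif payload[:2] == PE_MAGIC:
            reasons.append(f"attachment {name!r} is a PE executable despite its name")
    return reasons


def zip_with(member, content=b"MZ"):
    """Build an in-memory zip holding one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, content)
    return buf.getvalue()


def build_sample(filename, data, maintype="application", subtype="octet-stream"):
    """Construct a message with one attachment (constructed sample, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # the worm spoofs this; any value serves here
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "hi"
    msg.set_content("see attached")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "plain text": build_sample("readme.txt", b"hello", "text", "plain"),
        "bare .scr": build_sample("document.scr", b"MZ"),
        "zip of text": build_sample("report.zip", zip_with("notes.txt", b"x"), "application", "zip"),
        "zip of .exe": build_sample("document.zip", zip_with("document.exe"), "application", "zip"),
    }
    for label, raw in samples.items():
        print(f"{label:12s} -> {scan_message(raw) or 'deliver'}")
```

Hold rather than silently drop: a quarantine keeps the evidence and lets a legitimate archive be released by hand, which matters when the blanket .zip rule from the advisory would otherwise stop ordinary business mail.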
Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.
IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.