Alias: W32/Novarg.B@mm
Type: Worm
Size: 29,184 bytes
Origin: Russia
Date: 01-28-2004
Damage: Spreads itself by email and over the P2P network KaZaA, starts a DoS attack, backdoor routine
VDF Version: 6.23.00.51
Danger: Low
Distribution: Medium

General Description
Worm/MyDoom.B spreads itself by email or over the P2P network KaZaA. The worm creates a file named "CTFMON.DLL" in the Windows system directory. This file contains a backdoor component which enables potential attackers to take over the computer. Worm/MyDoom.B starts the DoS attack on the SCO.COM and Microsoft.com web sites on February 1st.

Symptoms
* ctfmon.dll can be found in the Windows system directory.

Distribution
* Sends itself by email, using its own SMTP engine;
* Spreads over the P2P network KaZaA through shared directories.

Technical Details
When the worm is active, it creates the following files:
* \%WinDIR%\%SystemDIR%\ctfmon.dll (6,144 bytes)
* \%WinDIR%\%SystemDIR%\Exlplorer.exe

If a file with the name Taskmon.exe can be found, the worm overwrites it. The file SHIMGAPI.DLL is loaded by EXPLORER.EXE. The following registry entry is modified as shown below:

* [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,****,00,00
@="C:\\WINDOWS\\System32\\ctfmon.dll"

Also, the following registry entry is made, so that the worm can be activated on the next system start:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"Explorer"="C:\\%WinDIR%\\%SystemDIR%\\explorer.exe"

The worm copies itself into the download directory of the P2P program KaZaA under the following names:
* NessusScan_pro.scr
* attackXP-1.26.scr
* winamp5.scr
* MS04-01_hotfix.scr
* zapSetup_40_148.scr
* BlackIce_Firewall_Enterpriseactivation_crack.scr
* xsharez_scanner.scr
* icq2004-final.scr
* MS04-01_hotfix.scr

For email spreading, Worm/MyDoom.B searches the local workstation for email addresses in all files having the following extensions:
* .htm
* .sht
* .wab
* .txt
* .php
* .asp
* .dbx
* .tbb
* .adb
* .pl

The worm has its own SMTP engine, which allows it to send emails without an email client (for example Outlook). A Worm/MyDoom.B email can take several different forms.

Subject:
* Error
* hello
* hi
* Mail Delivery System
* Mail Transaction Failed
* test
* Server Report
* Status

Body:
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* sendmail daemon reported:
* Error #804 occured during SMTP session. Partial message has been received.
* The message contains Unicode characters and has been sent as a binary attachment.
* The message contains MIME-encoded graphics and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.

Attachment:
* <random words>.bat
* <random words>.exe
* <random words>.pif
* <random words>.cmd
* <random words>.scr

The worm contains a backdoor component, placed in CTFMON.DLL. With the help of this component, potential attackers can take control of the infected computer.

Worm/MyDoom.B overwrites %SystemDIR%\Drivers\etc\hosts to block access to the following hosts (mostly security vendors and Windows Update):
* ad.doubleclick.net
* ad.fastclick.net
* ads.fastclick.net
* ar.atwola.com
* atdmt.com
* avp.ch
* avp.com
* avp.ru
* awaps.net
* banner.fastclick.net
* banners.fastclick.net
* ca.com
* click.atdmt.com
* clicks.atdmt.com
* dispatch.mcafee.com
* download.mcafee.com
* download.microsoft.com
* downloads.microsoft.com
* engine.awaps.net
* fastclick.net
* f-secure.com
* ftp.f-secure.com
* ftp.sophos.com
* go.microsoft.com
* liveupdate.symantec.com
* mast.mcafee.com
* mcafee.com
* media.fastclick.net
* msdn.microsoft.com
* my-etrust.com
* nai.com
* networkassociates.com
* office.microsoft.com
* phx.corporate-ir.net
* secure.nai.com
* securityresponse.symantec.com
* service1.symantec.com
* sophos.com
* spd.atdmt.com
* support.microsoft.com
* symantec.com
* update.symantec.com
* updates.symantec.com
* us.mcafee.com
* vil.nai.com
* viruslist.ru
* windowsupdate.microsoft.com
* www.avp.ch
* www.avp.com
* www.avp.ru
* www.awaps.net
* www.ca.com
* www.fastclick.net
* www.f-secure.com
* www.kaspersky.ru
* www.mcafee.com
* www.microsoft.com
* www.my-etrust.com
* www.nai.com
* www.networkassociates.com
* www.sophos.com
* www.symantec.com
* www.trendmicro.com
* www.viruslist.ru
* www3.ca.com
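An added example, not part of the Avira description: a Python check that parses a Windows hosts file and reports any of the security-vendor hostnames listed above that have been pinned to a static address, which is the visible trace of the hosts-file overwrite described. The hostname subset, the sample hosts content and the function names are constructed for this example.

```python
# Added example (not part of the Avira description): audit a Windows hosts
# file for security-vendor hostnames that Worm/MyDoom.B pins to a fixed IP.
from typing import Dict, List, Tuple

# Subset of the hostnames listed in the description above (assumption: a
# real audit would load the full list).
MYDOOM_B_BLOCKED_HOSTS = {
    "avp.com", "www.avp.com", "ca.com", "www.ca.com", "f-secure.com",
    "www.f-secure.com", "liveupdate.symantec.com", "mcafee.com",
    "www.mcafee.com", "securityresponse.symantec.com", "sophos.com",
    "www.sophos.com", "symantec.com", "www.symantec.com",
    "update.symantec.com", "windowsupdate.microsoft.com",
    "www.microsoft.com", "www.trendmicro.com", "viruslist.ru",
}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in a hosts file.
    Comments (#) and blank lines are skipped; one line may map a single IP
    to several hostnames, so each hostname becomes its own entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def find_hijacked(text: str, watchlist=MYDOOM_B_BLOCKED_HOSTS) -> Dict[str, Tuple[str, int]]:
    """Map each watchlisted hostname found in the hosts file to the
    (ip, line_no) it is pinned to. Any static mapping for these hosts is
    suspicious: a clean system resolves them through DNS."""
    hits: Dict[str, Tuple[str, int]] = {}
    for ip, name, line_no in parse_hosts(text):
        if name in watchlist:
            hits[name] = (ip, line_no)
    return hits


# Constructed sample hosts file: default localhost line plus worm-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0   www.symantec.com  liveupdate.symantec.com   # pinned entries
0.0.0.0 windowsupdate.microsoft.com
127.0.0.1 WWW.MCAFEE.COM
192.0.2.10 intranet.example   # unrelated, legitimate entry
"""

if __name__ == "__main__":
    for host, (ip, ln) in sorted(find_hijacked(SAMPLE_HOSTS).items()):
        print(f"line {ln}: {host} pinned to {ip}")
```

The same parser can be pointed at a live %SystemDIR%\Drivers\etc\hosts; anything it reports for these hosts should be removed during cleanup, since the blocked hosts prevent signature and Windows updates.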

Worm/MyDoom.B starts a DoS (Denial-of-Service) attack on February 1st. Every second, it sends a request to the main sites of SCO.COM and Microsoft.com.

Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:
* \%WinDIR%\%SystemDIR%\ctfmon.dll
* \%WinDIR%\%SystemDIR%\Exlplorer.exe
* \%My Shared Folder%\NessusScan_pro.scr
* \%My Shared Folder%\attackXP-1.26.scr
* \%My Shared Folder%\winamp5.scr
* \%My Shared Folder%\MS04-01_hotfix.scr
* \%My Shared Folder%\zapSetup_40_148.scr
* \%My Shared Folder%\BlackIce_Firewall_Enterpriseactivation_crack.scr
* \%My Shared Folder%\xsharez_scanner.scr
* \%My Shared Folder%\icq2004-final.scr
* \%My Shared Folder%\MS04-01_hotfix.scr

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"Explorer"="C:\\%WinDIR%\\%SystemDIR%\\explorer.exe"

* [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-
00AA005127ED}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,****,00,00
@="C:\\WINDOWS\\System32\\ctfmon.dll"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* \%WinDIR%\%SystemDIR%\ctfmon.dll
* \%WinDIR%\%SystemDIR%\Exlplorer.exe
* \%My Shared Folder%\NessusScan_pro.scr
* \%My Shared Folder%\attackXP-1.26.scr
* \%My Shared Folder%\winamp5.scr
* \%My Shared Folder%\MS04-01_hotfix.scr
* \%My Shared Folder%\zapSetup_40_148.scr
* \%My Shared Folder%\BlackIce_Firewall_Enterpriseactivation_crack.scr
* \%My Shared Folder%\xsharez_scanner.scr
* \%My Shared Folder%\icq2004-final.scr
* \%My Shared Folder%\MS04-01_hotfix.scr

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"Explorer"="C:\\%WinDIR%\\%SystemDIR%\\explorer.exe"

* [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-
00AA005127ED}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,****,00,00
@="C:\\WINDOWS\\System32\\ctfmon.dll"

Restart your computer.
Description added by Crony Walker on Tuesday, 15 June 2004
