Tuesday, 25 January 2005
W32.Mydoom.AM@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. It also propagates through popular peer-to-peer networks. The email will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
W32.Mydoom.AM@mm is a minor variant of W32.Mydoom.AG@mm.
Variants: W32.Mydoom.AG@mm
Type: Worm
Infection Length: 32,768 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Mydoom.AM@mm is executed, it does the following:
Creates the following files:
%System%\lsasrv.exe
%System%\version.ini
[path of execution]\hserv.sys
Adds the value:
"lsass" = "%System%\lsasrv.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Modifies the value:
"Shell" = "explorer.exe %System%\lsasrv.exe"
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
so the worm is executed when Windows starts.
Creates the file Mes#wtelw.txt in the c:\Windows\Temp folder. The file contains only garbage data; the worm opens it in Notepad, so garbage text is displayed.
Gathers email addresses from the Windows address book and from files with the following extensions:
.wab
.pl
.adb
.tbb
.dbx
.asp
.php
.sht
.htm
.txt
The worm will not send itself to email addresses containing any of the following strings:
accoun
certific
listserv
ntivi
support
icrosoft
admin
page
the.bat
gold-certs
feste
submit
not
help
service
privacy
somebody
soft
contact
site
rating
bugs
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
hotmail
msn.
icrosof
syma
avp
.edu
abuse
www
fcnz
spm
Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From: (one of the following names)
Joseph
Ronald
Hannah
Kimberly
Maria
George
Charles
Len
Cissi
Sandra
Jennifer
Hans
Richard
Lee
Emily
Helen
Elizabeth
Donald
David
Harris
Nicholas
Betty
Barbara
Mark
William
Martin
Ethan
Karen
Linda
Paul
Michael
Edward
Cynthia
Nancy
Patricia
Daniel
Robert
Olivia
Angela
Dorothy
Kevin
Christopher
John
Josefine
Melissa
Susan
Anthony
Thomas
James
Followed by any number of random last names and one of the following domains:
compuserve.com
juno.com
earthlink.net
yahoo.co.uk
hotmail.com
yahoo.com
msn.com
aol.com
Subject: (one of the following)
Attention!!!
Do not reply to this email
Error
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Attachment name: (one of the following)
body
message
docs
data
file
rules
doc
readme
document
With one of the following extensions:
.bat
.cmd
.exe
.pif
.scr
.zip
Message body: (one of the following)
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment file.
Its a real good choise to go to WORLDXXXPASS.COM
Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. Its about two million people infected and it will be more.
To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
c 2004 Networks Associates Technology, Inc. All Rights Reserved
New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
Thank you,
The World Bank Group
c 2004 The World Bank Group, All Rights Reserved
Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
Copies itself into the shared folders of Kazaa, Morpheus, iMesh, eDonkey, or LimeWire under one of the following names, with a .bat, .pif, .scr, or .exe extension:
porno
NeroBROM6.3.1.27
avpprokey
Ad-awareref01R349
winxp_patch
adultpasswds
dcom_patches
K-LiteCodecPack2.34a
activation_crack
icq2004-final
winamp5
Attempts to disable the following processes, which include processes associated with firewall and anti-virus applications:
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
taskmon.exe
wincfg32.exe
outpost.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
Appends the following lines to the file %System%\drivers\etc\hosts, so that the listed anti-virus vendor domains resolve to the local host and cannot be reached:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
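The two host-side changes described above, the program appended to the Winlogon "Shell" value and the hosts-file lines that point anti-virus vendor domains at 127.0.0.1, can both be checked offline from a captured registry value and a copy of the hosts file. The following is an added example, not part of the Symantec writeup; the vendor domain list is taken from the hosts lines above, the sample hosts content is constructed, and the ::1 and 0.0.0.0 sinkhole addresses are an assumed generalization beyond the 127.0.0.1 the worm uses.

```python
"""Triage helpers for two Mydoom.AM indicators: programs chained into the
Winlogon "Shell" value, and hosts lines that sink AV vendor domains."""
# Registrable vendor domains taken from the hosts lines in the writeup.
AV_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "grisoft.com",
}
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}  # worm uses 127.0.0.1 only

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs mapping a vendor domain, or a subdomain
    of one, to a sinkhole address. Comments and blank lines are skipped;
    one line may name several hosts."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            labels = name.lower().rstrip(".").split(".")
            # Walk the suffixes: www.symantec.com -> symantec.com
            suffixes = (".".join(labels[i:]) for i in range(len(labels) - 1))
            if any(s in AV_DOMAINS for s in suffixes):
                hits.append((ip, name.lower()))
    return hits

def winlogon_shell_extras(shell_value):
    """Winlogon's Shell value is normally just 'explorer.exe'; return any
    program chained after it (Mydoom.AM appends lsasrv.exe)."""
    parts = shell_value.replace(",", " ").split()
    return [p for p in parts if p.lower() != "explorer.exe"]

# Constructed sample: two benign lines, then lines of the kind the worm appends.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.10 fileserver.corp.example  # internal share
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.symantec.com updates.symantec.com
"""
if __name__ == "__main__":
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts hijack: {host} -> {ip}")
    print(winlogon_shell_extras("explorer.exe %System%\\lsasrv.exe"))
```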