ovi
Guest
Also known as: I-Worm.MyDoom.gen ; Win32.HLLM.MyDoom.based
This is an executable backdoor worm and mass mailer. Size: 37,888 bytes (UPX packed) for the worm executable and 8,192 bytes for its DLL. Discovered and detected on 03.09.2004 by BitDefender.
Symptoms:
- Presence of the following files in the %SYSTEM% folder:
tasker.exe (37,888 bytes)
Nemog.dll (8,192 bytes)
- Presence of the following registry value pointing to the above file:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Task"="%SYSTEM%\tasker.exe"
and also
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
"(Default)" = "%SYSTEM%\Nemog.dll"
- Presence in memory of a process "tasker"
where
%WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to the "System" folder on Windows 9x systems and to the "System32" folder
on WinNT systems.
Also, when the virus is run, it opens a file of junk data in Notepad.
Technical description:
It arrives by e-mail in the following format:
From: spoofed; usually appears to come from an @msn.com, @yahoo.com or @hotmail.com address
Subject: (one of the following lines)
RE:my .....
RE:test
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Msg
Information
Body: (one of the following lines)
This is a multi-part message in MIME format.
Mail transaction failed. Partial message is available.
sorry we can't send the mail try later , check the attachment for more information.
error , sorry we can't send the email so check the attachment.
hello check the attachment thx.
hello.
!!!!!!!!!!!, check the attachment!!!.
Try Later, Check the Attachment.
failed to send the email!, check the attachment for more information.
check.
check the attachment to get the lastest news.
come back my friend.
loooooool ))
hello
failed,check the attachment for more information.
error, check the attachment for more information.
error to send the mail!!!!!.
you can check the attachment for more information.
(Norton ANti Virus,Panda,Mcafee No Virusses Found).
the attachment for more information.
here is what you need,thx.
your attachment , thx.
Check the attachment for more information!.
(Norton Anti Virus : No Virusses Found , Check The Attachment For More Information.
test
Attachment:
filename may be one of:
body
message
test
data
file
text
doc
readme
document
extension may be one of:
bat, cmd, exe, scr, pif or zip
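As an added example (not part of the original post), the following Python flags incoming mail that matches the lure format just described: subject from the list above, a lure phrase in the body, and an attachment whose name and extension both come from the lists. The triage and build_sample functions and the sample messages are constructed for this example; only the subject, filename and extension lists are taken from the description.

```python
# Added example (not from the original post): a mail-gateway triage rule that
# flags messages matching the lure format described above. The subject,
# filename and extension lists come from the description; the sample
# messages built by build_sample() are constructed.
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {"re:my .....", "re:test", "status", "server report",
            "mail transaction failed", "mail delivery system",
            "hello", "hi", "msg", "information"}
ATTACH_NAMES = {"body", "message", "test", "data", "file", "text",
                "doc", "readme", "document"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
BODY_HINTS = ("check the attachment", "mail transaction failed",
              "no virusses found", "can't send the mail")


def build_sample(subject: str, body: str, attach_name: str = "") -> bytes:
    """Constructed test message in the same shape as the lure."""
    m = EmailMessage()
    m["From"] = "someone@hotmail.com"   # the worm spoofs this header
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"\x00\x01junk", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def triage(raw: bytes) -> dict:
    """Return {'verdict': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject matches lure list: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(h in text for h in BODY_HINTS):
        reasons.append("body uses a known lure phrase")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            reasons.append(f"attachment name/extension match: {name}")
    # The subject and body lines alone are ordinary bounce text, so the
    # attachment match is required before the message is flagged.
    hit = any(r.startswith("attachment") for r in reasons) and len(reasons) >= 2
    return {"verdict": hit, "reasons": reasons}
```

A genuine delivery-failure notice without a matching attachment is therefore left alone, which is the false-positive case a gateway rule built only on the subject lines would hit.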
Once the virus is run, it does the following:
1. Creates the mutex "EnD-Of-SkyNet" so that only one instance runs at a time.
2. Creates a new thread that writes a file named Message (approx. 4 KB) containing binary junk to the TEMP folder and opens it in Notepad. When Notepad is closed, the thread ends and the file Message is deleted.
3. Creates in %SYSTEM% the file Nemog.dll and registers it to [HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
4. Creates a copy of the virus in %SYSTEM% folder as tasker.exe
5. Creates the registry value
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Task"="%SYSTEM%\tasker.exe"
so that the virus is run at startup
6. Checks whether the computer is connected to the internet by polling www.microsoft.com approximately every half minute
7. Retrieves the Kazaa download folder and creates copies of the virus there, constructing the filename from:
XXX Pictures, XXX Videos, xbox emulator, ps2 emulator, Hotmail hacker, yahoo hacker, klez, SoBig, mydoom, netsky, Vahos, Upload, crack, Winzip, kazz, Wenrar, mirc, cleaner, SeX, Vaho, Fixtool
and extensions:
bat, pif, scr, exe
8. Starts harvesting e-mail addresses from files with the extensions:
wab, pl, adb, tbb, dbx, asp, php, sht, htm
and also from the default WAB (Windows Address Book) file
9. Uses its own SMTP engine to send itself, using the previously described format, but avoids sending to e-mail addresses containing:
syma, icrosof, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo.
unix, math, bsd, mit.e, gnu, fsf., ibm.com, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, acketst, pgp, tanford.e, utgers.ed, mozilla
root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page
icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun
avp, abuse, secur, spam, www, spm
10. Has backdoor capabilities: Nemog.dll opens port 5422 and listens for commands.
11. May open an HTTP proxy on port 80.
Removal instructions:
Manual removal:
open Task Manager by pressing CTRL+ALT+DEL or CTRL+SHIFT+ESC, select tasker.exe and click [End Process]
delete tasker.exe and Nemog.dll from the %SYSTEM% folder
open Registry Editor (Start, Run, and enter: Regedit)
remove the following value and key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Task]
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]