virus warning


Revised Information: See bottom of post for revision date/time information.

Win32.MMail.A continues its spread across the internet. Here's some further information.

Win32.MMail.A
Discovered January 26, 2004 at 6:06PM EST
Detected January 26, 2004 at 7:49PM EST
Added to referencefile 252 (01R252 27.01.2004)

Also Known As: W32.Novarg.A@mm, W32.Mydoom@MM, W32.Shimg, WORM_MIMAIL.R

Worm emails itself to datamined email addresses. The recipient will receive an email with various headings, including:

  • Hi
  • Hello
  • Error
  • MAIL DELIVERY SYSTEM
  • Mail Transaction Failed
  • Returned Mail: Response Error
  • Server Report
  • Test

An attachment (the worm) is included using the file extension .exe, .pif, .zip, and .scr. Filenames include body, document, file, message, test, and text.

Upon execution, it will drop taskmon.exe and shimgapi.dll in the %system% folder, and set taskmon.exe to autostart in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey.

This worm also performs denial of service attacks on several websites, which are dependent on the system time of the infected computer.

If you receive this email, do not open it. Immediately delete the email, download the latest referencefile (01R254 01.02.2004 at the last revision of this document) and perform a full system scan as shown by the settings here:

Lavasoft Help & Support
How To: Perform a "Full Scan" with Ad-aware
http://www.lavahelp.com/howto/fullscan/

Lavasoft Research & Development
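A host check for the indicators the post above names (taskmon.exe and shimgapi.dll in the system folder, and a Run value that starts taskmon.exe), as an added example that is not part of the original post and is not Lavasoft's code. The function names and the sample Run data are constructed for illustration.

```powershell
# Indicators named in the post: the two dropped files, the system folder, the Run subkey.
$RunKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$Dropped = 'taskmon.exe', 'shimgapi.dll'
$SysDir  = [Environment]::SystemDirectory

function Test-MMailRunData {
    # True when Run value data starts taskmon.exe from the system folder.
    # Data with no folder part also matches, since it resolves via the search path.
    param([string]$Data, [string]$SystemDir = $SysDir)
    $text = [Environment]::ExpandEnvironmentVariables($Data).Trim()
    if ($text -match '^"([^"]+)"') {
        $exe = $Matches[1]                      # quoted path, arguments may follow
    } elseif ($text -match '^(.+?\.exe)(\s|$)') {
        $exe = $Matches[1]                      # unquoted path up to the first ".exe"
    } else {
        $exe = $text
    }
    $leaf = ($exe -split '[\\/]')[-1]
    if ($leaf -ne 'taskmon.exe') { return $false }
    $dir = $exe.Substring(0, $exe.Length - $leaf.Length).TrimEnd('\', '/')
    return (-not $dir) -or ($dir -eq $SystemDir.TrimEnd('\'))
}

function Get-MMailIndicator {
    # Check the live system: dropped files first, then autostart values.
    param([string]$SystemDir = $SysDir, [string]$Key = $RunKey)
    foreach ($name in $Dropped) {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Item = $path }
        }
    }
    $run = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($v in $run.GetValueNames()) {
            $data = [string]$run.GetValue($v)
            if (Test-MMailRunData -Data $data -SystemDir $SystemDir) {
                [pscustomobject]@{ Type = 'RunValue'; Item = "$v = $data" }
            }
        }
    }
}

# Constructed sample Run data (not from a real host) showing which shapes match.
$samples = 'C:\WINDOWS\system32\taskmon.exe', '"C:\Program Files\App\app.exe" /tray', 'C:\WINDOWS\taskmon.exe'
foreach ($s in $samples) { '{0,-42} {1}' -f $s, (Test-MMailRunData $s 'C:\WINDOWS\system32') }

Get-MMailIndicator | Format-Table -AutoSize
```

Any row returned by `Get-MMailIndicator` is a reason to run the full scan the post recommends; an empty result only means these specific indicators are absent.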

