This threat is proactively detected as W32/Mydoom.gen@MM with released DAT files.
This is a mass-mailing and peer-to-peer file-sharing worm. The virus arrives in an email message as follows:
From: (spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server claiming that you are infected, which may not be the case.
Subject: (varies, such as)
- Do not reply to this email
- Server Report
- Good Day
- Mail Transaction Failed
- (random characters)
Body: (varies, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- (Random gibberish)
- New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
The World Bank Group
© 2004 The World Bank Group, All Rights Reserved
- Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
© 2004 Networks Associates Technology, Inc. All Rights Reserved
- Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
- Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment file.
It's a real good choise to go to WORLDXXXPASS.COM
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr]; often arrives in a ZIP archive) (31kb)
- Examples (common names, but can be random):
In the case of two file extensions, multiple spaces may be inserted as well, for example:
- document.htm (many spaces) .pif
The file's icon is chosen to make the attachment look like a plain text file.
When this file is run (manually), it copies itself to the Windows System directory as %SysDir%\lsasrv.exe (where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM).
It creates the following registry entries to hook Windows startup:
- CurrentVersion\Run "lsass" = %SysDir%\lsasrv.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe %SysDir%\lsasrv.exe
The worm blocks access to security websites and updates by modifying the Windows HOSTS file (infected HOSTS files are proactively detected as the QHost.apd trojan with released DAT files).
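As an added defender-side example (not part of this advisory), the following Python checks for the three host indicators described above: a Winlogon "Shell" value that launches more than explorer.exe, the padded double-extension attachment name, and HOSTS entries that pin security-update domains to a loopback address. The HOSTS contents and the watch-list domains are constructed samples, not values from the advisory.

```python
import re
from typing import List, Optional

# Executable extensions the advisory lists for the attachment.
EXEC_EXTS = {".bat", ".exe", ".pif", ".cmd", ".scr"}

def winlogon_shell_tampered(shell_value: str) -> bool:
    """A clean Winlogon 'Shell' value is exactly 'explorer.exe'. The worm sets
    'explorer.exe %SysDir%\\lsasrv.exe', so any extra token means tampering."""
    tokens = [t.lower() for t in shell_value.strip().split()]
    return tokens != ["explorer.exe"]

def attachment_suspicious(filename: str) -> Optional[str]:
    """Return why an attachment name is suspect (executable extension, or the
    'document.htm <many spaces> .pif' padding trick), or None if it looks benign."""
    name = filename.strip().lower()
    # The real extension is whatever follows the last dot once padding is gone.
    m = re.search(r"(\.[a-z0-9]+)$", name)
    if not m or m.group(1) not in EXEC_EXTS:
        return None
    if re.search(r"\.[a-z0-9]+\s{2,}\.[a-z0-9]+$", name):
        return "double extension padded with spaces"
    return "executable extension " + m.group(1)

def hosts_blocked_domains(hosts_text: str, watch: List[str]) -> List[str]:
    """Domains from `watch` that the HOSTS file pins to a loopback or unroutable
    address, which is how the worm cuts the victim off from security updates."""
    blocked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip.startswith("127.") or ip == "0.0.0.0":
            blocked += [n.lower() for n in names if n.lower() in watch]
    return blocked

# Constructed sample input (not from the advisory).
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 update.example-av.test   # entry added by the worm
"""
WATCH = ["update.example-av.test", "www.example-av.test"]

if __name__ == "__main__":
    print(winlogon_shell_tampered(r"explorer.exe C:\WINDOWS\SYSTEM\lsasrv.exe"))
    print(attachment_suspicious("document.htm                .pif"))
    print(hosts_blocked_domains(SAMPLE_HOSTS, WATCH))
```

On a live system the Shell value comes from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the HOSTS file from the system directory; the functions take those contents as strings so they can also be run over collected artifacts.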
The worm attempts to contact remote sites to retrieve instructions, and also creates the following data files locally:
(this is simply a garbage text file that is displayed during execution)
Two remote sites contacted are as follows:
Peer To Peer Propagation
The worm copies itself to P2P shared directories (for example those used by LimeWire and eDonkey), such as: