Worm Spreads Via Email With Variable Characteristics
April 21, 2004

Mydoom.J is a worm that spreads via e-mail in a message with variable characteristics, and through peer-to-peer (P2P) file sharing programs, according to Panda Software, which issued a low-level threat alert Wednesday.

In addition, Mydoom.J uses a Dynamic Link Library (DLL) that has already been used by Bugbear.B. It also opens the Windows Notepad (NOTEPAD.EXE) and displays junk data.

Technical information is at this Panda Software page.

Backdoor Trojan/Worm Sets IRC Channel to Remote Server

W32/Agobot-QF is an IRC backdoor Trojan and network worm that establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.

This worm will move itself into the Windows System32 folder under the filename EXPLORED.EXE and may create the following registry entries so that it can execute automatically on system restart:

  • Windows Login = explored.exe
  • Windows Login = explored.exe

W32/Agobot-QF will also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.

More information is at this Sophos page.

Worm Uses Internet to Exploit Vulnerability

W32/Blaster-G is a worm that uses the Internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service.

The worm will copy itself to the Windows system folder as eschlp.exe and create the file svchosthlp.exe in the same location.

W32/Blaster-G creates the following registry entries to ensure it is run at system logon:

  • Helper = \eschlp.exe /fstart
  • MSUpdate = \svchosthlp.exe
  • SPUpdate = \svchosthlp.exe

More information is at this Sophos page.

Worm Performs Several Destructive Functions

W32.Opasa@mm is a mass-mailing worm that:

  • Sends itself to the email addresses that it finds on an infected computer
  • Terminates processes and services, including various security programs
  • Attempts to connect to various IRC servers to wait for additional commands from an attacker.

The email contains a .zip attachment, and the Subject line varies.

Technical details are at this Symantec page.

Remote Access Trojan Installs Itself Into Directory

W32/Blaster.worm.k!backdoor is a remote access trojan that is dropped and executed by W32/Blaster.worm.k. Upon execution, the trojan installs itself into the %SYSDIR% directory as svchosthlp.exe (where %SYSDIR% is the Windows System directory, for example C:\WINDOWS\SYSTEM).

For example:

The following registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSUpdate" = %SYSDIR%\svchosthlp.exe

The following registry keys are also added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control "Sysuser"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control "Sysuser"

More information is at this McAfee page.
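The Agobot-QF, Blaster-G and Blaster.worm.k!backdoor alerts above all persist through autostart registry values with fixed value names and executables. The following is an added example, not code from this article or from any of the vendors cited, that scans a `reg export`-style .reg file for those specific value names and executables; the sample export is constructed, and the inclusion of RunServices alongside Run is an assumption.

```python
import re

# Autostart value names and executables named in the alerts above (Agobot-QF,
# Blaster-G, Blaster.worm.k!backdoor); matching is case-insensitive.
INDICATORS = {
    "windows login": "explored.exe",
    "helper": "eschlp.exe",
    "msupdate": "svchosthlp.exe",
    "spupdate": "svchosthlp.exe",
}
# Run is the key the alerts name; RunServices is assumed as a second autostart location.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def scan_reg_export(text):
    """Return [(key, value_name, data)] for autostart values that match an indicator."""
    hits = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        if not current_key.lower().endswith(RUN_KEYS):
            continue  # not an autostart key
        # .reg exports escape backslashes in string data; undo that before matching.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        expected = INDICATORS.get(name.lower())
        if expected and expected in data.lower():
            hits.append((current_key, name, data))
    return hits

# Constructed sample export (not a real capture): one benign value, three flagged.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login"="explored.exe"
"MSUpdate"="C:\\WINDOWS\\SYSTEM\\svchosthlp.exe"
"SecurityHealth"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Helper"="C:\\WINDOWS\\SYSTEM\\eschlp.exe /fstart"
'''
for key, name, data in scan_reg_export(SAMPLE):
    print(f"{key}: {name} = {data}")
```

On a live host the same function can be pointed at the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run out.reg`.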

Worm Drops Itself Into Systems Folder Using Random Names

Worm_Mimail.V is a memory-resident worm that drops a copy of itself in the Windows system folder under random names.

It drops the following files:

  • \XXXX.TXT--contains logs of running processes and dropped files of malware.
  • NBI.HTM--detected by Trend Micro as HTML_MOBA.A.

It creates registry entries to ensure its automatic execution at every Windows startup. This worm propagates through file-sharing applications, such as Kazaa, by dropping copies of itself under various names in the Kazaa shared folders. Note that it may use names that are related to security and antivirus companies.

This malware terminates running processes, most of which are related to security and antivirus applications.

It runs on Windows NT, 2000, and XP.

Technical details are at this Trend Micro page.

--Compiled by Esther Shein
