Mydoom.a worm

Discussion in 'NOD32 version 2 Forum' started by Blackspear, Jan 26, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This appears to be a brand spanking new worm, picked up today.

    It comes through showing an attachment; however, there is no attachment. It drops itself into memory; NOD detects it upon a scan only and cannot delete it. It deletes AFTER rebooting.

    Cheers :D
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You might want to check out the link about the worm, Mydoom:

    http://www.wilderssecurity.com/showthread.php?t=20465
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for that. I have seen a major slowdown on the internet today; maybe that is the cause...

    :D
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    That is a definite possibility; some of these new malware put a good load on the internet when they first come out.
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    NOD has detected it since the 1.608 update.
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Does NOD32 detect this worm with advanced heuristics?

    izi
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yes, it did with us, and now (as of a few hours ago) it detects it within its virus definitions database.

    Cheers :D
     
  8. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Nod saved me last night from this one as well :)
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    In the virus description it doesn't appear that NOD is able to detect it using AH.
     
  10. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    My best friend nailed it with the heuristics last night. He got the definitions update about 30 min later. :eek:
     
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Here are the response speeds of some AVs:
    TrendMicro, on 26/01/2004 at 23:52:29, as WORM_MIMAIL.R
    NOD32, on 27/01/2004 at 00:55:43, as Win32/Mydoom.A
    Antigen, on 27/01/2004 at 01:39:51, as MyDoom.A@mm
    Norton, on 27/01/2004 at 01:50:13, as W32.Novarg.A@mm
    Kaspersky, on 27/01/2004 at 02:08:53, as I-Worm.Novarg
    Sophos, on 27/01/2004 at 02:09:19, as Win32/MyDoom-A
    InoculateIT, on 27/01/2004 at 02:28:42, as Win32.Shimg.Worm
    Panda, on 27/01/2004 at 05:39:04, as W32/Mydoom.A.worm
    McAfee, on 27/01/2004 at 05:57:49, as W32/Mydoom@MM
    Source: Hispasec (Spanish)
    I hope that you understood the Spanish parts.
     
  12. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Does NOD32 detect Win32/Mydoom.A and Win32/Dumaru.Y with advanced heuristics?

    Answer: Only Dumaru.Y
     
  13. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    I am afraid the answer Dumaru.Y is wrong. Due to the nature of the intentionally damaged zip archive (wrong global headers, correct local headers), the worm has not been picked up by AH in my opinion. Maybe you noticed, archive support has been updated on the 26th.... Hope this has been fixed now....
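A way to catch the kind of archive inconsistency mrtwolman describes, as an added example that is not part of this thread or of ESET's code: it parses the ZIP local file headers itself, reads the central directory ("global headers") through Python's zipfile module, and reports every field on which the two views disagree, so a gateway can quarantine the archive instead of trusting either view alone. The sample archive is constructed inside the block; the tampering it applies (inverting one entry's CRC in the central directory only) is an assumed stand-in for the damaged global headers mentioned above.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"

def walk_local_headers(data: bytes) -> dict:
    """Parse every local file header directly; return {offset: (name, crc, csize, usize)}."""
    entries, pos = {}, 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0 and pos + 30 <= len(data):
        # layout: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        crc, csize, usize, nlen, xlen = struct.unpack_from("<IIIHH", data, pos + 14)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries[pos] = (name, crc, csize, usize)
        pos += 30 + nlen + xlen + csize  # skip the payload; csize==0 (data descriptor) just rescans
    return entries

def find_header_mismatches(data: bytes) -> list:
    """Compare the central directory (what a scanner may trust) with the local headers
    (what extraction actually uses). Returns findings; an empty list means the views agree."""
    local, findings, seen = walk_local_headers(data), [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile reads only the central directory here
        for info in zf.infolist():
            seen.add(info.header_offset)
            lh = local.get(info.header_offset)
            if lh is None:
                findings.append(f"central entry {info.filename!r} points at no local header")
                continue
            central = (info.filename, info.CRC, info.compress_size, info.file_size)
            for field, c, l in zip(("name", "crc", "csize", "usize"), central, lh):
                if c != l:
                    findings.append(f"{info.filename!r}: {field} central={c!r} local={l!r}")
    for off, (name, _, _, _) in local.items():
        if off not in seen:
            findings.append(f"local header {name!r} at offset {off} is absent from central directory")
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed test input: a one-file archive, optionally with the central-directory CRC inverted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.txt", "constructed sample text, not a worm\n" * 4)
    data = bytearray(buf.getvalue())
    if tamper:  # the CRC field sits at offset 16 of the central-directory header
        c = data.find(CENTRAL_SIG)
        data[c + 16:c + 20] = bytes(b ^ 0xFF for b in data[c + 16:c + 20])
    return bytes(data)
```

Running `find_header_mismatches(build_sample(True))` reports the CRC disagreement for `document.txt`, while the untampered archive yields no findings.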
     
  14. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    This was the answer of Eset support. I think that they know.

    izi
     