W32/Datom-A

Discussion in 'malware problems & news' started by FanJ, Jul 10, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Datom-A
    Type: Win32 worm
    Date: 10 July 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description
    W32/Datom-A is a Win32 worm which uses Windows network shares to spread. The worm consists of three files: msvxd.exe, msvxd16.dll and msvxd32.dll. Msvxd.exe is the executable component of the worm, which loads the two DLL files.

    W32/Datom-A enumerates network shares and attempts to copy itself onto remote machines. If the copying is successful the worm attempts to change the win.ini file so that the worm file msvxd.exe is run on Windows startup.

    Analysis of this worm is continuing and more information will be available shortly.

    More information about W32/Datom-A can be found at
    http://www.sophos.com/virusinfo/analyses/w32datoma.html
     
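    The advisory above describes two host-side artefacts a defender can look for: the three worm files in the Windows directory and a win.ini startup entry that launches msvxd.exe. The script below is an added example written for this thread, not Sophos or NAV code; it assumes the worm uses the `run=` or `load=` key of the `[windows]` section (the advisory does not say which), and the sample win.ini is constructed.

```python
import re

# File names given in the Sophos advisory
DATOM_FILES = ("msvxd.exe", "msvxd16.dll", "msvxd32.dll")

# [windows] keys that start programs at boot (assumption: the advisory
# only says win.ini is changed so msvxd.exe runs on startup)
STARTUP_KEYS = ("run", "load")


def parse_ini(text):
    """Minimal win.ini parser -> {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def datom_startup_entries(win_ini_text):
    """Return (key, value) pairs under [windows] whose value names msvxd.exe.
    run=/load= may list several programs separated by spaces or commas."""
    hits = []
    windows = parse_ini(win_ini_text).get("windows", {})
    for key in STARTUP_KEYS:
        value = windows.get(key, "")
        for prog in re.split(r"[\s,]+", value):
            if prog.strip('"').lower().endswith("msvxd.exe"):
                hits.append((key, value))
                break
    return hits


def datom_files_present(listing):
    """Given file names from the Windows directory, return the worm's names found."""
    names = {n.lower() for n in listing}
    return [f for f in DATOM_FILES if f in names]


# Constructed sample win.ini, not a real capture
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\msvxd.exe\nNullPort=None\n\n[fonts]\n"

if __name__ == "__main__":
    print(datom_startup_entries(SAMPLE_WIN_INI))
    print(datom_files_present(["MSVXD.EXE", "msvxd16.dll", "notepad.exe"]))
```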
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    As always, thanks for that, Jan.

    You can't help but wonder why hordes of people keep insisting on opening suspicious attachments of this ilk... :rolleyes:
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Tony,

    Sad as it might be, 8 out of 10 average/common users are likely to open all attachments, reading HTML-based email etc. :rolleyes:. The net still is a highway open for everyone without a driving license - or even driving lessons...

    regards.

    paul
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    8 out of 10 eh? :eek:

    Incredible!

    One tends to forget that when one practically lives at boards like this one, the way wackos like ourselves do... :D
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    How very true! (although I would have preferred us not being wackos - which in fact we are.. :D)

    regards.

    paul
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Wow! That's fast.

    Reading the description, it does seem this one could create major havoc, though.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    It actually does create havoc - fast, as it seems. Unfortunately, most people (still) are unaware of the fact that MSoft does not provide updates this way..

    regards,

    paul
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Thanks for the heads up, guys!

    I think I'll post a notice about this one at my Home board.

    Cheers, Tony
     
  10. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    I collect and analyze about 1,000,000 firewall events/day from my sensor network. I've been noticing an increase in Netbios scans over the last few weeks (see Graph).

    I'd say in about half the IPs I check out file shares are wide open and Datom files exist in the /Windows dir.

    One I looked at today actually had Datom, AceBot and CIH (a very old and nasty virus)...I know the first two do open share propagation...wonder if there is a new CIH variant doing same.

    I have .exe and .dlls of each of these if anyone is interested.
     

  11. FanJ

    FanJ Guest

    Hi NetWatchMan,

    Welcome to the forum!!!

    Edit: oops, somehow the board-software places a * in your name :)
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Welcome, Lawrence!

    Sure like your service.

    Interesting; we're unaware of a new CIH variant ITW.

    Very interested! Would you mind sending a (zipped) file to us? support@wilders.org Thanks in advance!

    regards.

    paul
     
  13. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Darn...I accidentally let NAV clean it and the host I got it from is no longer there...next time.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No prob; better next time indeed ;)

    regards.

    paul
     
  15. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi guys! Symantec has been issuing updates for this worm since July 8, 2002. They still dropped me an e-mail about it anyway. If you have NAV, just update.
     