Name: W32/Datom-A
Type: Win32 worm
Date: 10 July 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description

W32/Datom-A is a Win32 worm which uses Windows network shares to spread. The worm consists of three files: msvxd.exe, msvxd16.dll and msvxd32.dll. Msvxd.exe is the executable component of the worm, which loads the two DLL files.

W32/Datom-A enumerates network shares and attempts to copy itself onto remote machines. If the copying is successful the worm attempts to change the win.ini file so that the worm file msvxd.exe is run on Windows startup.

Analysis of this worm is continuing and more information will be available shortly.

More information about W32/Datom-A can be found at http://www.sophos.com/virusinfo/analyses/w32datoma.html
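An added example, not part of the Sophos advisory or of any post in this thread: a defensive check that looks for the two traces the advisory describes, a win.ini startup entry pointing at msvxd.exe and the three worm file names in a directory listing. It assumes the startup change uses the load= or run= entry in the [windows] section of win.ini (the advisory does not name the key); the function names and sample data are constructed for illustration.

```python
import ntpath

# File names from the advisory above.
WORM_FILES = {"msvxd.exe", "msvxd16.dll", "msvxd32.dll"}
# Assumption: the advisory does not name the win.ini key; load= and run= in
# the [windows] section are the entries Windows reads at startup.
STARTUP_KEYS = {"load", "run"}

def startup_entries(win_ini_text):
    """Return (key, program) pairs from load=/run= in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() in STARTUP_KEYS:
            # Several programs may be listed, separated by spaces or commas.
            for prog in value.replace(",", " ").split():
                entries.append((key.strip().lower(), prog.strip('"')))
    return entries

def datom_indicators(win_ini_text, dir_listing):
    """Report startup entries and files matching the advisory's file names."""
    hits = [(k, p) for k, p in startup_entries(win_ini_text)
            if ntpath.basename(p).lower() in WORM_FILES]
    files = sorted(n for n in dir_listing if n.lower() in WORM_FILES)
    return {"startup": hits, "files": files}

# Constructed sample input, not taken from an infected machine.
SAMPLE_INI = """; constructed sample
[windows]
load=
run=C:\\WINDOWS\\msvxd.exe
[Desktop]
run=msvxd.exe
"""
SAMPLE_DIR = ["NOTEPAD.EXE", "MSVXD.EXE", "msvxd16.dll", "win.ini"]

if __name__ == "__main__":
    print(datom_indicators(SAMPLE_INI, SAMPLE_DIR))
```

The parser splits startup values on whitespace, so a program path containing spaces is seen as several fragments; the file-name match still works on the last fragment.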
As always, thanks for that, Jan. You can't help but wonder why hordes of people keep insisting on opening suspicious attachments of this ilk...
Tony, Sad as it might be, 8 out of 10 average/common users are likely to open all attachments, reading HTML-based email etc. The net still is a highway open for everyone without a driving license - or even driving lessons... regards. paul
8 out of 10 eh? Incredible! One tends to forget that when one practically lives at boards like this one, the way wackos like ourselves do...
How very true! (although I would have preferred us not being wackos - which in fact we are...) regards. paul
Datom-A Worm disguised as MS Update
Informative description and free cleaning tool here: www.bitdefender.com/press/ref1107.php regards. paul
It actually does create havoc - fast, as it seems. Unfortunately, most people (still) are unaware of the fact that MSoft does not provide updates this way... regards, paul
Thanks for the heads up, guys! I think I'll post a notice about this one at my Home board. Cheers, Tony
I collect and analyze about 1,000,000 firewall events/day from my sensor network. I've been noticing an increase in NetBIOS scans over the last few weeks (see Graph). I'd say in about half the IPs I check out, file shares are wide open and Datom files exist in the /Windows dir. One I looked at today actually had Datom, AceBot and CIH (a very old and nasty virus)... I know the first two do open share propagation... wonder if there is a new CIH variant doing same. I have .exe and .dlls of each of these if anyone is interested.
Hi NetWatchMan, Welcome to the forum!!! Edit: oops, somehow the board-software places a * in your name
Welcome, Lawrence! Sure like your service. Interesting; we're unaware of a new CIH variant ITW. Very interested! Would you mind sending a (zipped) file to us? support@wilders.org Thanks in advance! regards. paul
Hi guys! Symantec has been issuing updates for this worm since July 8, 2002. They still dropped me an e-mail about it anyway. If you have NAV, just update.