Win32.Nodoom.A

Discussion in 'malware problems & news' started by Marianna, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; B.C. Canada)

    Alias: I-Worm.Nodoom (Kaspersky)
    Category: Win32
    Type: Worm
    Published Date: 2/16/2004
    Last Modified: 2/16/2004

    CHARACTERISTICS
    Win32.Nodoom.A is a worm spreading via e-mail. The worm has been distributed as a 5,568-byte, FSG-compressed, Win32 executable.

    Method of Installation
    When the worm is executed, it copies itself to the System directory as ctsls.exe and modifies the registry in order to execute at the next system re-start:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctsls = "%System%\ctsls.exe"

    Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

    Also, the worm creates the file Ynit.tmp in the System folder, which is a 7,618-byte, Base-64 encoded copy of the worm.

    Nodoom.A creates the mutex: "Ctsls-1x8-MutextTIp" to make sure there is only one copy of the worm running at any given time.

    The worm has been designed to run in January and February only.

    Method of Distribution
    Via E-mail
    The worm carries its own SMTP engine and does not rely on any particular e-mail client.

    In order to find target e-mail addresses, Nodoom.A searches files with the following extensions:

    .DBX
    .EML
    .HTM
    .HTML
    .MBX
    .MMF
    .NCH
    .OCS
    .TBB
    .TXT

    E-mail sent by the worm has the following characteristics:

    Possible Subject lines:

    Happy Birthday
    I can't recall what happened but..
    I don't understand..
    Is this the Smallest C++ MassMailero_O
    **** happens...
    SoBig SoSmall
    Virus Alert: W32.Nodoom.A@mm

    Possible attachment names:

    antiserum_1.exe
    file.txt .exe
    documents.exe
    myfiles.exe
    screensaver.scr
    patch.exe
    pics.pif
    weird.jpg .zip.exe

    Possible message body texts:

    Here are the files you asked for,
    cheers

    please explain me this attachment, it confused me..

    SoSmall, SoCold, SoNice, SoGood, SoWarm..

    Can you recall what happened at the party last friday?
    I'm having serious problems, i really should stop smoking!
    Maybe the picture files attached will explain it to you...

    MessageLabs are the first to report of the new Nodoom Internet Worm
    Please install the patch attached in this email to prevent outbreaks

    Is this what where all about?

    Nodoom.A also spoofs the 'From' address.

    Please see below for examples of e-mail generated by the worm:


    http://www3.ca.com/virusinfo/showimage.aspx?caid=38306&name=nodooma_email1.gif

    http://www3.ca.com/virusinfo/showimage.aspx?caid=38306&name=nodooma_email2.gif

    http://www3.ca.com/virusinfo/showimage.aspx?caid=38306&name=nodooma_email3.gif

    http://www3.ca.com/virusinfo/showimage.aspx?caid=38306&name=nodooma_email4.gif

    http://www3.ca.com/virusinfo/showimage.aspx?caid=38306&name=nodooma_email5.gif

    Analysis by Jakub Kaminski
    http://www3.ca.com/virusinfo/virus.aspx?ID=38306
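The description above gives two sizes: a 5,568-byte executable and a 7,618-byte Base-64 copy (Ynit.tmp) in the System folder. Those figures are consistent with a pre-encoded MIME attachment body for the worm's own SMTP engine. The Python below is an added example, not code from the CA write-up or from Marianna's post; it works out which line-wrapping convention turns 5,568 bytes into exactly 7,618 bytes and shows how an analyst would confirm that a dropped .tmp file decodes to the dropped executable. The RFC 2045 convention (76-character lines, CRLF) is the assumption being tested, the candidate list of line lengths is my choice, and SAMPLE_EXE is constructed filler of the right size, not a real sample.

```python
"""Check that a Base-64 "copy" of a dropped executable is what it claims to be.

Added example for the Win32.Nodoom.A write-up. Assumptions (not from the page):
the encoding follows RFC 2045 (76-char lines, CRLF separators), and the sample
bytes below are constructed filler, not the worm.
"""
import base64
import binascii

# Sizes reported in the CA description.
WORM_EXE_SIZE = 5568   # FSG-compressed Win32 executable
YNIT_TMP_SIZE = 7618   # %System%\Ynit.tmp, Base-64 encoded copy

# Constructed stand-in for the dropped executable: a PE-style "MZ" prefix
# followed by repeating bytes, cut to exactly WORM_EXE_SIZE bytes.
SAMPLE_EXE = (b"MZ" + bytes(range(256)) * 22)[:WORM_EXE_SIZE]


def mime_base64_size(payload_len, line_len=76, eol=b"\r\n", trailing_eol=False):
    """Size in bytes of payload_len bytes after Base-64 encoding with line wrapping.

    Base-64 emits 4 output chars per 3 input bytes (padding included); the
    encoded text is then split into line_len-character lines joined by eol.
    trailing_eol controls whether the final line also ends with eol.
    """
    encoded = 4 * ((payload_len + 2) // 3)
    if line_len <= 0 or encoded == 0:
        return encoded
    lines = (encoded + line_len - 1) // line_len
    separators = lines if trailing_eol else lines - 1
    return encoded + separators * len(eol)


def encode_mime_base64(data, line_len=76, eol=b"\r\n", trailing_eol=False):
    """Base-64 encode data and wrap it the way a MIME body part would be."""
    raw = base64.b64encode(data)
    lines = [raw[i:i + line_len] for i in range(0, len(raw), line_len)]
    out = eol.join(lines)
    if trailing_eol and lines:
        out += eol
    return out


def is_encoded_copy(encoded_blob, executable):
    """True if encoded_blob (any line wrapping) decodes to exactly executable.

    b64decode() with validate=False drops the CR/LF characters before
    decoding, so wrapped and unwrapped blobs are handled alike.
    """
    try:
        return base64.b64decode(encoded_blob) == executable
    except (binascii.Error, ValueError):
        return False


def matching_line_conventions(payload_len, encoded_len):
    """List the (line_len, eol, trailing_eol) conventions that explain encoded_len.

    Candidate line lengths are the common ones for Base-64 text; this is an
    assumption of the example, not something the write-up states.
    """
    matches = []
    for line_len in (64, 72, 76):
        for eol_name, eol in (("LF", b"\n"), ("CRLF", b"\r\n")):
            for trailing in (False, True):
                if mime_base64_size(payload_len, line_len, eol, trailing) == encoded_len:
                    matches.append((line_len, eol_name, trailing))
    return matches


if __name__ == "__main__":
    print("conventions matching 5568 -> 7618 bytes:",
          matching_line_conventions(WORM_EXE_SIZE, YNIT_TMP_SIZE))
    blob = encode_mime_base64(SAMPLE_EXE)
    print("encoded sample size:", len(blob))
    print("decodes back to the executable:", is_encoded_copy(blob, SAMPLE_EXE))
```

Only one convention fits: 76-character lines separated by CRLF with no line break after the last line (7,424 Base-64 characters plus 97 separators). In practice an analyst would feed the real Ynit.tmp and ctsls.exe to is_encoded_copy() to confirm the .tmp file is the mailer's ready-made attachment rather than a second payload.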