Name: I-WORM.Novarg.A
AKA:
Type: Internet Worm Backdoor
Size: 22,5 Kbyte
Platform: Win 95/98/ME/NT/2000/XP
Description:
This worm arrives as an email attachment of about 22.5KB with one of these file extensions: .EXE, .BAT, .CMD, .PIF, .SCR or .ZIP.
The infected message could have one of these subjects:
HI
HELLO
ERROR
TEST
Mail Delivery System
Mail Transaction Failed
Server Report
STATUS
and one of the following message bodies:
Body: The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
Body: Mail transaction failed. Partial message is available.
Body: The message contains Unicode characters and has been sent as a binary
attachment.
Body: test
Some messages could have a blank body, or a body made of random characters.
These are just some of the kinds of messages infected by Novarg.A.
The infected attachment could have one of these names:
body
document
readme
data
test
message
doc
text
file
If executed, Novarg creates the following files:
shimgapi.dll
taskmon.exe
TASKMON.EXE could be overwritten by the worm.
Novarg edits some registry keys to execute the above files at PC startup.
Shimgapi.dll is executed by replacing WEBCHECK.DLL's CLSID.
The Novarg worm activates a BACKDOOR component that listens on TCP ports 3127 and 3198.
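Added example (not part of the original description): a Python triage function that checks a raw email against the subject, attachment name and extension lists given above. The function names and sample messages are constructed for illustration, and letting the attachment match alone decide is an assumption.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator lists copied from the description above (compared case-insensitively).
SUBJECTS = {"hi", "hello", "error", "test", "mail delivery system",
            "mail transaction failed", "server report", "status"}
ATTACH_NAMES = {"body", "document", "readme", "data", "test",
                "message", "doc", "text", "file"}
ATTACH_EXTS = {".exe", ".bat", ".cmd", ".pif", ".scr", ".zip"}

def novarg_traits(raw: bytes) -> list[str]:
    """Return the Novarg.A traits found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        traits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        stem, ext = os.path.splitext(name)
        if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            traits.append("attachment:" + name)
    return traits

def is_suspect(raw: bytes) -> bool:
    # Assumption: subjects such as "hi" or "test" also occur in clean mail,
    # so only a matching attachment name + extension flags the message.
    return any(t.startswith("attachment:") for t in novarg_traits(raw))

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Mail Transaction Failed", "document.pif"),
                        ("xkqzv", "README.ZIP"),
                        ("Status", "report.pdf")]:
        raw = build_sample(subj, fname)
        print(subj, fname, novarg_traits(raw), is_suspect(raw))
```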
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.