27/01/2004

Novarg (MyDoom)


New backdoor worm that arrives as a 22.5 KB email attachment.

Name: I-WORM.Novarg.A

AKA: MyDoom

Type: Internet Worm Backdoor

Size: 22.5 KB

Platform: Win 95/98/ME/NT/2000/XP 

Description:

This worm arrives as an email attachment of about 22.5 KB with one of the file extensions .EXE, .BAT, .CMD, .PIF, .SCR or .ZIP.
The infected message may have one of these subjects:

    HI
    HELLO
    ERROR
    TEST
    Mail Delivery System 
    Mail Transaction Failed 
    Server Report 
    STATUS


and one of the following message bodies:

    Body: The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    Body: Mail transaction failed. Partial message is available.
    Body: The message contains Unicode characters and has been sent as a binary attachment.
    Body: test

Some messages may have a blank body or a body made of random characters.
These are only some of the message forms used by Novarg.A.

The infected attachment may have one of these names:

    body
    document 
    readme 
    data 
    test 
    message 
    doc 
    text 
    file 



If executed, Novarg creates the following files:

    shimgapi.dll
    taskmon.exe 


An existing TASKMON.EXE may be overwritten by the worm.
Novarg edits several registry keys so that the files above are executed at PC startup.
Shimgapi.dll is loaded by replacing the CLSID of WEBCHECK.DLL.
The worm activates a backdoor component that listens on TCP ports 3127 and 3198.
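The message traits listed above (subjects, attachment names, extensions and size) can be turned into a simple mail-gateway triage check. The following is an added example, not code from the TG Soft advisory; the size window and the test messages are constructed assumptions.

```python
# Added example, not from the TG Soft advisory: a mail-gateway triage check that
# counts how many of the Novarg.A traits listed above a message exhibits.
import email
import os
from email import policy
from email.message import EmailMessage

SUBJECTS = {"hi", "hello", "error", "test", "mail delivery system",
            "mail transaction failed", "server report", "status"}
NAMES = {"body", "document", "readme", "data", "test",
         "message", "doc", "text", "file"}
EXTS = {".exe", ".bat", ".cmd", ".pif", ".scr", ".zip"}
SIZE_RANGE = (20_000, 25_000)  # assumption: "about 22.5 KB" with some slack

def novarg_indicators(raw: bytes) -> dict:
    """Return which Novarg.A traits a raw RFC 822 message shows, plus a score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip().lower()
    hits = {"subject": subject in SUBJECTS, "attachment_name": False,
            "attachment_ext": False, "attachment_size": False}
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        payload = part.get_payload(decode=True) or b""   # decoded attachment bytes
        hits["attachment_name"] |= stem in NAMES
        hits["attachment_ext"] |= ext in EXTS
        hits["attachment_size"] |= SIZE_RANGE[0] <= len(payload) <= SIZE_RANGE[1]
    hits["score"] = sum(1 for v in hits.values() if v)
    return hits

def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message with a zero-filled attachment (no real malware)."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(novarg_indicators(build_sample("Mail Transaction Failed", "message.pif", 22_500)))
    print(novarg_indicators(build_sample("Quarterly report", "report.pdf", 1_000)))
```

A score of 4 means every listed trait matched; a real gateway would quarantine such messages and alert on outbound connections to the backdoor ports named above.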
Any information published on our site may be reused and republished on other websites, blogs, forums, Facebook and in any other form, in print or electronic, as long as the source is always cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which the text, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment is appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
