W32/Noomy-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 19 Dec 2007 08:35:52 (GMT)
Last Updated: 19 Dec 2007 08:35:52 (GMT)


W32/Noomy-A is a mass-mailing worm that attempts to send itself to email addresses harvested from DBX, HTM, HTML and PHP files on the infected host. When first executed, W32/Noomy-A displays the fake error message "CRC error: 5418#223 Close file" and continues running in the background. W32/Noomy-A attempts to send email through the Winsock interface; if the required mswinsck.ocx is not found, it attempts to download the file from a predefined location on the internet.

The email sent uses a forged sender address and one of the following subject lines (<random> denotes a variable token):

Re: eCard Delivery Error: <random>
Re: VoiceMail to <random>
- Delivery Error You`ve got 1 new eCard!
bad request server not found!
One new VoiceMail! ID: <random>
One new eCard! ID: <random>
New eCard in your inbox!
You got one VoiceMail! See online!
Num: <random> One new eCard from <random>
Num: <random> One new voicemail from <random>
Mail Delivery (error <random> )
Re: Message Error! mail: <random>
Bad Request Server not found!
Re: <random> Mail System Error - Returned Mail
Extended mail system error: <random>
Re: Mail Delivery Error!
Protected Mail Server invalid!
Re: Mail Delivery: <random> - Error
Re: mail error num: <random>
<random> - Returned mail: see transcript for details
Warning!!!
Why you SPAM?
Last notice!
Re: <random> Regard ! Please read...
This is not OK !
Don't spam!!!!!
Question about YOUR SPAM!!
Information!You spam this email:
Last chance!STOP SPAM THIS EMAIL:

W32/Noomy-A copies itself to %WINDOWS%\Sysconf32.exe and, under various filenames, to the folder %WINDOWS%\Systembck.

In order to run automatically when Windows starts up, W32/Noomy-A creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows HTML file reader = %WINDOWS%\Sysconf32.exe

W32/Noomy-A can also spread by sending spam messages via email or IRC that instruct users to download files from its backdoor HTML server. This server serves files from the %WINDOWS%\Systembck folder, in which every file is a copy of W32/Noomy-A.

A specific URL on the backdoor HTML server allows an intruder to log on and view various aspects of the host. There is also an option to remove *.sys files from the root folder, which will prevent the system from booting. The intruder is also able to install new malware on the system.

W32/Noomy-A may drop a batch file, pingme.bat, in the root folder. This file attempts an ICMP denial-of-service flood against the www.Microsoft.com, www.sophos.com and www.kaspersky.com websites.

The worm keeps a copy of the harvested email addresses in %WINDOWS%\emls.tmp.

The following two files are also created in the root folder:

ReAd_ThiS_ShiT.txt
StpLogs.vbs
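As an added example (not part of the Sophos description, and not the worm's own code), the following Python turns the subject-line templates listed above and the host artifacts named in this description (the Run value name, Sysconf32.exe, the Systembck folder and the dropped files) into simple detection checks a mail gateway or host-inspection script could apply; the sample subjects, Run entries and paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Subject templates quoted in the description; "<random>" marks the variable token.
SUBJECT_TEMPLATES = [
    "Re: eCard Delivery Error: <random>",
    "Re: VoiceMail to <random>",
    "One new VoiceMail! ID: <random>",
    "Num: <random> One new eCard from <random>",
    "Mail Delivery (error <random> )",
    "<random> - Returned mail: see transcript for details",
    "Bad Request Server not found!",
    "Why you SPAM?",
]

# Host artifacts from the description: Run value name, copy location, dropped files.
RUN_VALUE_NAME = "windows html file reader"
COPY_NAME = "sysconf32.exe"
DROP_FOLDER = "systembck"
DROPPED_NAMES = {COPY_NAME, "emls.tmp", "pingme.bat", "read_this_shit.txt", "stplogs.vbs"}


def template_to_regex(template):
    """Escape the literal text and replace each <random> with a wildcard, anchored at both ends."""
    parts = [re.escape(p) for p in template.split("<random>")]
    return re.compile("^" + ".+?".join(parts) + "$", re.IGNORECASE)


COMPILED = [(t, template_to_regex(t)) for t in SUBJECT_TEMPLATES]


def match_subject(subject):
    """Return the template a mail subject matches, or None if it matches none."""
    subject = subject.strip()
    return next((t for t, pattern in COMPILED if pattern.match(subject)), None)


def check_run_entries(run_entries):
    """run_entries: {value_name: command} read from the Run key. Returns suspicious value names."""
    return [name for name, command in run_entries.items()
            if name.lower() == RUN_VALUE_NAME
            or PureWindowsPath(command).name.lower() == COPY_NAME]


def check_paths(paths):
    """Flag paths whose file name or any parent folder matches the worm's known drop locations."""
    flagged = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() in DROPPED_NAMES or DROP_FOLDER in (part.lower() for part in p.parts):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":  # constructed sample input, not captured from a real host
    print(match_subject("Num: 77 One new eCard from alice"))
    print(check_run_entries({"Windows HTML file reader": r"C:\WINDOWS\Sysconf32.exe", "Updater": r"C:\Tools\upd.exe"}))
    print(check_paths([r"C:\WINDOWS\Systembck\photo.exe", r"C:\pingme.bat", r"C:\WINDOWS\notepad.exe"]))
```

The subject matcher requires at least one character where the template has <random>, so a bare "Re: VoiceMail to " does not match; loosen this only if your gateway strips trailing tokens.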
