Summary
| Summary | Details |
|---|---|
| How it spreads | Email messages, peer-to-peer file sharing |
| Affected operating systems | Windows |
| Characteristics | Modifies the Hosts file, installs itself in the registry, drops files |
| Protection available since | 9 February 2005 13:31:45 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Replace the Hosts file from a known-good backup, or open it in Notepad and remove the lines the worm added (the redirected sites are listed under More Information). On Windows NT/2000/XP/2003 the file is %SystemRoot%\system32\drivers\etc\hosts; on Windows 95/98/Me it is %windir%\hosts. A clean file normally contains little more than the line mapping 127.0.0.1 to localhost, so any line naming an anti-virus vendor's site is the worm's.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, make a backup. On the 'Registry' menu (the 'File' menu in the Windows XP/2003 version of Regedit), click 'Export Registry File'. In the 'Export range' panel, click 'All', then save the export as Backup.
Locate the HKEY_LOCAL_MACHINE key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value
lsass = <system>\lsasrv.exe
if it exists. Note that lsass.exe is a legitimate Windows process and lsasrv.dll a legitimate system DLL; the worm's file is the look-alike lsasrv.exe, and only that file and the Run value pointing at it should be removed.
Locate the value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
It should contain a reference to explorer.exe only (or possibly NALWIN32.exe if you are using the NetWare client). Remove the reference to <system>\lsasrv.exe and to any other file you deleted; Windows starts every program listed in this value at logon, so a leftover entry would run the worm again. If the value has been emptied or removed, set it back to explorer.exe, otherwise no desktop will start at the next logon.
Close the registry editor.
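The two registry checks above can be verified against the export made in the backup step rather than by eye. The following script is an added example, not Sophos code: it parses the text of a Regedit export (.reg), reports the worm's lsass value under the Run key, and works out what the Winlogon Shell value should be reduced to. The export text in the script is constructed, and the path C:\WINDOWS\system32 is an assumption standing in for <system>.

```python
"""Check a Regedit export for the W32/MyDoom-AQ persistence entries.

Added example, not Sophos code. SAMPLE_EXPORT is constructed; the path
C:\\WINDOWS\\system32 stands in for the Windows system folder.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The only legitimate programs in the Shell value: explorer.exe, or
# NALWIN32.exe on machines running the NetWare client.
LEGIT_SHELLS = {"explorer.exe", "nalwin32.exe"}

# Matches "name"="value" lines; .reg files double backslashes and escape quotes.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: string}} for the REG_SZ values.

    Binary and DWORD values (hex:, dword:) are skipped; this check only needs strings.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys


def clean_shell(shell):
    """Strip everything but the legitimate shell from a Winlogon Shell value.

    Winlogon starts every program listed (separated by commas or spaces), so the
    worm's appended lsasrv.exe must go. If nothing legitimate remains, fall back
    to explorer.exe so the desktop still starts at the next logon.
    """
    kept = []
    for tok in re.split(r"[,\s]+", shell.strip()):
        if tok and tok.lower().rsplit("\\", 1)[-1] in LEGIT_SHELLS:
            kept.append(tok)
    return " ".join(kept) if kept else "explorer.exe"


def audit(export_text):
    """Report the worm's Run value and the corrected Shell value, if present."""
    keys = parse_reg_export(export_text)
    run = keys.get(RUN_KEY.lower(), {})
    winlogon = keys.get(WINLOGON_KEY.lower(), {})
    report = {"run_lsass": None, "shell": None, "shell_cleaned": None}
    # The worm names its Run value after the legitimate lsass.exe process but
    # points it at lsasrv.exe, a look-alike of the genuine lsasrv.dll.
    lsass = run.get("lsass")
    if lsass is not None and lsass.lower().endswith("lsasrv.exe"):
        report["run_lsass"] = lsass
    if "shell" in winlogon:
        report["shell"] = winlogon["shell"]
        report["shell_cleaned"] = clean_shell(winlogon["shell"])
    return report


# Constructed export, in the form Regedit's 'Export Registry File' writes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lsass"="C:\\WINDOWS\\system32\\lsasrv.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\lsasrv.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for k, v in audit(SAMPLE_EXPORT).items():
        print(f"{k}: {v}")
```

Run it against the Backup.reg you exported; a clean machine gives run_lsass None and a shell_cleaned value identical to shell. A Shell value that was emptied rather than appended to is handled too: clean_shell falls back to explorer.exe, which is the state the removal notes ask you to restore by hand.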
More Information

W32/MyDoom-AQ is a mass-mailing worm that can also spread using popular peer-to-peer networking applications. It harvests email addresses from the infected computer and sends an email to these addresses, attempts to copy itself to the shared folders of popular peer-to-peer applications, and opens the Notepad application to display what appears to be garbage.
W32/MyDoom-AQ copies itself to the Windows system folder with the filename lsasrv.exe and sets the following registry entries so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lsass = <system>\lsasrv.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Shell = explorer.exe <system>\lsasrv.exe
W32/MyDoom-AQ harvests email addresses from the infected computer and sends an email to these addresses with the following characteristics:
Subject lines:
Attention!!!
Do not reply to this email
Error
Good Day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Attachment names (one of the following, with one of the extensions exe, scr, pif, cmd, bat or zip):
body
data
doc
document
files
message
readme
readme
rules
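The subject and attachment lists above are enough to write a gateway rule for this worm's messages. The following script is an added example, not Sophos code: it matches a message against the listed subjects, attachment names and extensions, and for a .zip attachment also inspects the archive's member names for an executable. Judging the zip by its contents is a general gateway practice added here; the page does not describe what the archive carries. The sample messages and archives are constructed.

```python
"""Mail-gateway rule for the W32/MyDoom-AQ message profile.

Added example, not Sophos code. SUBJECTS, NAMES and the extensions are the
lists from the page. Inspecting a .zip attachment for the executable it
carries is a general gateway practice added here. Samples are constructed.
"""
import io
import os
import zipfile

SUBJECTS = {
    "attention!!!", "do not reply to this email", "error", "good day", "hello",
    "mail delivery system", "mail transaction failed", "server report", "status",
}
NAMES = {"body", "data", "doc", "document", "files", "message", "readme", "rules"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".cmd", ".bat"}


def _stem_ext(filename):
    """Lower-cased (stem, ext) of the attachment's base name.

    Both path separators are stripped so a client-supplied path cannot hide the
    name, and only the last extension counts, matching what Windows would run.
    """
    base = filename.strip().lower().replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(base)


def matches_profile(subject, filename):
    """True if subject and attachment name both come from the worm's lists."""
    stem, ext = _stem_ext(filename)
    return (subject.strip().lower() in SUBJECTS
            and stem in NAMES
            and ext in EXECUTABLE_EXTS | {".zip"})


def archive_executables(data):
    """Names of executable members in a zip, or None if the archive is unreadable.

    Member names are stored in clear even in password-protected zips, so this
    works without extracting anything.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return [n for n in names if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTS]


def classify(subject, filename, data=b""):
    """Return (verdict, reason) for one attachment of one message.

    pass        - does not fit the profile
    quarantine  - fits the profile with a directly executable attachment,
                  or a zip that carries one
    review      - fits the profile by name but the zip holds no executable
                  or cannot be read; a human should look
    """
    if not matches_profile(subject, filename):
        return ("pass", "")
    _, ext = _stem_ext(filename)
    if ext != ".zip":
        return ("quarantine", f"executable attachment {filename}")
    inner = archive_executables(data)
    if inner is None:
        return ("review", "profile match, archive unreadable")
    if inner:
        return ("quarantine", "archive carries " + ", ".join(inner))
    return ("review", "profile match, no executable in archive")


def build_zip(members):
    """Constructed in-memory zip for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a stand-in MZ header, not real worm code.
WORM_ZIP = build_zip({"readme.exe": b"MZ" + bytes(62)})
BENIGN_ZIP = build_zip({"readme.txt": b"constructed sample text"})

if __name__ == "__main__":
    for subj, name, data in [
        ("Mail Delivery System", "message.scr", b""),
        ("Status", "readme.zip", WORM_ZIP),
        ("Status", "readme.zip", BENIGN_ZIP),
        ("hello", "photo.jpg", b""),
    ]:
        print(subj, name, classify(subj, name, data))
```

The rule deliberately requires both the subject and the attachment name to match, so ordinary bounce messages with a "Mail Delivery System" subject and no executable pass through. Matching is case-insensitive because the worm's own lists mix cases ("hello", "Error") and mail clients may change the case of attachment names.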
W32/MyDoom-AQ will attempt to copy itself to the shared folders of the following popular peer-to-peer applications:
Edonkey2000
KaZaa
LimeWire
Morpheus
The Hosts file is modified to disable access to the following sites, which are anti-virus vendors' download, update and support servers, so that the installed anti-virus product can no longer fetch updates:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
grisoft.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
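The site list above is what a Hosts file clean-up should key on, rather than deleting every line that points at a loopback address. The following script is an added example, not Sophos code: it flags every mapping of a listed site in a Hosts file and produces a cleaned copy that keeps comments and any legitimate entries, including a legitimate hostname that shares a line with one of the worm's. Matching any subdomain of the listed names is a generalisation made here (it covers the www. forms), and the sample file, including the 0.0.0.0 address it uses, is constructed; the code flags a listed site whatever address it is mapped to.

```python
"""Find and remove the W32/MyDoom-AQ redirections in a Windows Hosts file.

Added example, not Sophos code. BLOCKED_SITES is the list from the page;
matching any subdomain of those names is a generalisation made here.
SAMPLE_HOSTS is constructed, and the 0.0.0.0 address in it is an assumption
(a listed site is flagged whatever address it is mapped to).
"""

BLOCKED_SITES = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "grisoft.com", "kaspersky.com",
    "kaspersky-labs.com", "liveupdate.symantec.com",
    "liveupdate.symantecliveupdate.com", "mast.mcafee.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "rads.mcafee.com",
    "secure.nai.com", "securityresponse.symantec.com", "sophos.com",
    "symantec.com", "trendmicro.com", "update.symantec.com",
    "updates.symantec.com", "us.mcafee.com", "viruslist.com",
}
# The page also lists the www. form of many of these; the subdomain rule in
# is_blocked_site() covers them, so they are not repeated here.


def is_blocked_site(hostname):
    """True if hostname is one of the redirected sites or lies under one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in BLOCKED_SITES)


def audit_hosts(text):
    """Return (cleaned_text, flagged).

    flagged is a list of (line_number, hostname, address) for every mapping of
    a listed site. cleaned_text keeps comments, blank lines and every mapping
    that does not involve a listed site, so the localhost line and legitimate
    local entries survive.
    """
    cleaned, flagged = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, hash_sign, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:            # blank or comment-only line
            cleaned.append(raw)
            continue
        addr, names = fields[0], fields[1:]
        keep = []
        for name in names:
            if is_blocked_site(name):
                flagged.append((lineno, name, addr))
            else:
                keep.append(name)
        if keep == names:
            cleaned.append(raw)        # untouched line, original spacing kept
        elif keep:
            line = f"{addr}\t{' '.join(keep)}"
            cleaned.append(line + (f"\t#{comment}" if hash_sign else ""))
        # a line whose every hostname was the worm's is dropped entirely
    return "\n".join(cleaned) + ("\n" if text.endswith("\n") else ""), flagged


# Constructed Hosts file: Microsoft's header and localhost line, a legitimate
# local entry, and the kind of lines the worm adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.168.1.20    fileserver          # constructed local entry, must survive
0.0.0.0 www.sophos.com
0.0.0.0 sophos.com liveupdate.symantec.com
0.0.0.0 update.symantec.com intranet.example.com   # mixed line: keep the local name
"""

if __name__ == "__main__":
    text, hits = audit_hosts(SAMPLE_HOSTS)
    for lineno, name, addr in hits:
        print(f"line {lineno}: {name} -> {addr}")
    print("--- cleaned ---")
    print(text, end="")
```

Write the cleaned text back over the Hosts file only after reviewing the flagged list; an entry for a vendor site placed there deliberately by an administrator would be removed along with the worm's.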
W32/MyDoom-AQ will open up the notepad application to display what will appear to be garbage.
The non-malicious files hserv.sys and version.ini will be created in the Windows system folder.
