Summary

| Included in our products from | April 2004 (3.80) |
|---|---|
| Protection available since | 8 March 2004 04:04:40 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Delete the files mslogs32.dll, zmndpgwf.kxx, yfjq.yqwm and Humgly.lkur if they exist.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
<random name> = <SYSTEM>\<random file> %1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random name>\<random name> = <SYSTEM>\<random file>
and delete them if they exist. The data of each value names the worm's own copy in the Windows system folder (see More Information), so note that file name before deleting the value.
Close the registry editor.
More Information
W32/Roca-A is a worm that arrives in an email with the following characteristics:
Subject line: Microsoft Alert: Please Read!
Message text:
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.
Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++ 2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19
OR
Subject line: Microsoft Alarm: Bitte Lesen! (German: "Microsoft Alert: Please Read!")
Message text (German, as sent; English translation follows):
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet. Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen. Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner! Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!
+++ 2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
Translation:
New virus variant W32.Mydoom is spreading fast.
A new Mydoom variant is currently spreading extremely fast across the Internet. Like its predecessors, the worm mails itself from infected Windows machines to further addresses. It also installs a dangerous Trojan on infected systems! Please update your system with the patch to protect yourself against this pest!
+++ 2004 Microsoft Corporation. All rights reserved.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
The attachment name is one of the following keywords followed by a random number with either an EXE or ZIP extension:
Patch
MS-Security
MS-UD
UpDate
sys-patch
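The subject lines and attachment naming rule above can be turned directly into a mail-gateway check. The following is an added example and not Sophos code: the subject strings and the keyword/number/extension pattern come from this description, while the sample message (sender address, boundary and the base64 placeholder in place of the worm) is constructed.

```python
"""Match the mail-borne indicators of W32/Roca-A against a parsed message.

Added example, not Sophos code. Subject lines and attachment name patterns
come from the description above; the message below is constructed sample
data whose attachment is a harmless base64 placeholder, not the worm.
"""
import re
from email import message_from_bytes, policy

SUBJECTS = {"Microsoft Alert: Please Read!", "Microsoft Alarm: Bitte Lesen!"}

# Keyword, random number, EXE or ZIP extension, as described above.
ATTACHMENT_NAME = re.compile(
    r"^(Patch|MS-Security|MS-UD|UpDate|sys-patch)\d+\.(exe|zip)$", re.IGNORECASE)


def roca_indicators(raw: bytes) -> dict:
    """Return which indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    matching = [n for n in names if ATTACHMENT_NAME.match(n)]
    return {
        "subject_match": subject in SUBJECTS,
        "attachment_names": names,
        "matching_attachments": matching,
        # Both the lure and the payload name must match to call it Roca-A.
        "match": subject in SUBJECTS and bool(matching),
    }


# Constructed sample message; the sender address is made up.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: user@example.com
Subject: Microsoft Alert: Please Read!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="roca-example"

--roca-example
Content-Type: text/plain; charset="us-ascii"

New MyDoom Virus Variant Detected!
Please download this digitally signed attachment.
--roca-example
Content-Type: application/octet-stream; name="Patch7261.exe"
Content-Disposition: attachment; filename="Patch7261.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--roca-example--
"""

if __name__ == "__main__":
    print(roca_indicators(SAMPLE_MESSAGE))
```

Requiring both the subject and the attachment name keeps the check from firing on every genuine discussion of MyDoom; a message that matches only one of the two is worth logging but not quarantining on this rule alone.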
W32/Roca-A copies itself to the Windows system folder under a file name formed by combining one or more of the following words, with an EXE extension: sys, host, dir, explorer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
and sets the following registry entries to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
<random name> = <SYSTEM>\<random file> %1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random name>\<random name> = <SYSTEM>\<random file>
where <random file> is the name of the copy of the worm and <random name> is generated using the same word list.
W32/Roca-A will also create the following files in the Windows system folder:
- Humgly.lkur
- mslogs32.dll - a list of email addresses found on the system
- temp32x.data - a base64 encoded copy of the worm
- wintmpx33.dat - a base64 encoded ZIP copy of the worm
- yfjq.yqwm
- zmndpgwf.kxx
The files mslogs32.dll, zmndpgwf.kxx, yfjq.yqwm and Humgly.lkur are data files, not executable code, and can safely be deleted.
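Because the worm's file name and Run value name are both built from the same short word list, a registry export (the backup the Action section tells you to make) and a listing of the system folder can be checked offline. The following is an added example and not Sophos code: the word list, dropped file names and Run/RunOnce paths are taken from this description, while the .reg text and directory listing are constructed sample data.

```python
"""Check for W32/Roca-A persistence artifacts offline.

Added example, not Sophos code. The word list, dropped file names and
Run/RunOnce paths are taken from the description above; the .reg export
and directory listing below are constructed sample data.
"""
import re

# Words the worm combines into its own file name and the Run value name.
WORDS = ["sys", "host", "dir", "explorer", "win", "run", "log", "32",
         "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Files the worm creates in the Windows system folder (lower-cased).
DROPPED_FILES = {"humgly.lkur", "mslogs32.dll", "temp32x.data",
                 "wintmpx33.dat", "yfjq.yqwm", "zmndpgwf.kxx"}

RUN_KEYS = [
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
]

# One string value line of a .reg export, e.g. "name"="C:\\path\\file.exe"
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>.*)"$')


def is_wordlist_name(stem: str) -> bool:
    """True if stem is a concatenation of one or more WORDS (case-insensitive).

    Prefix dynamic programming: ok[i] means stem[:i] can be segmented, so
    'syshost32' is recognised (sys+host+32) without enumerating combinations.
    """
    s = stem.lower()
    if not s:
        return False
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(len(w) <= i and ok[i - len(w)] and s.endswith(w, 0, i)
                    for w in WORDS)
    return ok[len(s)]


def _under_run_key(key: str) -> bool:
    k = key.lower()
    # The worm's Run entry may sit in a subkey (<random name>\<random name>).
    return any(k == rk or k.startswith(rk + "\\") for rk in RUN_KEYS)


def suspicious_run_values(reg_text: str) -> list:
    """Return (key, value name, unescaped data, note) for Run/RunOnce values
    whose data is <SYSTEM>\\<wordlist name>.exe, optionally followed by ' %1'."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if key is None or m is None or not _under_run_key(key):
            continue
        # .reg files escape backslashes and quotes inside string data.
        data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
        target = data[:-3] if data.endswith(" %1") else data
        fname = target.strip('"').rsplit("\\", 1)[-1]
        stem, dot, ext = fname.rpartition(".")
        if not dot or ext.lower() != "exe" or not is_wordlist_name(stem):
            continue
        note = ("single list word, may be a legitimate binary: verify manually"
                if stem.lower() in WORDS else "multi-word name from the list")
        hits.append((key, m.group("name"), data, note))
    return hits


def dropped_files_present(system_dir_listing) -> list:
    """Names from a listing of the Windows system folder that match the
    worm's dropped files, lower-cased and sorted."""
    return sorted({n.lower() for n in system_dir_listing} & DROPPED_FILES)


# Constructed sample .reg export (not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMwareTray.exe\""
"syshost"="C:\\WINDOWS\\system32\\syshost32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"windata"="C:\\WINDOWS\\system32\\windata.exe %1"
'''

# Constructed sample listing of the Windows system folder.
SAMPLE_LISTING = ["kernel32.dll", "mslogs32.dll", "Humgly.lkur", "syshost32.exe"]

if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_REG):
        print("Run value:", hit)
    print("dropped files:", dropped_files_present(SAMPLE_LISTING))
```

Single words from the list such as explorer or service are also names of legitimate Windows binaries, so a Run value pointing at one of them is flagged for manual review rather than treated as a confirmed hit; a multi-word name like syshost32.exe in the system folder is far more specific.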
When first run, W32/Roca-A displays a message box stating
"This patch has been successfully installed."
If the worm is executed again, it displays a message box stating
"This patch does not need to be installed on this system.
Status: OK"
