Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Nodoom.A
Win32/Nodoom.A is a worm that spreads as an attachment to e-mail messages. Its size is 5568 B and it is compressed with the FSG utility. It runs on all MS Windows OS platforms.
Note: In the following text the symbolic notation %windir% stands for the name of the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory located in %windir% is referred to as %system%.
The worm creates a mutex named "Ctsls-1x8-MutextTIp" to make sure there is only one copy of it running on the infected computer. It verifies the system date and time and limits its activity to the months of January and February.
To ensure it is activated again after the next computer restart, the worm adds a value named Ctsls to the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
It also copies itself to the hard disk as a new file named: %SYSTEM%\ctsls.exe
The worm harvests new e-mail addresses for its spreading from files with the following extensions:
".MMF"
".NCH"
".MBX"
".DBX"
".EML"
".TBB"
".OCS"
".TXT"
".HTML"
".HTM"
located on the C:\ drive.
The worm encodes its body using Base64 and saves the result in the following file: %SYSTEM%\Ynit.tmp
The worm later uses this file as the attachment of the e-mails it sends out.
It looks up the default SMTP server in the registry and sends infected e-mail messages with an attachment using one of the following names:
"pics.pif"
"patch.exe"
"screensaver.scr"
"file.txt .exe"
"weird.jpg .zip.exe"
"myfiles.exe"
"antiserum_1.exe"
The worm uses one of the following Subject lines in its messages:
"Happy Birthday"
"I can't recall what happened but.."
"I don't understand.."
"Is this the Smallest C++ MassMailer???"
"Shit happens..."
"SoBig SoSmall"
"Virus Alert: W32.Nodoom.A@mm "
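The attachment names and Subject lines listed above are usable as mail-gateway indicators. The following added example (not part of the original encyclopedia entry) scans an e-mail for those indicators, for the double-extension trick the worm uses ("file.txt .exe"), and for a Base64-decoded PE body hiding behind a non-executable name; the sample message it builds is constructed, and its attachment is a harmless "MZ" stub rather than the worm.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names and Subject lines quoted in the description above.
NODOOM_ATTACHMENTS = {"pics.pif", "patch.exe", "screensaver.scr", "file.txt .exe",
                      "weird.jpg .zip.exe", "myfiles.exe", "antiserum_1.exe"}
NODOOM_SUBJECTS = {"Happy Birthday", "I can't recall what happened but..",
                   "I don't understand..", "Is this the Smallest C++ MassMailer???",
                   "Shit happens...", "SoBig SoSmall", "Virus Alert: W32.Nodoom.A@mm"}
EXEC_EXTENSIONS = (".exe", ".pif", ".scr")


def disguised_executable(name: str) -> bool:
    """True for names like 'file.txt .exe': a harmless-looking extension,
    padding whitespace, then a real executable extension at the very end."""
    return re.search(r"\.\w+\s+\S*\.(exe|pif|scr)$", name.lower()) is not None


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a message resembles a Nodoom.A mailing ([] if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject in NODOOM_SUBJECTS:
        reasons.append(f"known subject line: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in NODOOM_ATTACHMENTS:
            reasons.append(f"known attachment name: {name!r}")
        if disguised_executable(name):
            reasons.append(f"disguised executable attachment: {name!r}")
        # The worm mails its Base64-encoded body; decode it and look for a PE
        # ('MZ') header hiding behind a name that does not look executable.
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ" and not name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"PE executable under non-executable name: {name!r}")
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed message imitating the worm's mailing; the attachment is a
    harmless 'MZ' stub (not the worm), Base64-encoded like the real one."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.invalid", "b@example.invalid"
    msg.set_content("Here are the files you asked for,\ncheer")
    msg.add_attachment(b"MZ" + b"\0" * 64, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample("SoBig SoSmall", "weird.jpg .zip.exe")):
        print(reason)
```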
The body of the message contains one of the following strings:
"Here are the files you asked for,\ncheer"
"MessageLabs are the first to report of the new Nodoom Internet Worm\nPlease install the patch attached in this email to prevent outbreaks"
"\n\nCan you recall what happened at the party last friday?\nI'm having serious problems, i really should stop smoking!\n\t\t\t\t, \nMaybe the picture files attached will explain it to you..."
"\n\nplease explain me this attachment, it confused me.."
"SoSmall, SoCold, SoNice, SoGood, SoWarm.."
"Is this what where all about?"
While the worm runs, the following message is loaded into memory; it is never displayed anywhere and disappears when the allocated memory is freed:
"Coded as Proof Of Concept only..To show that C++ MassMailers can be as small as Asm MassMailers.....This Program Has NEVER Been Released By The Author!!The Author can NOT be held responsible for any damage caused..As show of good will, i have put a DEADLINE+uneffective email bodies+unoptimized code...just so that it won't spread at all..."
Detection of Win32/Nodoom.A, based on a sample, has been included since version 1.628.
1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

