W32/Nodoom.a@MM

Type: Virus
SubType: E-mail
Discovery Date: 02/17/2004
Length: 5,568 bytes (FSG)
Minimum DAT: 4324 (02/17/2004)
Updated DAT: 4324 (02/17/2004)
Minimum Engine: 5.1.00
Description Added: 02/17/2004
Description Modified: 02/17/2004 4:23 AM (PT)
Risk Assessment
  • Corporate User: Low
  • Home User: Low

Characteristics

This detection is for a mass-mailing worm written in MSVC. The file is likely to be packed with FSG. The worm bears the following characteristics:

  • contains its own SMTP engine to construct messages
  • harvests target email addresses from the victim machine
  • spoofs the From address (using harvested email addresses)

The worm checks the system time on the victim machine and exits if the month is anything other than January or February (independent of year).

Symptoms

  • Files, Registry keys as detailed below.
  • Outgoing messages matching the characteristics described below.

Method of Infection

Mail Propagation
The worm constructs email messages using its own SMTP engine. Email addresses are harvested from files with the following extensions on the victim machine:

  • .HTM
  • .HTML
  • .TXT
  • .OCS
  • .TBB
  • .EML
  • .DBX
  • .MBX
  • .NCH
  • .MMF

Harvested addresses are also used in spoofing the From: address of outgoing messages.

Messages are constructed with varying subject line, message body and attachment filename.

The subject line is chosen from one of the following:

  • Happy Birthday
  • I can't recall what happened but..
  • I don't understand..
  • Is this the Smallest C++ MassMailer???
  • Shit happens...
  • SoBig SoSmall
  • Virus Alert: W32.Nodoom.A@mm

The attachment filename is chosen from one of the following:

  • antiserum_1.exe
  • documents.exe
  • file.txt (many spaces) .exe
  • myfiles.exe
  • patch.exe
  • pics.pif
  • screensaver.scr
  • weird.jpg (many spaces) .zip.exe

The message body is chosen from one of the following:

  • Here are the files you asked for,
    cheers

  • MessageLabs are the first to report of the new Nodoom Internet Worm
    Please install the patch attached in this email to prevent outbreaks

  • Can you recall what happened at the party last friday?
    I'm having serious problems, i really should stop smoking!

    Maybe the picture files attached will explain it to you...

  • please explain me this attachment, it confused me.

  • SoSmall, SoCold, SoNice, SoGood, SoWarm..

  • Is this what where all about?
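As an added example (not part of the McAfee description), the mail-side indicators listed above applied to constructed sample messages: subject lines, the known attachment names, and the whitespace-padded double extensions such as "file.txt (many spaces) .exe". The message dict layout and the 40-space padding in the samples are assumptions.

```python
import re

# Subject lines and attachment names taken from the description above.
SUBJECTS = {
    "Happy Birthday", "I can't recall what happened but..", "I don't understand..",
    "Is this the Smallest C++ MassMailer???", "Shit happens...", "SoBig SoSmall",
    "Virus Alert: W32.Nodoom.A@mm",
}
ATTACHMENTS = {
    "antiserum_1.exe", "documents.exe", "file.txt.exe", "myfiles.exe",
    "patch.exe", "pics.pif", "screensaver.scr", "weird.jpg.zip.exe",
}
EXECUTABLE_EXTS = (".exe", ".pif", ".scr")


def normalize_filename(name):
    """Drop the whitespace runs the worm inserts before the real extension."""
    return re.sub(r"\s+", "", name).lower()


def classify_attachment(name):
    """Return the list of reasons an attachment name looks like Nodoom's."""
    norm = normalize_filename(name)
    reasons = []
    # A run of two or more spaces inside a filename is the padding trick itself;
    # a single space is common in legitimate names and is not flagged.
    if re.search(r"\s{2,}", name):
        reasons.append("whitespace-padded filename")
    if norm in ATTACHMENTS:
        reasons.append("known Nodoom attachment name")
    if norm.endswith(EXECUTABLE_EXTS) and norm.count(".") > 1:
        reasons.append("executable hidden behind double extension")
    return reasons


def inspect_message(msg):
    """msg is a dict with 'subject' and 'attachments' (assumed layout)."""
    reasons = []
    if msg.get("subject", "") in SUBJECTS:
        reasons.append("known Nodoom subject line")
    for name in msg.get("attachments", []):
        reasons.extend(f"{name.strip()!r}: {r}" for r in classify_attachment(name))
    return reasons


# Constructed sample messages, not real captures.
SAMPLES = [
    {"subject": "SoBig SoSmall", "attachments": ["weird.jpg" + " " * 40 + ".zip.exe"]},
    {"subject": "Happy Birthday", "attachments": ["patch.exe"]},
    {"subject": "Meeting notes", "attachments": ["notes.txt"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], "->", inspect_message(sample) or "clean")
```

A subject hit alone ("Happy Birthday") is a weak signal; the attachment reasons are what make a message worth quarantining.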

Installation
The worm copies itself to the system directory as CTSLS.EXE, for example:

  • c:\WINNT\system32\ctsls.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Ctsls" = C:\WINNT\System32\ctsls.exe

A base-64 encoded copy of the worm (7,618 bytes) is written to:

  • c:\WINNT\system32\Ynit.tmp

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Nodoom (AVP)
  • W32/TiniPOC.A.worm (Panda)
  • Win32.Nodoom.A (CA Vet)
