Details
Worm.Win32.Datom
This is a network worm. It replicates via shared network resources. The worm consists of 3 different files:
MSVXD.EXE
MSVXD16.DLL
MSVXD32.DLL
The first component, MSVXD.EXE activates the worm by loading the MSVXD16.DLL library. In turn, MSVXD16.DLL loads the MSVXD32.DLL component, which performs the worming operations.
Replication
The worm searches for available network resources and tries to connect to their host computers. If the connection has been successfull, the worm then searches for a shared directory that appears to be the Windows directory: it tries the “WinNT” name, and also tries to read the “WinDir” section in the MSDOS.SYS file (if it exists and is available). Then the worm copies all its components to the remote Windows directory, and then sets MSVXD.EXE up to start with Windows automatically: if there is file called “Win.ini” in the remote Windows directory, it writes “MSVXD.EXE” string in the “Run” section of this file, otherwise it creates a link file pointing to MSVXD.exe and called “VxD Manager.lnk” in the common (”All users”) Startup directory on the remote computer.
Other
The worm searched for the presence of the ZoneAlarm firewall, and tries to terminate its active instances. It also tries to send “notification” e-mail messages to one of two different addresses that may belong to the author of the worm. These messages contain information about the infected system.
Related Posts
Worm.Win32.DatoIM-Worm.Win32.Bropia.aEmail-Worm.Win32.Bagle.cWorm.Win32.VB.aEmail-Worm.Win32.Sober
This entry was posted
on Monday, August 25th, 2008 at 11:50 am and is filed under Virus Threats.
Details
Worm.Win32.Datom
This is a network worm. It replicates via shared network resources. The worm consists of 3 different files:
MSVXD.EXE
MSVXD16.DLL
MSVXD32.DLL
The first component, MSVXD.EXE activates the worm by loading the MSVXD16.DLL library. In turn, MSVXD16.DLL loads the MSVXD32.DLL component, which performs the worming operations.
Replication
The worm searches for available network resources and tries to connect to their host computers. If the connection has been successfull, the worm then searches for a shared directory that appears to be the Windows directory: it tries the “WinNT” name, and also tries to read the “WinDir” section in the MSDOS.SYS file (if it exists and is available). Then the worm copies all its components to the remote Windows directory, and then sets MSVXD.EXE up to start with Windows automatically: if there is file called “Win.ini” in the remote Windows directory, it writes “MSVXD.EXE” string in the “Run” section of this file, otherwise it creates a link file pointing to MSVXD.exe and called “VxD Manager.lnk” in the common (”All users”) Startup directory on the remote computer.
Other
The worm searched for the presence of the ZoneAlarm firewall, and tries to terminate its active instances. It also tries to send “notification” e-mail messages to one of two different addresses that may belong to the author of the worm. These messages contain information about the infected system.
Related Posts
Worm.Win32.DatoIM-Worm.Win32.Bropia.aEmail-Worm.Win32.Bagle.cWorm.Win32.VB.aEmail-Worm.Win32.Sober
This entry was posted
on Monday, August 25th, 2008 at 7:50 am and is filed under Virus Threats.