Windows worm weaves its way with search engines

Silicon Valley/San Jose Business Journal ^ | 2/17.05 | American City Business Journals Inc.

[TomServo]

Word of warning folks. And please - none of the OS/Browser war crap, OK?

[billorites]

Us Kapro users don't have these problems.

[anonymoussierra]

Thank you

[clyde asbury]

Any suggestions for those who may have caught it?

[GaltMeister]

A Kaypro! CP/M will rule the world someday!

Hey, at least CP/M users don't have to worry about these pesky Internet problems. :o)

[wolfpat]

Reformat.

[Tannerone]

I have JAVA.EXE on my system as follows:
---\program files\java\-- (3 ea)

---\system32\java.exe (1 ea)

I believe this has been on my "putter" for some time.

Thus, is this warning a hoax?

[billorites]

"Hey, at least CP/M users don't have to worry about these pesky Internet problems. :o)"

I spent over fourteen years on line using CP/M (BBS, Compuserve, etc.) before I ever made the leap to the WWW.

[decimon]

You still have to open an email attachment to be infected, right?

[boxerblues]

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html">http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

When W32.Mydoom.AX@mm is executed, it performs the following actions:



Creates the following files:


%Windir%\java.exe
%Windir%\services.exe (this is a Trojan horse detected as Backdoor.Zincite.A)

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Adds the values:

"JavaVM" = "%Winir%\java.exe "
"Services" = "%Windir%\services.exe"

to one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

[LasVegasMac]

You still have to open an email attachment to be infected, right?

No.

Even thinking about it will trigger it!

just kidding....

LVM

[Disambiguator]

Thank you for correcting the error in the article. MyDoomAO has been around since the end of January. The AX variant was discovered today. Another example of sloppy reporting!

This is yet another email attachment virus, so if people were more careful about attachments these things wouldn't propagate so quickly. We just block any potentially harmful content at our gateway (not necessarily an option for home users, though).

[Johnny Crab]

New pest info:

http://www.datafellows.com/v-descs/mydoom_bb.shtml

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB

http://www.us-cert.gov/other_sources/viruses.html#III

If you already got it, cleanup when your virus software supplier releases a "patch". A disconnected USB hard drive that contains your vital files(backed up regularly) can be very useful if a nasty one starts munching on your PC.

[Ol' Dan Tucker]

Exactly. I got soooo tired of viruses, that I went back to my old Atari 800.

[Redcloak]

I have my backup system primed and ready...

[camas]

when they catch the guy that starts the worm they should give him life with no computer.

[decimon]

No.

Even thinking about it will trigger it!

Ooooohm!

Ooooohm!

[Paleo Conservative]

What web browser do you use?

[RadioAstronomer]

Hey, at least CP/M users don't have to worry about these pesky Internet problems

LOL! We hooked up a PDP-8 with an ASR-33 Teletype to the internet (used a unix box as an interface) just to see if we could do it. :-)

Was weird typing on the Teletype to navigate the net.

[Swordmaker]

I decided to revert to a guaranteed no-virus computer: