* Virus definitions (Intelligent Updater): January 26, 2004
Threat Assessment
* Wild level: Low
* Number of infections: more than 1000
* Number of sites: more than 10
* Geographical distribution: High
* Threat containment: Easy
* Removal: Moderate
* Damage level: Medium
* Large-scale e-mailing: Sends itself to e-mail addresses found in files with the extensions listed below.
* Degrades performance: Degrades system performance.
* Compromises security settings: Allows unauthorized remote access.
* Distribution level: High
* Subject of e-mail: Varies
* Name of attachment: Varies, with the extension .pif, .scr, .exe, .cmd, .bat, or .zip
* Size of attachment: 22,528 bytes (may vary)
* Ports: TCP 3127 through 3198

When W32.Mydoom.A@mm is executed, it performs the following actions:
* Modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
* Searches for e-mail addresses in files with the following extensions:
* .sht
* .php
* .asp
* .dbx
* .tbb
* .adb
* .pl
* .wab
* .txt
Note: The worm ignores addresses that end in .edu.
From: May be a spoofed sender address.
Subject:
One of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message:
One of the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment:
One of the following:
document
readme
doc
text
file
data
test
message
body
Note:
The attachment may have two suffixes. If so, the first suffix is one of the following:
.htm
.txt
.doc
The worm always uses one of the following as the final suffix:
.pif
.scr
.exe
.cmd
.bat
.zip (this is a real .zip archive that contains the worm executable; the executable inside has the same base name as the .zip file)
If the worm uses .exe or .scr as the extension, the attachment is displayed with a text-file-style icon.

The worm copies itself to the KaZaA download folder under one of the following names:
* winamp5
* icq2004-final
* activation_crack
* strip-girl-2.0bdcom_patches
* rootkitXP
* office_crack
* nuke2004
using one of the following extensions:
* .pif
* .scr
* .bat
* .exe
Intrusion Alert
Symantec has released the Intrusion Alert 3.6 W32_Novarg_Worm policy.
Symantec ManHunt
Security Update 16 has been released and provides a signature for W32.Mydoom.A@mm backdoor activity.
In addition, Symantec ManHunt 2.2/3.0/3.01 customers can use the following signature to detect the denial-of-service attack against www.sco.com. This signature helps identify the computers that are making the requests.
**********************************************************
alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d 0a|Host: www.sco.com|0d 0a 0d 0a|"; offset:0; dsize:37;)
************************ EOF *****************************
For more help on creating a custom user signature, refer to the ManHunt Administration Guide, Appendix A: Custom Signatures for Hybrid Mode.
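To show what the ManHunt signature above actually tests, here is an added example (not part of the Symantec write-up) that applies the same three conditions, destination port 80, payload length exactly 37 bytes (dsize:37), and the fixed request at offset 0, to constructed TCP payload records and reports the distinct source hosts that would have raised the alert. The IP addresses and the TcpSegment record type are assumptions made for the example.

```python
# Added example: mirrors the semantics of the ManHunt rule
#   alert tcp any any -> any 80 (content:"GET / HTTP/1.1|0d 0a|Host: www.sco.com|0d 0a 0d 0a|"; offset:0; dsize:37;)
# over constructed traffic records. Not code from the Symantec write-up.
from dataclasses import dataclass

# The exact request the rule describes; its length is what dsize:37 checks.
SCO_DOS_REQUEST = b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"
assert len(SCO_DOS_REQUEST) == 37


@dataclass
class TcpSegment:
    """Minimal stand-in for a decoded TCP segment (hypothetical record type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def matches_sco_dos_rule(seg: TcpSegment) -> bool:
    """True when the segment satisfies every condition of the rule."""
    if seg.dst_port != 80:                 # 'any any -> any 80'
        return False
    if len(seg.payload) != 37:             # dsize:37 -- payload must be exactly 37 bytes
        return False
    return seg.payload.startswith(SCO_DOS_REQUEST)   # content at offset 0


def infected_hosts(segments) -> list:
    """Distinct source IPs whose traffic triggered the rule, in first-seen order."""
    seen = []
    for seg in segments:
        if matches_sco_dos_rule(seg) and seg.src_ip not in seen:
            seen.append(seg.src_ip)
    return seen


# Constructed sample traffic (not a real capture). 192.0.2.10 stands in for the web server.
SAMPLE_SEGMENTS = [
    TcpSegment("10.0.0.5", 3401, "192.0.2.10", 80, SCO_DOS_REQUEST),
    TcpSegment("10.0.0.9", 4022, "192.0.2.10", 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.sco.com\r\nUser-Agent: x\r\n\r\n"),  # normal browsing
    TcpSegment("10.0.0.5", 3402, "192.0.2.10", 80, SCO_DOS_REQUEST),    # repeat from the same host
    TcpSegment("10.0.0.7", 3127, "192.0.2.10", 8080, SCO_DOS_REQUEST),  # wrong port: no alert
    TcpSegment("10.0.0.12", 3500, "192.0.2.10", 80, SCO_DOS_REQUEST),
]

if __name__ == "__main__":
    print(infected_hosts(SAMPLE_SEGMENTS))  # ['10.0.0.5', '10.0.0.12']
```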