Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Win32.Nodoom.A

Feb 16, 2004 12:58PM PST

Alias: I-Worm.Nodoom (Kaspersky)
Category: Win32
Type: Worm
Published Date: 2/16/2004
Last Modified: 2/16/2004

CHARACTERISTICS
Win32.Nodoom.A is a worm spreading via e-mail. The worm has been distributed as a 5,568-byte, FSG-compressed, Win32 executable.

Method of Installation
When the worm is executed, it copies itself to the System directory as ctsls.exe and modifies the registry in order to execute at the next system re-start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctsls = "%System%\ctsls.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

Also, the worm creates the file Ynit.tmp in the System folder, which is a 7,618-byte, Base-64 encoded copy of the worm.

Nodoom.A creates the mutex: "Ctsls-1x8-MutextTIp" to make sure there is only one copy of the worm running at any given time.

The worm has been designed to run in January and February only.

Method of Distribution
Via E-mail

Read more: http://www3.ca.com/virusinfo/virus.aspx?ID=38306

Discussion is locked