Alias: I-Worm.Nodoom (Kaspersky)
Published Date: 2/16/2004
Last Modified: 2/16/2004
Win32.Nodoom.A is a worm spreading via e-mail. The worm has been distributed as a 5,568-byte, FSG-compressed, Win32 executable.
Method of Installation
When the worm is executed, it copies itself to the System directory as ctsls.exe and modifies the registry in order to execute at the next system re-start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctsls = "%System%\ctsls.exe"
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Also, the worm creates the file Ynit.tmp in the System folder, which is a 7,618-byte, Base-64 encoded copy of the worm.
Nodoom.A creates the mutex: "Ctsls-1x8-MutextTIp" to make sure there is only one copy of the worm running at any given time.
The worm has been designed to run in January and February only.
Method of Distribution
Read more: http://www3.ca.com/virusinfo/virus.aspx?ID=38306
Enter to win* a free holiday tech gift!
CNET's giving five lucky winners the gift of their choice valued up to $250!