There is currently a DDoS attack against a number of websites, most of which belong to US and South Korean government sites. The malware involved in the attack has been detected as W32/Mydoom.HN.
The worm reportedly may be received as an email attachment.
Once executed, the worm drops the following files, according to Symantec:
* %System%\[RANDOM CHARACTERS].nls
* %System%\wmcfg.exe (detected as W32.Mydoom.A@mm)
* %System%\wmiconf.dll (detected as Trojan.Dozer)
The worm creates the following registry entry, so that it runs every time Windows starts:
NT\CurrentVersion\SvcHost\"wmiconf" = "WmiConfig"
It creates a new service with the following characteristics:
Service name: WmiConfig service
Display name: WmiConfig service
Startup Type: Automatic
The worm creates the service by adding entries to the following registry subkeys:
The worm drops Trojan.Dozer, a distributed denial of service (DDoS) Trojan, and W32.Mydoom.A@mm, the component that sends out the emails with W32.Dozer attached. All of these components work together to perform the DDoS attacks and spread through email.
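The persistence artifacts listed above (the two dropped files in %System%, the SvcHost registry value, and the "WmiConfig service" auto-start service) are concrete enough to hunt for on a suspect host. The PowerShell script below is an added example for that purpose, not code from the original post or from Symantec. It assumes the truncated key path quoted above refers to the standard Windows location HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, and it adds one check the text only implies: a service whose ServiceDll parameter points at wmiconf.dll, which is how an svchost-hosted service is wired to its DLL. Run it in an elevated session.

```powershell
# Added hunting script for the W32/Mydoom.HN / Trojan.Dozer artifacts described above.
# Not part of the original post. Assumes the SvcHost key quoted in the post is the standard
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost.

$findings = @()
$system   = [Environment]::GetFolderPath('System')   # %System%, e.g. C:\Windows\System32

# 1. Dropped files named in the advisory. The [RANDOM CHARACTERS].nls file cannot be
#    matched by name, so only the two fixed names are checked here.
foreach ($name in 'wmcfg.exe', 'wmiconf.dll') {
    $path = Join-Path $system $name
    if (Test-Path -Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "SHA256=$hash" }
    }
}

# 2. The SvcHost group value "wmiconf" = "WmiConfig" (a REG_MULTI_SZ naming the hosted service).
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$group = Get-ItemProperty -Path $svcHostKey -Name 'wmiconf' -ErrorAction SilentlyContinue
if ($group) {
    $findings += [pscustomobject]@{
        Type = 'Registry'; Item = "$svcHostKey\wmiconf"; Detail = ($group.wmiconf -join ',')
    }
}

# 3. A service registered under the name or display name "WmiConfig service".
$svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='WmiConfig service' OR DisplayName='WmiConfig service'" `
        -ErrorAction SilentlyContinue
foreach ($s in $svc) {
    $findings += [pscustomobject]@{
        Type = 'Service'; Item = $s.Name; Detail = "StartMode=$($s.StartMode) Path=$($s.PathName)"
    }
}

# 4. Any svchost-hosted service whose ServiceDll points at wmiconf.dll, whatever its name.
foreach ($key in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and $dll -match 'wmiconf\.dll$') {
        $findings += [pscustomobject]@{ Type = 'ServiceDll'; Item = $key.PSChildName; Detail = $dll }
    }
}

if ($findings.Count -eq 0) {
    'No Mydoom.HN / Dozer persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Check 4 is the one worth keeping even if the names change in a later variant: a DLL-hosted service always has to be registered through a ServiceDll value, so matching on the dropped DLL's file name catches a renamed service or SvcHost group. Record the SHA256 from check 1 before quarantining the file so the sample can be correlated with vendor signatures.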
South Korea's spy agency suspects North Korea is behind the series of attacks that have triggered Web site outages in South Korea and the United States.