Nemog/Gavvo Alert
infectionvectors.com
September 2004
Vector: MyDoom/Sykel
Impact: High (remote control of machine)

Nemog is dropped by MyDoom variants after the mass mailer infects a system. The Trojan allows the author to add links to a Favorites file, change the local host’s IE start page, connect to various IRC channels, and harvest configuration details from the infected machine.

Nemog contains a routine to generate fake email accounts for use in relayed email, undoubtedly for spamming purposes. The code allows for email relaying, killing antivirus/security software, and lifting local host information from the infected machine.

Since the code must be introduced via another worm, either MyDoom or its cousin Sykel, the threat of this Trojan is low. Ensure that email gateways are protecting the network against MyDoom and that machines are patched with MS 835732 (MS04-011, which contains the LSASS patch) to deflect Sykel.