Post W32.Novarg.A@mm & W32.Beagle.A@mm info here.

AchTuNG!

Anyone having heaps of fun with this munga yet? Security Response is slowly releasing info on it, but as far as I can see it's spreading like wild fire and some!
 
Does this virus send a mail titled 'test' with an attachment doc.zip.scr? If so, my school account has been infected. :(
 
Sure does. Symantec has finally released beta definitions. I suggest people get 'em installed ASAP.
 
W32.Novarg.A@mm Recommendations and removal instructions

Threat metrics:
Wild: High infection rates in the wild
Damage: Medium (see below)
Distribution: High

W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm also contains functionality to perform as a proxy server. It listens on all TCP ports in the range 3127-3198.

The worm will perform a DoS starting on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading.

Recommendations (the standard stuff)

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
 
In addition, be advised:

W32.Beagle.A@mm

Threat metrics:
Wild: High infection rates in the wild
Damage: Low
Distribution: High

W32.Beagle.A@mm is a mass-mailing worm that accesses remote Web sites and sends email to any addresses it finds using its own SMTP engine. The email has the following characteristics:

Subject: Hi
Filename: <Random>.exe
Filesize: 15,872 bytes

The worm will only work until January 28, 2004 (See Note in step 1 in the "Technical Details" section below).

Some customers have reported that Trojan.Mitglieder.C has been discovered on computers infected with W32.Beagle.A@mm.

Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.A@mm.
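The advisory above says the Novarg proxy listens on TCP 3127-3198. As an added example (not from the advisory or from Symantec), this parses a constructed `netstat -an` listing and reports TCP listeners in that range, so a host can be triaged without waiting for signatures; the sample output is made up for the test.

```python
import re

# Port range the quoted Novarg write-up says the worm's proxy listens on.
NOVARG_PORTS = range(3127, 3199)  # 3127-3198 inclusive

# Constructed sample of Windows 'netstat -an' output, not captured from a real host.
# Lines for 3126 and 3199 sit just outside the range; the UDP line shares a port
# number but is not a TCP listener, so none of those three should be reported.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3126           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:3130           *:*
"""

# Match only TCP sockets in LISTENING state; group 2 is the local port.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def suspicious_listeners(netstat_output: str) -> list[int]:
    """Return the sorted TCP ports in 3127-3198 that are in LISTENING state."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) in NOVARG_PORTS:
            found.append(int(m.group(2)))
    return sorted(found)

if __name__ == "__main__":
    hits = suspicious_listeners(SAMPLE_NETSTAT)
    print("suspicious listeners:", hits or "none")
```

A hit is a reason to pull the box off the network and check it with current definitions, not proof of infection on its own, since other software can use those ports.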
 
Originally posted by AchTuNG!
My NAV isn't detecting these emails as viruses yet. be aware of this!

As soon as I saw the attachment, I knew what it was. ;) I think this virus has already damaged the SOU mail server. I got some funky garbled messages including one from AOL's mail daemon.
 
Originally posted by ’m‚³‚ñ
As soon as I saw the attachment, I knew what it was. ;)


But of course. I'm just a little concerned about the monkeys that work here. No probs yet.
 
Originally posted by AchTuNG!
But of course. I'm just a little concerned about the monkeys that work here. No probs yet.

I can see what you mean. I locked my mom's email account down, just to be sure. :rolleyes:
 
http://www.f-secure.com/v-descs/novarg.shtml

Mydoom is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it. In emails, it uses variable subjects, bodies and attachment names. It also attacks SCO.COM with a DDoS-attack.

The worm opens up a backdoor to infected computers. This is done by planting a new SHIMGAPI.DLL file in the system32 directory and launching it as a child process of EXPLORER.EXE.

I'm a bit torn on what to think about this virus: on one hand it will DDoS SCO, and on the other it will probably slow down the Internet and waste bandwidth on my email server...
 
Originally posted by mcryptic
http://www.f-secure.com/v-descs/novarg.shtml

Mydoom is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it. In emails, it uses variable subjects, bodies and attachment names. It also attacks SCO.COM with a DDoS-attack.

The worm opens up a backdoor to infected computers. This is done by planting a new SHIMGAPI.DLL file in the system32 directory and launching it as a child process of EXPLORER.EXE.

I'm a bit torn on what to think about this virus: on one hand it will DDoS SCO, and on the other it will probably slow down the Internet and waste bandwidth on my email server...

It's sure fubared my email account, on my local ISP and at SOU. :(
 
Okay... Whatever is going on at SOU, there are so many emails going around that I cannot resolve the server anymore. My ISP has done something or other... My service was temporarily disabled earlier this evening; I'm assuming they put up software to block this virus's propagation. I hope things don't get worse here... I need to email a teacher about something important, or I might not pass a class this term.
 
This is a decent wake up call to those of you running a mail server:

Filter your attachments. Do not allow executable attachments through. Make sure your mail is scanned for viruses at the gateway.
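The gateway rule above (block executable attachments) is easy to state but the thread's own sample, an attachment named doc.zip.scr, shows why a naive "last extension" check is not enough. As an added example, not from the poster or from Symantec, this filter flags the extensions the quoted advisory lists anywhere in a double extension and also looks inside .zip attachments; the message it checks is constructed here with inert filler bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import io
import zipfile

# Extensions the quoted Symantec advice says to block at the mail server,
# plus .cmd, which the Novarg write-up lists among its attachment types.
BLOCKED_EXTENSIONS = {"vbs", "bat", "cmd", "exe", "pif", "scr"}

def risky_name(filename: str) -> bool:
    """Flag a blocked extension anywhere after the first dot, so the
    double extension 'doc.zip.scr' is caught as well as 'readme.scr'."""
    parts = filename.lower().split(".")
    return any(part in BLOCKED_EXTENSIONS for part in parts[1:])

def risky_zip(payload: bytes) -> list[str]:
    """List the members of a zip attachment whose names look executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if risky_name(n)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]  # a corrupt archive is not given a pass

def check_message(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a message; an empty list means deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if risky_name(name):
            reasons.append(f"blocked extension in attachment {name!r}")
        if name.lower().endswith(".zip"):
            inside = risky_zip(part.get_payload(decode=True))
            if inside:
                reasons.append(f"executable inside {name!r}: {inside}")
    return reasons

def build_sample() -> bytes:
    """Constructed 'test' / doc.zip.scr style message; payloads are inert filler."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "test", "a@example.invalid", "b@example.invalid"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(b"filler", maintype="application",
                       subtype="octet-stream", filename="doc.zip.scr")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.exe", b"filler")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="body.zip")
    return msg.as_bytes()
```

Running `check_message(build_sample())` returns two quarantine reasons, one for the double extension and one for the .exe inside body.zip; a plain "report.doc" attachment returns none.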
 
Originally posted by CypressTree
I have received over 20 infected e-mails in the last 5 hours on my work e-mail account. Doesn't look like my company's filters have caught on to this virus yet.

CNet is reporting that the virus is spreading 3x faster than Sobig.F did:

http://news.com.com/2100-7349_3-5147605.html?tag=nefd_lede

Ugh... well, 2004's off to an exciting start...

Umm? I've gotten a couple THOUSAND mail messages from the SOU server. I have to empty my mailbox every 15 minutes or it gets completely full (10 megs).
 
Yeah I had 3 or 4 "mail delivery error" emails at work this morning. I thought someone was trying to use my email address as a spam host at first. I also noticed NAV CE (our office AV product) had an update this morning which I thought was odd for a Tuesday. I knew then something new was out.
Beware of "mail delivery error" emails and of course DO NOT OPEN EMAIL ATTACHMENTS. Also be on the lookout for emails with "status" or "test" in the subject line.
 
hmmm...11 emails, 1 spam, 10 valid, no errors or attachments
and if my sister would stop CCing my address over half the web I'd get rid of that damn spam too :p

checked my drop dead box too
6 new spam mails (normal)

looks like my isp has it under control
 
I think you might have a fundamental misconception of the blackhat "community",

which more often than not is simply criminal, or just script kiddies.
Most attacks originate from countries that are not members of the G7, and while they have no love for Micro$oft, they are just as likely to attack NIX systems.

It's the huge growth of inexperienced users, on broadband connections, running Windows that provides the largest target to take advantage of, however.
 
Anyone seen their folder list in Outlook disappear? (Please don't tell me how to bring it back...)
 
Well, I'm still clean, and haven't received any "unusual emails".

a few excerpts

http://www.informationweek.com/story/showArticle.jhtml?articleID=17501375
"On Tuesday afternoon, Web-site performance-monitoring company Keynote Systems Inc. reported that the effects of the MyDoom worm had dragged down Internet performance. According to the company, Web-page downloads were delayed up to 3.9 seconds.

Antivirus companies warn that MyDoom spreads through peer-to-peer networks and by sending E-mails with random subject headings, including "Hello." MyDoom also carries E-mail attachments with various file names, including body.zip, text.zip, and readme.zip. The worm also opens a port to listen for potential future instructions.

Upon activation--usually when a recipient clicks on an E-mail attachment--the rogue program searches though address books and sends itself to E-mail addresses it finds. It chooses one as the sender, so recipients may believe the message comes from someone they know.

Unlike other mass-mailing worms, MyDoom doesn't try to trick victims with promises. Rather, messages carry innocuous-sounding subject lines, like "Error" or "Server Report" and messages in the body such as "Mail transaction failed. Partial message is available."

Keep in mind MyDoom\Novarg ain't the only game goin' right now.

Hat Trick of Worms Attacks Internet
"Antivirus companies claim it's "the fastest moving worm ever." The flood started over the weekend, actually, as a series of infected e-mails started showing up in my in-box. On Monday, everything went kablooey—with about 10% of sent and received e-mails coming from one of three different worms. MyDoom turned out to be the worst, causing corporations to unplug their e-mail systems from the Internet and clogging in-boxes worldwide. We've been covering the latest killer worms—analyzing all three for info on how they work and why. Our special report keeps you updated on just how overwhelmingly the virus is spreading and explains how to spot and disinfect machines that have been compromised. "
 
Well, at least this is making for some entertaining quotes.

http://www.eweek.com/article2/0,4149,1473101,00.asp
"However, IT managers must assume that their clients are dumber than dirt about this antivirus stuff and will run whatever executable code strangers send them. "

"Worse, one vendor told me today that whenever one of these attacks happens a number of people intentionally run the virus—knowing it's a virus—just to see what happens. This must be the digital equivalent of a kid wondering what happens when her or she puts their fingers in an electrical socket."

Well, I haven't got a copy to try that with, otherwise I probably would (I was that kid :p ).

Be advised the MyDoom variant seems to prevent access to many antivirus sites for the patches\definitions.
 
Originally posted by John-K
I just finished updating my virus software, when I suddenly got very angry. Sorry to rant, but I really want to say my piece.

Speaking as an everyday user who uses his computer for the most mundane of things and has had to suffer through a virus (though practicing good Internet habits), I have to say that I am absolutely sick of all this: virii, trojans, whatever. I understand that some people have some kind of vendetta against M$, but the only people hurt by this malicious activity are end users -- people who are simply interested in being productive with their computers; who want an OS that has a wide variety of software available; and need to get started with a minimum of fuss.
You are operating under a misconception: It's not that MS is hated ( although it is ), it's that they make an easy smoke screen for what the virus is doing AND it has the largest uninformed user base out there. That makes for one hell of a target. Were linux or apple the common desktop out there, you'd see virii attacking them more.
I'm not talking about learning Linux or whatever. I am not interested in having to cull through volumes of text and FAQs; and Google-ing for every scrap of information necessary to understand what the heck these OSes are and how to make them do what I need them to do. And that's not because I am too lazy; I do do my homework when I can, and actually, I like tinkering around with the hardware every now-and-then. It's just that it's not worth it to me overall, because I also have family and work commitments, as well as personal goals -- all areas of my life that I need to devote significant amounts of my time.
Again, you are sadly misinformed. I installed a Linux box in ~25 minutes, from boot up to login with 0 knowledge. At that point, I could surf the web, get my email, write letters, etc...
In fact, that statement regarding time committment is representative of all people!! It's all such an incredible waste!
Here's something you might want to think on: the reason most people dislike MS is because they WASTE OUR TIME with their foolishness.
And now, Oh God, I have just downloaded 29 pieces of spam, one of which is a fraud-con e-mail posing as an Earthlink notice.
If you want to get angry at someone and do something about it, I suggest you take a close look at the work your representative is doing right now with technology.

There's enough anger there to last me a lifetime.
 
Originally posted by John-K
What was the point of this smug rejoinder? I already said that I have no love for M$.
You stated that the reason you don't want to learn linux was it wastes time. I was pointing out that one of the largest offenders to wasting my time was MS. Of all the comments in that post, you think that one is smug?

I'm not sure what you're getting at.
You are angry at your time being wasted, you stated that. Well, the people that can and should be doing something about that, our elected officials, are too busy chasing the buck to do their job. If you want to be angry with anybody, it's them you should ultimately hold responsible.

No, I am not saying we should let virus writers go; I have all sorts of interesting ideas we could do to them, most of them involving electrodes and piranha. But those that hold the companies responsible for bad business practices, which ultimately affects the software (sadly), are not actually holding them responsible.

You know what? Screw it, it's not the elected officials' fault, it's ours for being cattle and buying crap software, time and again.

Anyway, I'm in a mood and this is OT anyway.
 
So far this virus hasn't been much of a problem for me; I've only received about a dozen emails at my webmail account since Monday, and only one at my main email server. It's not nearly as bad as Sircam was; Sircam gave me ten times the amount.
 