Slashdot Mirror


Today's Windows Virus - MyDoom / Novarg

Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.


  1. Finally! by someonehasmyname · · Score: 5, Funny

    Finally, a worthwhile virus!!

    --
    Common sense is not so common.
    1. Re:Finally! by Anonymous Coward · · Score: 5, Funny

      Is there a Linux port yet???

    2. Re:Finally! by MicktheMech · · Score: 5, Funny

      Not quite. This virus contains SCO IP. The DDOS is actually the infected host sending credit card info to pay SCO $699 for the license.

    3. Re:Finally! by cyril3 · · Score: 5, Funny
      Yeah right.

      The last time someone told me I needed the latest virus patch I got into a shit load of trouble.

      And they were from Microsoft.

      You think I'm going to believe you. I hit that link and my soul belongs to some Romanian gangster.

      I'm not that stupid.

    4. Re:Finally! by Joel+Carr · · Score: 5, Funny

      You also need the Extra.DAT file which you can grab from here:

      In case the site gets /.ed, you can download the Extra.DAT file from me using Kazaa...

      --
      Any man who can drive safely while kissing a pretty girl is simply not giving the kiss the attention it deserves. -- AE
    5. Re:Finally! by t0qer · · Score: 2, Funny

      Finally, a worthwhile virus!!

      Not when my come-home-from-work stress release is playing quake3 with my boss's face skinned over all the models. The extra traffic across the backbones is going to make my ping go to hell!!!

      *disclaimer*
      I work for myself and I really play counterstrike.

    6. Re:Finally! by Geek+of+Tech · · Score: 3, Funny
      So, uh where can I download a copy?

      --
      Stop the Slashdot effect! Don't read the articles!
    7. Re:Finally! by IthnkImParanoid · · Score: 4, Funny

      Check your email...I sent it to you (a couple... hundred... times).







      ---Note to John Ashcroft: the above was a joke.

      --
      It's nothing but crumpled porno and Ayn Rand.
    8. Re:Finally! by thedillybar · · Score: 5, Funny
      This doesn't make open source look bad.

      As far as I can tell, this virus is not licensed under the GPL, and I can't find the source for it anywhere...

    9. Re:Finally! by obeythefist · · Score: 5, Funny

      Ahh, so the idea is, the virus infects Windows boxes, then sends data to SCO to tell them that it's a windows box, which frees SCO to sue *everyone* else who doesn't attack them with the virus, because they must be running Linux. And we all know who owns linux, don't we?

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    10. Re:Finally! by dslbrian · · Score: 5, Funny

      I think www.sco.com as we know it will probably have traffic from this virus FOREVER.

      Which they will promptly PR-spin into a positive thing - "We are getting THOUSANDS of licensing inquiries EACH DAY!!" or "Our website has become one of the most POPULAR on the internet, obviously customers are very satisfied!"

    11. Re:Finally! by XO · · Score: 4, Funny

      I still get a bunch of hits from Code Red in my logs, too.. from people on the same cable systems.. I'm collecting all their IPs, and am going to start a mass bomb of "NET SEND /DOMAIN:ip 'GET A GODDAMN ANTIVIRUS PROGRAM YOU FUCKING MORON'" ...

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    12. Re:Finally! by Almond+Tree · · Score: 2, Funny

      That's right! DDosing SCO is just plain wrong! And don't think about linking SCO here or the Slashdot effect will be mistaken for a virus DDOSing SCO. That would be a rotten way to treat a fine company like SCO. I wish Darl all the best of luck with all his endeavors at SCO. (After all - he'll need all the luck he can get with no viable product.)

      --
      bau bau chicka chicka mau mau

    13. Re:Finally! by stfvon007 · · Score: 2, Funny

      I thought trojans were designed to prevent viruses, such as AIDS..... Oh wait, wrong trojan.

      --
      All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
    14. Re:Finally! by Mr2cents · · Score: 3, Funny

      I think I'm going to re-install Win98 on all my machines.. They have been Microsoft-free for the last couple of years, but this virus really is a killer app!

      --
      "It's too bad that stupidity isn't painful." - Anton LaVey
    15. Re:Finally! by praedictus · · Score: 2, Funny

      ...So I guess that www.sco.com will be back up by Feb. 13th... ...Unless you set the system clock back :P

      For that matter beat the rush, and set system clock to Feb 1 today!!!

      --
      Watashi wa chikyubutsurigakusha desu.
  2. i'm not scared... by edrugtrader · · Score: 5, Funny

    i just got the patch off of kazaa... sweet jesus, just in the nick of time.

    whew.

    i was scared there for a ss.....[NO CARRIER]

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  3. DOS huh? by Armethius · · Score: 5, Funny

    "Second, it can perform a denial-of-service against www.sco.com" Will this be the first virus I willingly load on my machine?

    1. Re:DOS huh? by caluml · · Score: 2, Funny
      Fair play to SCO - their site is still up, and serving pages. Must be running that excellent Linux operating system. They should get involved with that - maybe they could update their "Unix" with some of its ideas? Hell, it's open source, so they could just cut and paste.

      Seriously, what's the betting that the author reads Slashdot? High.

    2. Re:DOS huh? by bsharitt · · Score: 5, Funny

      Damn it, they don't make enough Mac compatible viruses.

    3. Re:DOS huh? by PhxBlue · · Score: 5, Funny

      Will this be the first virus I willingly load on my machine?

      No, it'll be the second. You have to load Windows first.

      --
      !#@%*)anks for hanging up the phone, dear.
    4. Re:DOS huh? by nocomment · · Score: 5, Funny

      I thought that might be what you meant. Sorta like the honor system virus where when you get the email you just delete a bunch of random files yourself and forward the email.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    5. Re:DOS huh? by erobertstad · · Score: 2, Funny

      Is it truly a virus when people infect their own machines? Speaking of that, where can I get ahold of this? I was stupid enough to actually tell my friends all those good rules about 'not opening attachments'... sure they listen when a virus comes around that's actually WORTH forwarding.

      So I beg, could someone please send me a copy, my e-mail is sales@sco.com, please send ASAP. :)

    6. Re:DOS huh? by Nahor · · Score: 5, Funny

      It's well known that Windows is not a virus (shamelessly copied from here)

      1. Viruses are free.
      2. Viruses can be gotten from any good bbs.
      3. If detected soon enough, most viruses can be removed from your computer without a huge loss of data and time.
      4. Viruses don't take up HUGE wads of disk space.
      5. Viruses don't need 4meg of ram to run.
      6. Viruses do something.
      7. Viruses come in flavors, not just one-size-fits-all.
      8. Viruses use the "cutting edge" programming skills to make themselves less noticeable. (until they are ready to be noticed)
      9. Viruses don't have major bugs. (if they do, then they don't work, so they're not viruses)
      10. Viruses don't have three different sets of documentation that is all mixed up and wrong.
      11. Viruses don't leak things to the press about the upcoming Jerusalem 95, to keep people from switching to Michelangelo/2 Warp or better yet, XJerusalem.
      12. Viruses don't put out stupid two page ads in magazines centered around the march 6 "activate button".
      13. Viruses aren't on every computer.
      14. Viruses don't have stupid wizards.
      15. Who cares if a virus is 16 bit, even though it is advertised as 32?
      16. Viruses don't say that they are user "friendly", when they aren't.
      17. Viruses can run on PCDOS without warnings.
      18. Viruses when installing themselves don't try to send private info about your computer over the phone lines to microstoned-net.
      19. Viruses install themselves.
      20. Viruses don't try to push out all competition. They just try to do their job.
      21. Virus makers don't try to buy Intuit (makers of Quicken (wouldn't that be fun, America's biggest financial software company owned by a virus maker))
      22. Viruses don't invade and take over PC Magazine, filling it with 100% junk on Win95.
      23. Viruses don't try to copy what Apple does.
      24. There are programs you can buy, or get free to remove viruses.

  4. Great! by Idou · · Score: 3, Funny

    "Second, it can perform a denial-of-service against www.sco.com."

    How do I get it?

    --
    Sdelat' Ameriku velikoy Snova!
    1. Re:Great! by nocomment · · Score: 4, Funny

      "Second, it can perform a denial-of-service against www.sco.com."

      Initial investigation on the Snort mailing list, seems to suggest that it opens up 63 threads that request sco's index page once every 300ms.

      I just installed it on all of my servers ;-)

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    2. Re:Great! by Zutroi_Zatatakowsky · · Score: 2, Funny

      I'm currently scrapping a perfectly fine Gentoo box to install Win98 on it. ;) Well, at least I'll be able to play Fallout 2 again, if that piece of code doesn't use 100% of my cpu.

      --
      All Hail Discordia. Hail Eris. Fnord.
  5. Serves people right.. by Breakfast+Pants · · Score: 5, Funny

    Who the hell is gonna open a 3kb executable from kazaa?

    --
    WHO ATE MY BREAKFAST PANTS?
    1. Re:Serves people right.. by TheOtherChimeraTwin · · Score: 5, Funny

      Oooooh! Does drinking toner refills and spraying windex in your eyes give you SECRET powers?? I've got to go try that right away!

    2. Re:Serves people right.. by cyril3 · · Score: 4, Funny
      I bought a new iron the other day and in capital letters in the instruction book I was told to never iron clothes while I am wearing them and that while I could use the shot of steam while the iron was in an upright position I should not forget the previous instruction about not ironing the clothes I'm wearing.

      I think perhaps the kind of people who would do that do not or cannot read the instruction book anyway but until you realize that you can feel a little unempowered.

    3. Re:Serves people right.. by conan776 · · Score: 2, Funny

      Ooh! I've been drinking the windex and spraying the toner in my eyes. No wonder.

      --
      "Reality is that which, when you stop believing in it, doesn't go away." -- Philip K. Dick
    4. Re:Serves people right.. by johnalex · · Score: 5, Funny

      Gives a new meaning to the saying, "never underestimate the power of stupid people in large groups."

      --
      JA
      http://www.johnalex.org/
  6. DDOS SCO by forsetti · · Score: 4, Funny

    Ok -- which one of you wrote this.....

    --
    10b||~10b -- aah, what a question!
    1. Re:DDOS SCO by Anonymous Coward · · Score: 1, Funny

      I did. ;^)

    2. Re:DDOS SCO by caluml · · Score: 2, Funny
      we're a bit short on the actually doing.

      No, we sometimes sign petitions at petitiononline.com

  7. Virus... by pardasaniman · · Score: 5, Funny

    Back in my day, viruses came in via the boot-sector of floppy drive. You actually had to know fudge to write one.

    You yung whipper-snapper virus writers and your MS holes got it way too easy.

    On one hand it seems to be written by the RIAA, on the other it looks like some linux loony, can it be both?!

    1. Re:Virus... by SiliconAddict · · Score: 5, Funny

      Boot Sectors?! You guys had it lucky.

      In my day we had to throw various insects into giant mainframe machines

    2. Re:Virus... by Haeleth · · Score: 5, Funny

      Ah, but back when I was a lad we didn't have machines to do it for us - we had to catch viruses ourselves by coming into physical contact with infected tissue.

    3. Re:Virus... by smittyoneeach · · Score: 3, Funny

      Tissue? Ohhh, how we would have wallowed in the luxury!
      In my day, single-cell organisms floated about in the primordial ooze, dreaming of the abacus, and hoping to even spot a loose piece of RNA, much less contact it.
      And you try to explain *that* to the youth of today...

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  8. That's not a virus by cdgod · · Score: 2, Funny

    That's a message from God!

    --
    This .Sig is left intentionally humourless.
  9. idiots. by edrugtrader · · Score: 5, Funny

    5 posts so far, and 3 of them are of the "I WANT TO PARTICIPATE IN A SCO.COM DDOS" variety.

    people... that is illegal and not the way to win the fight.

    i'd say more, but i have to go load that virus on my 3 other laptops.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
    1. Re:idiots. by MikeXpop · · Score: 4, Funny
      ...that is illegal and not the way to win the fight...
      --
      WANT TO BUY ILLEGAL DRUGS ONLINE? - EDRUGTRADER.COM! [edrugtrader.com]
      Hmm....
      --
      Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
    2. Re:idiots. by Smidge204 · · Score: 3, Funny

      Trying to DDoS SCO is illegal? What about what /. has been doing nearly every day?

      Oops. I think I hear SCO lawyers slithering out back...
      =Smidge=

    3. Re:idiots. by CGP314 · · Score: 3, Funny

      people... that is illegal and not the way to win the fight.

      Tell that to SCO

      --
      In London? Need a Physics Tutor?

      American Weblog in London

  10. Looking for the virus writer by RY · · Score: 5, Funny

    To show that there are no hard feelings after the virus entered my work network, I would like to invite the virus writer to play a game of baseball.

    Just show up, I'll bring the bat!!!!!!!

  11. Pro SCO PR? Do some counter PR by Dark+Lord+Seth · · Score: 2, Funny

    Attempt to enter some code into some random OSS project that DoSes www.kernel.org or www.gnu.org or something like that then make a big media spectacle out of it. Reveal 'hints' that point to some SCO fanatic inserting the code. On that note, I think SCO is capable of writing a virus to DoS their own site just to get some good PR ammo.

  12. It's true by PatrickThomson · · Score: 2, Funny

    It is DoS'ing SCO - a million slashdotters descend upon the SCO webpage to see if it still stands.

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  13. Re:SCO is down by britneys+9th+husband · · Score: 5, Funny

    Looks like you've figured out how the ddos works. Put "www.sco.com" in the virus, get it mentioned on Slashdot, and the /. effect takes down the site.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
  14. Re:Bad example... by tomhudson · · Score: 2, Funny
    It's NOT obvious that it was written by someone in the Linux community. If you look at who has the most motivation (ie: follow the money), it's certainly NOT the linux community. We know we're going to win, 'cause SCO is already pretty much discredited.

    So who has the motivation? People who've shorted SCO stock and need it to fall, so they can cover their position. People who've invested in SCO and need a reason to sell off without explaining that they bought into something stupid. Not us.

  15. Re:Bad example... by BladeMelbourne · · Score: 4, Funny
    is this really the way to fight against SCO?

    Humour aside, if that was the intention of the virus, it should bring down the SCO email server (mail.sco.com) as well as www.sco.com. This would hurt sales and cause a major inconvenience.

    SCO's lawyers are probably 'creating' a lawsuit as we speak - claiming the portions of the virus are SCO IP. (Which is just as believable as Linux containing SCO's code.)

    SCO could also have written the virus - to hurt the image of their competition.

  16. Re:DOS huh? - karma whoring by chimpo13 · · Score: 2, Funny

    Here's the google cache of the sco site for when the virus takes over.

    SCO, killing orphans and nuns since 1999.

  17. Well... by iswm · · Score: 2, Funny

    No one likes virii... Then again, who likes the SCO either?

    --
    Buckethead
  18. 50 years in the future... by darth_silliarse · · Score: 2, Funny

    Grandfather (gruff Northern English accent): "In my day a virus was a proper virus, it destroyed your hard drive and wiped away your entire silicon existence but we held together lad, together"

    Grandson (wide eyed): "Was that when you had keyboards granddad? Crikey. Pass the DNA-USB dongle over please..."

    --
    I've noticed that everyone who is for abortion has already been born - Ronald Reagan
  19. Why? by Sycraft-fu · · Score: 3, Funny

    Does the virus install its source, whine about the GPL and insist on being called GNU/MyDoom?

  20. Just thought I'd throw in a stray comment... by shaitand · · Score: 3, Funny

    I DO in fact have a paypal account and am willing to accept donations for my contributions to society.

    Send donations to:
    wenNOdoy@SPAMconsolidated.net

  21. Ironic by nurb432 · · Score: 2, Funny

    I hadn't seen one until I started reading this story on here... then I got 2....

    Strange coincidence.

    --
    ---- Booth was a patriot ----
  22. Amen! by Bob+the+Hamster · · Score: 2, Funny

    Amen to that! Stupid virus authors, giving a bad name to all us honest respectable SCO-haters... *grumble*

  23. Re:A threat? Really? by letdownjournals · · Score: 2, Funny

    I always download the attachments that say "I love you."

    Sure, it might be a virus... But I can't take the chance I might miss a secret admirer.

  24. Re:A threat? Really? by tilmanb · · Score: 2, Funny

    > 1) It has a simple text message plus a binary payload attachment.
    > 2) It uses no M$ exploits (patched or unpatched) to install itself.
    > 3) It depends on someone opening the attachment to start an infection.

    Compared to the real world this would be something like:
    "Whoa! There's a black, unmarked bottle on my doorstep that reads 'Returned to sender'. I am quite f*cking sure I did not send this bottle in the first place. So why don't I open and drink it? It can't be dangerous!"

    Anybody with some common sense would not act this way IRL, but with computers it's all different...

    I pity the state of the union :-/

    --
    cd pub; more beer
  25. Re:Also arrives as a zipped executable! by jfengel · · Score: 5, Funny

    First you save the attachment.

    Then you unzip it.

    Then you execute it.

    Why do the virus writers even bother writing code? If people are willing to do all that, it sounds like the next virus will consist solely of the text:

    "Pick a friend at random. Go over to his house and bash his computer with a sledge hammer."

  26. Re:port it to linux! by pfleming · · Score: 2, Funny

    ping www.sco.com
    ping -f www.sco.com
    or how about a crontab entry?

    * * * * * wget -r http://www.sco.com /dev/null

  27. Re:Oh no by Progman3K · · Score: 4, Funny

    >Now Darl seems to have some credibility with the Linux == terrorism threat.

    No, he doesn't; it's a Windows virus, not a Linux virus.

    Windows == terrorism

    Proof that Windows is a danger to national and economic security.

    --
    I don't know the meaning of the word 'don't' - J
  28. the giveaway by tacokill · · Score: 4, Funny

    Alright. Now listen up. Here's the deal....and I'm not accusing anyone...I'm just saying...

    "The worm encrypts most of the strings in it's UPX-packed body with ROT13 method,"


    I *KNOW* it was one of you fuckers...

    1. Re:the giveaway by liquidweb · · Score: 2, Funny

      They should have opted for something more powerful, such as ROT26.

      --
      --- Matthew Hill
      "To quote the self is an act of the self riteous and uninitiated sub-moronic" - Matthew Hill
  29. I'm afraid this is more dangerous than we thought. by Anonymous Coward · · Score: 1, Funny

    OBVIOUSLY, this is an attack by Al Qaeda operatives... now before you mod me down think about this.

    By attacking MS and SCO, they have given both companies leverage against Linux and more FUD than they could create by themselves.

    These terrorists obviously want the US government to back those companies and drive useful (i.e. robust, efficient and able to be used against them) software out of the market.

    Once SCO and MS run things in the US, no one will be able to receive any more useful information or get work done.

    Not to mention the citizens of the US will be so mired down in our inefficient and secured through near martial law practices that they will be too apathetic to care, and too slow to react.

    A brilliant masterstroke...

  30. Ignores addresses containing .edu by Anonymous Coward · · Score: 1, Funny

    Woot!!! I'm off the hook. I can let the AV Server slowly distribute the update through the week rather than panicking and running to every system to make sure it's up to date. Take that .com mies! :)

  31. How I imagine things by skinfitz · · Score: 5, Funny

    it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis.

    Cut to the labs of the antivirus companies:

    Sir! The new virus seems to launch a DDoS against sco.com!

    REALLY? Great work! Now .. lets take our time over this.. no need to rush things now is there? I mean - we wouldn't want to make a mistake or anything now would we?

    Take a 2 day lunch.

  32. Re:I would like to see a study done by Anonymous Coward · · Score: 1, Funny

    who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software. I mean that is a lot of work by someone with at least *some* clue about email. Who is doing this? Is there a profile? Is it generally a home user, or generally at a public school?

    Well, so far, four people out of those allowed to send mass mailings to all Computer Science students at a Penn State branch. Glad to know my parents (and taxpayers, etc.) are getting their money's worth.

  33. Re:This was probably done to defame us by SlashdotLemming · · Score: 2, Funny

    This was probably done to defame us

    With 3 SCO posts a day, I already figured www.sco.com was under constant DOS from this community :)

  34. Re:Funny things on the inside by Odonian · · Score: 2, Funny

    The sync.c,v line is, if I'm not mistaken, a CVS version header. Very likely a linux author. Now all we need to do is round up all the CVS using Linux hackers named "Andy"...

  35. WooHoo by SlightOverdose · · Score: 2, Funny

    For the first time in my life, an email virus has actually ended up in my inbox.

    *sniff*

    I'm so happy. Somebody actually has me in their address book. :)

  36. How long before... by graveyardduckx · · Score: 1, Funny

    How long before SCO claims ownership over this code too?

  37. Re:Finally! ...now for a bit of help... by Dr.+GeneMachine · · Score: 3, Funny

    Yeah, I suggest removing all CD/DVD/Floppy and whatever drives and ripping the network cable out of the wall. Better yet, disconnect the power supply... Voila - secure system.

    --
    This comment does not exist.
  38. Re:Amazing... and just plain wrong. by nordicfrost · · Score: 2, Funny

    I've even heard a guy who claimed that the anti-virus companies' employees write the viruses... either with the companies' knowledge or not. He claimed that they did this to "keep the demand up for AntiVirus software." Now that's scary.

    A good friend of mine works in the anti-virus industry. I asked him the same questions about them making their own viruses to stay alive. His response was: "We still get enough business to stay alive from sircam and friends. If we wrote and published our own in addition, we'd be bigger than Microsoft now."

  39. and of course an idiotic reply from MS. by cabazorro · · Score: 1, Funny

    and to add insult to the injury a reply
    from MS Expert Christopher Budd:
    From the press:
    "Christopher Budd, a security program manager
    with Microsoft, said the worm does not appear to
    take advantage of any Microsoft product
    vulnerability."
    Squeeze me?
    Baking powder?
    Where do the address books (key ingredient
    to the virus transport mechanism) come from?
    Unix PINE?
    Gnome EVOLUTION?

    talk about a moron from moronia!

    --
    - these are not the droids you are looking for -
  40. off-topic note by liquidsin · · Score: 3, Funny

    Google now shows Caldera as the first hit for a search on "litigious bastards", while www.litigiousbastards.com (a site about SCO) comes up about five down. Go team!

    --
    do not read this line twice.