Slashdot Mirror

← Back to Stories (view on slashdot.org)

Today's Windows Virus - MyDoom / Novarg

Posted by timothy on from the are-you-virus-capable dept.

Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.

16 of 847 comments (clear)

  1. Reuters Story by ThousandStars · · Score: 5, Informative

    Here's another story.

    Funny that I come to submit the article and already find it at the top of the page...

  2. ClamAV to the rescue by Jibber · · Score: 5, Informative

    Hi,

    I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.

    Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.

    Jib

  3. ClamAV already has updated definitions. by Anonymous Coward · · Score: 4, Informative

    Unlike some other *cough* commercial virus scanners. If you have your MTA setup properly with clamav (like qmail+qmail-scanner), a simple "freshclam --stdout" will do, then watch the "SCO.A" log messages scroll on by.

  4. Re:DDOS SCO by tomhudson · · Score: 3, Informative
    Ok -- which one of you wrote this.....

    Nobody from here - we would have just done it with a perl script or some javascript embedded in an html emails' <body onload="melt_the_litigious_bastards_servers()"> tag.
    Hmmm .... now let's see...

  5. Re:Serves people right.. by swordboy · · Score: 5, Informative

    Who the hell is gonna open a 3kb executable from kazaa?

    The same idiots who install it.

    Kazaa is not secure. It installs spyware that monitors keyboard activity. If you type an email address on a PC that has Kazaa, that address will be spammed into oblivion. Webshots does the same thing. Not directly, but through one of many third party applications that are installed silently.

    --

    Life is the leading cause of death in America.
  6. Procmail to the rescue by Wee · · Score: 4, Informative
    A few people get mail off my personal domain. They're all Windows users. I added this to my .procmailrc file:

    :0 B
    * ^ *Content-Disposition: attachment;
    * filename=".*\.(pif|exe|scr|zip|bat|cmd)"
    /home/wee/mail/virus

    Looks like it works:

    wee@foo:~$ grep 'mail/virus' .procmaillog | wc -l
    21

    Not terribly effcient, but every little bit helps.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  7. Also breaches security by Anonymous Coward · · Score: 3, Informative

    "W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer."

    From www.sophos.com

  8. Re:Virus... by interiot · · Score: 4, Informative

    Well, it allegedly opens a backdoor on port 3127, so I'd think you'd either want to not run it at all, or make sure you will be able to keep your firewall up until such time that you verify the virus is completely removed from your system.

  9. Re:Dark Side of Linux Developers by Zutroi_Zatatakowsky · · Score: 4, Informative

    Air-traffic control systems don't run no Linux. They either run QNX or SCO.

    Linux in Air Traffic Control

    --
    All Hail Discordia. Hail Eris. Fnord.
  10. Working (and selective) procmail recipe by Rex+Code · · Score: 3, Informative
    OK, that first attempt was useless. But after a little debugging here's one that seems to be doing the trick. If there are filenames that I haven't seen yet it's easily extended. It's also not so brute force as to toss out all zip attachments -- only ones with the "poisoned" filenames:

    :0 B
    * ^ *Content-Disposition: attachment;
    * filename="(message|body|document|doc|data|readme|t ext)\.zip"

    /yourlogdir/SPAM-VIRUSES-NOVARG

  11. Funny things on the inside by ghostis · · Score: 4, Informative

    Well I have my copy! Arrived in my fiancee's inbox this afternoon. She helped me analyze it in Linux over the phone. (She's a biblical scholar when she's not hacking. What's not to love? :) Well we ran strings on it, among other things: it contains a few nuggets:

    o Part way down the strings output there the following:

    (sync.c,v 0.1 2004
    1/xx
    : andy)

    Weird.

    sync.c: I believe is a linux kernel file? Maybe it was written on Linux? Who knows.

    o Further down is:

    notepad %s
    Message

    This is consistent with the notepad screenshot on McAfee.com

    o Then some more weirdness: /abcd
    ghijklm
    pqrstNwxyzg
    ABCDEFGHIJKLMNOPQRSTU VWXYZ

    I guess this cracker knows the alphabet. I am impressed!

    o More funniness:

    Sack_i
    smith[C
    &joe?neo/

    Matrix fan?

    o gold-Pxc

    I guess this is reference to the electronic banking system it attacks

    o Further down:

    USERPROFI

    Going for the registry I see...

    o More sequences

    ASCII
    r=it f
    0aA!0123456789+

    My guess is that the sequences are character food for the random message generator

    o Towards the end:

    Libra

    I guess this hacker is indecisive ;-)

    o Finally, it wraps up with a list of windows dlls and function names.

    -ghostis

    our comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.our comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted. lameness filter food

    --


    Computer Science is all about trying to find the right wrench to bang in the right screw. -T.Cumbo?
  12. Re:This was probably done to defame us by Guppy06 · · Score: 5, Informative

    "We're about the last people who would be out writing Windows viruses."

    Try reading at -1 every once in a while.

  13. Re:A threat? Really? by Beryllium+Sphere(tm) · · Score: 5, Informative

    The social engineering on this one isn't half bad.

    The first one I got looked like a bounce message, with text saying there were some non-7bit characters so the full message would be in an attachment.

    The payload inside the .zip file was "readme.txt%20%20%20%2020%20%20%2020%20%20%20.scr" , which shows as "readme.txt" in the Windows GUI.

    Believe it or not, there are mailers in the Windows world that send bounces with the original message as an attachment. This worm could easily fool someone who wasn't technical or wasn't paranoid.

  14. It's not the usual cast of idiots by AndroidCat · · Score: 3, Informative

    The executable is way too small (22,528 bytes compressed vs. 150k+ for most of the usual trash by spammers). I certainly doubt it was written in VB.

    --
    One line blog. I hear that they're called Twitters now.
  15. Re:Finally! by vanillaspice · · Score: 4, Informative

    Actually, if you really want to know where you can get it, the virus deposits a text file, very cookie-like, in a Windows user's Temporary Internet Files folder that points to a site called http://russnelson.com which ostensibly belongs to a man who works for a software company in upstate New York. And if you really want to download that cookie (and potentially the .scr file), you can go to russnelson.com/mydoom.

  16. Re:Call me stupid, but... by BenjyD · · Score: 3, Informative

    I doubt you've got the virus. The virus has probably used your email address as the return address, so that you get the bounces despite not having the virus. I've received lots of virus warning bounces, mostly sent to "helen@benroe.com" and "serg@benroe.com", which aren't email addresses I use (obviously).