Today's Windows Virus - MyDoom / Novarg
Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
What leads you to believe a Linux developer is behind this? I say it is just as likely to be someone who hates Linux and wants to make it look bad (out of work MCSE maybe? :) ). Possibly even SCO themselves; would that really be that strange given everything else they have done up to this point?
Strike that, it would be strange if SCO still had anyone working for them that could code.
Finkployd
Our virus filtering usually quarantines around 40 messages per hour. Right now we're seeing over 1600 per hour.
At least the MRTG graphs are pretty.
What leads you to believe this is someone from the Linux community? I say it is equally likely someone who hates Linux and wants to make it look bad. Out of work MCSE? SCO employee (assuming they still have people there who can code)? Who knows. Given that this whole SCO mess has been nothing more than a PR war I wouldn't put it past them to have someone do this to improve their image.
Finkployd
http://vil.nai.com/vil/content/v_100983.htm
(Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.
UNIX? They're not even circumcised! Savages!
that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software. I mean that is a lot of work by someone with at least *some* clue about email. Who is doing this? Is there a profile? Is it generally a home user, or generally at a public school? Is it that there is a subset of people that for their own sick reasons *always* run infected attachments just to watch the LAN go down so they can go home early? I'm becoming suspicious [tinfoil hat goes on and is pulled down hard]
=^..^= all your rodent are belong to us
I think www.sco.com as we know it will probably have traffic from this virus FOREVER. Virii don't go away. Hell, I still see hits from code red in my logs. How long ago was that? SCO is looking at the very least a week of MAJOR traffic, more likely at least a month. Then if somehow the virus dies down a bit, they will probably see a couple hundred megabytes of virus traffic a day at least.
In fact, unless I miss my guess, this is how it infects you:
1. Receive mail.
2. Open mail.
3. Double-click attachment. This opens the archive.
4. Double-click the payload inside the attachment, thus executing it.
5. Get infected. Lather, rinse, repeat.
So, in order to get infected, you have to open a suspect file inside a suspect archive inside a suspect e-mail.
And it's spreading like wildfire. I was going to ask "are people really this dumb", but I guess the empirical data available makes that question moot...
-HubCity
Altrok & Altrok Radio
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
Sure, I can write a fake su or sudo in three lines of bash script. The way beginner Linux distros sudo their way to hell, zillions of users will be affected by this the day Linux gets to the vast unwashed desktop masses.
Because clicking on an attachment shouldn't do anything. Only a fascist pig with a read-only mind would think it even a remotely good idea for an email client (note: "email client", as in handles email. The term, "program launcher" isn't expressed or implied anywhere in there) to load and launch an attachment.
There are very narrow cases where it's okay to do something. If its MIME type is text/plain, it's okay to display it. If its MIME type is text/html, it might be okay to display it (providing you block JavaScript execution). If it's a media file (image/whatever, audio/whatever), then it's probably okay to launch a viewer or display it inline. If it's a compressed archive, it's probably okay to display a listing of its contents (automatically unpacking it is right out). And finally, if it's executable, a warning should be displayed before you allow the user to save -- not launch, save -- the attachment.
Always believe the MIME type. If the filename extension and the MIME type conflict, and you are saddled with an OS designed by orangutans where the three character extension of the filename determines its type, then append to the filename the OS's local extension representing that MIME type before handing off for subsequent interpretation.
Despite how many times The Finest Engineers Working In The Industry have fscked this up, this is not, and never has been, rocket science.
Schwab
Editor, A1-AAA AmeriCaptions
Bruce
Bruce Perens.
What if a virus were written by the RIAA? It could plant itself, activate when it sees a violation, and report the user over the internet.
Similar to the way the FBI operates. Only the FBI (usually) uses warrants.
Well, as proprietor of some anti-SCO websites, let me weigh in here:
(FYI, I am a college student, U of W @ Madison) I didn't hear about this new virus until now. But at about 4:30 PM today, I get this email from an attractive, intelligent female friend of mine from high school. She goes to Knox College in Illinois. (Let's call her Kristin) The email is listed below in its entirety, but basically it says watch out for this new virus. So I figure, OK, maybe some stupid Bagle (Beagle, whatever) virus variation has come out, and computer illiterate college students haven't figured out how to push the big Update button on their virus scanners. No biggie.
So late evening, around 6:30 PM, I go to a student government meeting (contrary to published doctrine, some college students actually give a shit about what's happening in the world.) I get back, check /., and what do I see? A virus attacking SCO!
ARE YOU IDIOTS INSANE?
Now, I think everyone here knows I dislike SCO. I own websites that are anti-them (Check my sig, the scolawsuit.com link above, and the Litigiousbastards.com linking campaign). But this is not the type of publicity we need. This gives SCO more ammunition, when it needs less. Guess what? The public equates viruses like this to terrorism. The average Joe Sixpack will think "Oh, this poor company's getting hurt by terrorism! These gosh darn Linux assholes are terrorists!" Can you say Guantanamo Bay?
If you want to DOS someone, do something constructive like sending an email to a Congressman/woman, or donate to Groklaw.
(And yes, I must admit, and in the spirit of fairness, I was laughing out loud when I saw this article)
My friend's letter:
Hey everyone - Just something you might want to be aware of even with the virus protection software that you have. School is going well, and I am really enjoying myself here. I have a lot of work, but I am having fun. I even had a bat in my room, which was interesting. Ok, time to go back and do homework.
Kristin
=Original Message=
From: "M. Sean Riedel"
Date: Mon, 26 Jan 2004 15:59:33 -0600
A new virus, yet to be named, is spreading quickly and has slipped by many AntiVirus applications. If you have received a message with the following parameters, delete it immediately without opening the attachment. You will only become infected if you open the attachment.
The common factor in its profile is that it carries an unsolicited attachment. So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl" attached to messages all with either the .pif, .scr, .zip file extensions.
We already ban extensions of .pif or .scr. Until the antivirus companies release the definition files to detect this new virus, we are banning the .zip extension also.
As soon as our vendors update the definition files, we will remove the ban on the .zip extension.
As always, if you receive messages with attachments from anyone you do not know or unexpected attachments from people you do know, don't open them. If the message is from an unknown party, just delete it. If it is from someone you know, verify with that person that the attachment was intended since many viruses will forge the sender.
M. Sean Riedel
Computer Center
Knox College
Did anyone bother to read the details?
SCO hasn't been attacked yet. It doesn't kick in until Feb 1st and then it doesn't even go for two weeks.
How kind of virus writers to put a time cap on how long it does damage.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
When I first heard about this, I had to laugh out loud... "All targeting www.sco.com? Ha!"
Then, the phone rang, and I had my first 2 computers infected on my network. It was 3pm, and it was first discovered at about 1pm. (PST)
This is no laughing matter.
Whoever wrote this was quite the skilled assassin: Works on 95 thru XP machines? Transports by mail with its own SNMP daemon? Spreads over Kazaa? This is very well planned.
The thought that a pro-Linux activist did this disgusts me. There is no way this can be good for Linux's fight against SCO. Hopefully it can be proved to originate from somewhere, because if it comes from a Linux user, the Linux community will damn him. If it comes from anywhere else, then the extra leverage on the SCO vs. Linux suit will be lifted.
Then we have the conspiracy theorists: SCO wrote it themselves! Now that's funny... unless it turns out to be true.
I've even heard a guy who claimed that the anti-virus companies' employees write the viruses... either with the companies' knowledge or not. He claimed that they did this to "keep the demand up for AntiVirus software." Now that's scary.
If I have anybody in the world to blame for this, I'd like to blame the following, who made this possible: 1. Microsoft and their horribly easy to infect OS and mail client, and 2. Kazaa for helping the community spread filth.
And SCO: I disagree with your suit against Linux and Co., but you do not deserve this attack. The rest of the world also does not deserve to help clean up this mess of which you are the obvious target.
*Sigh*... I'll be up late getting ready for tomorrow's onslaught of computers to disinfect.
Pathway
I un-UPX'd the virus and looked at the text strings. It struck me as a little odd that those related to email headers are ROT-13'd (no kidding, they really are). I've looked at a lot of email trojans, and this is the first time I've seen that done. Here's a sample:
    K-ZFZnvy-Cevbevgl: Abezny
    K-Cevbevgl: 3
    Pbagrag-Glcr: zhygvcneg/zvkrq;
        boundary="%s"
    ZVZR-Irefvba: 1.0
unROT-13'd, it becomes:
    X-MSMail-Priority: Normal
    X-Priority: 3
    Content-Type: multipart/mixed;
        obhaqnel="%f"
    MIME-Version: 1.0
Another ROT-13'd string in the virus:
FZGC Freire Fbsgjner\Zvpebfbsg\Vagrearg Nppbhag Znantre\Nppbhagf
decodes to:
SMTP Server Software\Microsoft\Internet Account Manager\Accounts
Overall, I get the impression that this is a one-shot by someone who isn't normally in the virus creation business, so to speak. It just doesn't "look right".
Anyone who's disassembled it have any comments on how it's constructed?
~REZ~ #43301. Who'd fake being me anyway?
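The ROT-13'd strings REZ found above mean a plain `strings | grep` for SMTP header names finds nothing in the unpacked sample. The following is an added example (not code from the post or from any AV vendor) showing two defender-side checks: matching the ROT-13 form of the known cleartext strings, and a generic triage pass that ROT-13s every printable run and keeps the ones that decode into mail-related keywords. The byte buffer it scans is constructed here from the strings quoted in the post; it is not taken from a real binary.

```python
import codecs
import re

def rot13(text: str) -> str:
    """ROT-13 is its own inverse, so one helper both encodes and decodes."""
    return codecs.decode(text, "rot_13")

# Cleartext strings the post recovered from the unpacked sample.
KNOWN_STRINGS = [
    "X-MSMail-Priority: Normal",
    "Content-Type: multipart/mixed;",
    "MIME-Version: 1.0",
    "SMTP Server Software\\Microsoft\\Internet Account Manager\\Accounts",
]

def scan_known(blob: bytes, strings=KNOWN_STRINGS):
    """Return the cleartext strings whose ROT-13 form occurs in blob.
    Searching for the cleartext itself (a plain strings | grep) finds nothing."""
    return [s for s in strings if rot13(s).encode("latin-1") in blob]

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
KEYWORDS = ("MIME", "SMTP", "Content-Type", "Microsoft", "Priority")

def find_rot13_strings(blob: bytes):
    """Generic triage for an unknown sample: ROT-13 every printable run and keep
    the ones that decode into text containing a keyword a mass mailer needs."""
    found = []
    for m in PRINTABLE_RUN.finditer(blob):
        enc = m.group().decode("ascii")
        dec = rot13(enc)
        if any(k in dec for k in KEYWORDS):
            found.append((enc, dec))
    return found

# Constructed stand-in for part of the unpacked binary: filler bytes around the
# ROT-13'd strings quoted in the post. Not bytes from any real sample.
SAMPLE_BLOB = (
    b"\x00\x90\x90MZ filler\x00"
    + rot13("X-MSMail-Priority: Normal").encode("ascii") + b"\x00"
    + rot13("MIME-Version: 1.0").encode("ascii") + b"\x00\xff\xfe"
    + rot13(KNOWN_STRINGS[3]).encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    print("cleartext present:", b"X-MSMail-Priority" in SAMPLE_BLOB)   # False
    print("ROT-13 matches:", scan_known(SAMPLE_BLOB))
    for enc, dec in find_rot13_strings(SAMPLE_BLOB):
        print(f"{enc!r} -> {dec!r}")
```

The keyword list is a starting point for triage; any string that decodes into readable header or registry text is worth a second look, whether or not it matches the list.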