Slashdot Mirror
Today's Windows Virus - MyDoom / Novarg
Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec
and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
Finally, a worthwhile virus!!
Common sense is not so common.
i just got the patch off of kazaa... sweet jesus, just in the knick of time.
whew.
i was scared there for a ss.....[NO CARRIER]
MARIJUANA, SHROOMS, X: ONLINE?! - E
"Second, it can perform a denial-of-service against www.sco.com" Will this be the first virus I willingly load on my machine?
Who the hell is gonna open a 3kb executable from kazaa?
--
WHO ATE MY BREAKFAST PANTS?
Here's another story.
Funny that I come to submit the article and already find it at the top of the page...
Ok -- which one of you wrote this.....
10b||~10b -- aah, what a question!
Back in my day, viruses came in via the boot-sector of floppy drive. You actually had to know fudge to write one.
You yung whipper-snapper virus writers and your MS holes got it way too easy.
On one hand it seems to be written by the RIAA, on the other it looks like some linux loony, can it be both?!
5 posts so far, and 3 of them are of the "I WANT TO PARTICIPATE IN A SCO.COM DDOS" variety.
people... that is illegal and not the way to win the fight.
i'd say more, but i have to go load that virus on my 3 other laptops.
MARIJUANA, SHROOMS, X: ONLINE?! - E
"Second, it can perform a denial-of-service against www.sco.com."
;-)
Initial investigation on the Snort mailing list, seems to suggest that it opens up 63 threads that request sco's index page once every 300ms.
I just installed it on all of my servers
/* oops I accidentally made a comment, sorry */
Second, it can perform a denial-of-service against www.sco.com
Great. This will give SCO some good PR ammo. Thanks guys.
Obviously, SCO has many ennemies. Most of them are probably nix users and the public knows that. If we want to have the public favor OSS, reputation is also important.
Just my 0.02$
DrkBr
Think about it. Until now, the Linux community has seemed very innocent over this whole issue. It's simply a matter of a company trying to oppress people for it's own gain (at least in the courts' eye). When people start doing illegal things such as writing viruses to get back at SCO, on the other hand, the Linux community loses much of its innocence. Look beyond the surface; this is a big PR hit for the Linux community. Remember the debate when SCO was DDoSed? This is the same thing, but much worse, and on a larger scale. Writing a virus in itself is illegal, given their nature, and a DDoS is also illegal (I'm not counting Slashdottings and the like).
Hi,
I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.
Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.
Jib
Our virus filtering usually quarantines around 40 messages per hour. Right now we're seeing over 1600 per hour.
At least the MRTG graphs are pretty.
Why on earth would you assume that it would be some fringe Linux zealot? It could be a pissed off SCO employee, an investor, someone from IBM, any number of UNIX developers. SCO pissed off a lot of people and you don't actually HAVE to use Linux or even care about it to be smart enough to exploit a dumbass Windows user's gullibility.
The only thing more blatantly paranoid than YOUR comment would be to say that Darl himself wrote and released it to make people like you say things like that. Except, Darl is a meathead and I doubt he can spell his own name, so I doubt he wrote it.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
To show that there are no hard feelings after the virus enterd my work network, I would like to invite the virus writer to play a game of baseball.
Just show up, I'll brng the bat!!!!!!!
Unlike some other *cough* commercial virus scanners. If you have your MTA setup properly with clamav (like qmail+qmail-scanner), a simple "freshclam --stdout" will do, then watch the "SCO.A" log messages scroll on by.
Let me get this straight:
1) It has a simple text message plus a binary payload attachment.
2) It uses no M$ exploits (patched or unpatched) to install itself.
3) It depends on someone opening the attachment to start an infection.
And after all this time, people are still clicking on binary attachments? Great googly moogly. At least this sucker is only 20-40K. I'm sick of the 140-160K ones swamping my hotmail account. This one will barely be an annoyance.
To quote Evil Willow Rosenberg: "Bored now."
Design for Use, not Construction!
"Second, it can perform a denial-of-service against www.sco.com."
Even though I do not approve of SCO's actions against Linux and the open source movements, the spread of a DOS attack against SCO's website is downright wrong. You should be ashamed of the fact that you place yourself one the side of the people who think it is indeed funny to take a company's site down. Does it really matter if they are a hated group? A DOS attack is just plain wrong. In fact, it might be the lowest form of 'revenge' out there.
If you continue to support these crackers, then SCO is no longer the big Goliath, and SCO's allegations about the dirty open source movement have some validity. The statement, "hey, it's SCO" proves that we are indeed as worse as McBride. If we want to be victorious in the open source/Linux vs. SCO, then we must hold ourselves higher than supporting DOS attacks against SCO.
Absence of data, hmmm....You guys wouldn't happen to work for sco would you?
Now Darl seems to have some credibility with the Linux == terrorism threat. Good going, guys....
I'm not so sure, this was obviously done by a WINDOWS hacker. Most of the Linux hackers I know have no freaking idea about MS Windows internals and they honestly don't even care for that sort of "knowledge".
If programs would be read like poetry, most programmers would be Vogons.
Looks like you've figured out how the ddos works. Put "www.sco.com" in the virus, get it mentioned on Slashdot, and the /. effect takes down the site.
Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
Humour aside, if that was the intention of the virus, it should bring down the SCO email server (mail.sco.com) as well as www.sco.com. This would hurt sales and cause a major inconvenience.
SCO's lawyers are probably 'creating' a lawsuit as we speak - claiming the portions of the virus are SCO IP. (Which is just as believable as Linux containing SCO's code.)
SCO could also have written the virus - to hurt the image of their competition.
that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software. I mean that is a lot of work by someone with at least *some* clue about email. Who is doing this? Is there a profile? Is it generally a home user, or generally at a public school? Is it that there is a subset of people that for their own sick reasons *always* runs infection attachments just to watch the LAN go down so they can go home early? I'm becoming suspicious [tinfoil hat goes on and is pulled down hard]
=^..^= all your rodent are belong to us
To all the people who are busy vaulting onto their high horse, ready to scold the Slashdot community for our apparent complicity in this, don't bother. I get so sick of the holier-than-thou attitudes that people cop when the "Linux community" does something to "make Linux look bad".
First off, why do you assume that the person who wrote the virus is reading Slashdot?
Second, how do you know he or she isn't cackling with glee over the froth you guys are working up?
Third, what exactly the hell am I supposed to do about this virus, given that I didn't write it and most likely don't know the person who did write it? Feel bad for SCO?
If I were a script kiddie, this is exactly the effect I'd go for; try to piss off Windows users and Linux users all in one shot.
Face it, the "Linux community" is made up of lots and lots of different people, and it only takes a handful to make life harder for the rest of us. But scolding Slashdot isn't going to do anything other than make yourself feel good.
Jay (=
NEVER underestimate the power of human stupidity.
Browse at -1, because trolls are often the most creative part of
SCO just started yet another lawsuit, this time with Novell. Now the financial types could be recalculating how many quarters until SCO runs out of cash and has to cease operations. Let's not let them get distracted by stupid email tricks.
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr|zip|bat|cmd)"
Looks like it works:
wee@foo:~$ grep 'mail/virus' .procmaillog | wc -l
21
Not terribly effcient, but every little bit helps.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
First you save the attachment.
Then you unzip it.
Then you execute it.
Why do the virus writers even bother writing code? If people are willing to do all that, it sounds like the next virus will consist solely of the text:
"Pick a friend at random. Go over to his house and bash his computer with a sledge hammer."
Then you're obviously failing to communicate to your mother the gravity of the situation. In all the years my mother used a Windows machine her computer did not have one virus. The rules are very simple. I also have no trouble at the office. With the exception of the H.R. guy who must open attachments (primarily Word documents) in order to read people's resumes it's been a long time since we had any viruses running on any machines in the Hampton office. Furthermore, through a mistake either my boss or I had made we hadn't set his machine to update virus definitions automatically so I give the H.R. guy a lot of credit for having avoided viruses without it.
It certainly doesn't hurt to have a Symantec Anti-Virus Corporate Edition and to be running Novell GroupWise instead of Microsoft Outlook^WOutbreak but it's not the end-all of virus protection either. Proper user education is an important part of running a network. I keep the users at the office informed about how viruses work and how they propagate. I let them know that I've done all I can and that it's up to them to use their good judgement. I remind them that message headers are just as easily forgeable as the return address on an envelope.
It's worth the time. I'm not saying I just wrote one message and all viruses were gone. I wrote several. I talked face to face with people in the office about it. I ask them what they think about viruses and spam. I give them the information they need to make informed decisions. In the end, it makes my life a lot easier.
The simple problem is that people don't know unless you tell them. They only hear what Tom Brokaw or Katie Couric tells them. Tell them how it really works and they will understand and try their best. A few will slip up. Don't be mad at them, just explain things again so they understand.
The only case where this won't work is if you have a high employee turnover. If you do then let your boss know that viruses are simply another cost of high employee turnover. If you do that then he will have the information he needs to make an informed business decision. Maybe he'll decide it's worth taking some measures to keep people around. Put it in terms of dollars. Do whatever it takes but viruses can become a thing of the past if more companies started to do this.
Because clicking on an attachment shouldn't do anything. Only a fascist pig with a read-only mind would think it even a remotely good idea for an email client (note: "email client", as in handles email. The term, "program launcher" isn't expressed or implied anywhere in there) to load and launch an attachment.
There are very narrow cases where it's okay to do something. If its MIME type is text/plain, it's okay to display it. If it's MIME type is text/html, it might be okay to display it (providing you block JavaScript execution). If it's a media file (image/whatever, audio/whatever), then it's probably okay to launch a viewer or display it inline. If it's a compressed archive, it's probably okay to display a listing of its contents (automatically unpacking it is right out). And finally, if it's executable, a warning should be displayed before you allow the user to save -- not launch, save -- the attachment.
Always believe the MIME type. If the filename extension and the MIME type conflict, and you are saddled with an OS designed by orangutans where the three character extension of the filename determines its type, then append to the filename the OS's local extension representing that MIME type before handing off for subsequent interpretation.
Despite how many times The Finest Engineers Working In The Industry have fscked this up, this is not, and never has been, rocket science.
Schwab
Editor, A1-AAA AmeriCaptions
>Now Darl seems to have some credibility with the Linux == terrorism threat.
No, he doesn't; it's a Windows virus, not a Linux virus.
Windows == terrorism
Proof that Windows is a danger to national and economic security.
I don't know the meaning of the word 'don't' - J
Bruce
Bruce Perens.
Alright. Now listen up. Here's the deal....and I'm not accusing anyone...I'm just saying...
"The worm encrypts most of the strings in it's UPX-packed body with ROT13 method,"
I *KNOW* it was one of you fuckers...
I hate to say it, but Norton Anti-Virus doesn't exactly inspire much confidence with me to begin with.
I've removed a *bunch* of back-door trojan horse programs (MovieWorld and so forth) from Windows PCs that were running Norton AntiVirus 2003 with all the latest signature updates being "Live Updated". The freeware AVG Anti-Virus personal edition found them, as did a relatively unknown scanner called Avast.
Why is it people have to pay $30+ per year for a subscription renewal for a big-name, commercial scanner that can't even find things the freeware packages find and remove?
Air-traffic control systems don't run no Linux. They either run QNX or SCO.
Linux in Air Traffic Control
All Hail Discordia. Hail Eris. Fnord.
Well I have my copy! Arrived in my fiancee's inbox this afternoon. She helped me analyze it in Linux over the phone. (She's a biblical scholar when she's not hacking. What's not to love? :) Well we ran strings on it, among other things: it contains a few nuggets:
/abcdU VWXYZ
;-)
o Part way down the strings output there the following:
(sync.c,v 0.1 2004
1/xx
: andy)
Weird.
sync.c: I believe is a linux kernel file? Maybe it was written on Linux? Who knows.
o Further down is:
notepad %s
Message
This is consistent with the notepad screenshot on McAfee.com
o Then some more weirdness:
ghijklm
pqrstNwxyzg
ABCDEFGHIJKLMNOPQRST
I guess this cracker knows the alphabet. I am impressed!
o More funniness:
Sack_i
smith[C
&joe?neo/
Matrix fan?
o gold-Pxc
I guess this is reference to the electronic banking system it attacks
o Further down:
USERPROFI
Going for the registry I see...
o More sequences
ASCII
r=it f
0aA!0123456789+
My guess is that the sequences are character food for the random message generator
o Towards the end:
Libra
I guess this hacker is indecisive
o Finally, it wraps up with a list of windows dlls and function names.
-ghostis
our comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.our comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted. lameness filter food
Computer Science is all about trying to find the right wrench to bang in the right screw. -T.Cumbo?
it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis.
.. lets take our time over this.. no need to rush things now is there? I mean - we wouldn't want to make a mistake or anything now would we?
Cut to the labs of the antivirus companies:
Sir! The new virus seems to launch a DDoS against sco.com!
REALLY? Great work! Now
Take a 2 day lunch.
The social engineering on this one isn't half bad.
.zip file was "readme.txt%20%20%20%2020%20%20%2020%20%20%20.scr" , which shows as "readme.txt" in the Windows GUI.
The first one I got looked like a bounce message, with text saying there were some non-7bit characters so the full message would be in an attachment.
The payload inside the
Believe it or not, there are mailers in the Windows world that send bounces with the original message as an attachment. This worm could easily fool someone who wasn't technical or wasn't paranoid.
Well, as proprietor of some anti-SCO websites, let me weigh in here:
/., and what do I see? A virus attacking SCO!
.pif, .scr, .zip file extensions.
.pif or .scr. Until the antivirus
companies release the definition files to detect this new virus, we are
banning the .zip extension also.
As soon as our vendors update the definition files, we will remove
the ban on the .zip extension.
ARE YOU IDIOTS INSANE?
(FYI, I am a college student, U of W @ Madison) I didn't hear about this new virus until now. But at about 4:30 PM today, I get this email from an attractive, intelligent female friend of mine from high school. She goes to Knox College in Illinois. (Let's call her Kristin) The email is listed below in it's entirety, but basically it says watch out for this new virus. So I figure, OK, maybe some stupid Bagle (Beagle, whatever) virus variation has come out, and computer illiterate college students haven't figured out how to push the big Update button on their virus scanners. No biggie.
So late evening, around 6:30 PM, I go to a student government meeting (contrary to published doctrine, some college students actually give a shit about what's happening in the world.) I get back, check
Now, I think everyone here knows I dislike SCO. I own websites that are anti-them (Check my sig, the scolawsuit.com link above, and Litigiousbastards.com linking campaign. But this is not the type of publicity we need. This gives SCO more ammunition, when it needs less. Guess what? The public equates viruses like this to terrorism. The average Joe Sixpack will think "Oh, this poor company's getting hurt by terrorism! These gosh darn Linux assholes are terrorists!" Can you say Guantanamo Bay?
If you want to DOS someone, do something constructive like sending an email to a Congressman/woman, donate to Groklaw.
(And yes, I must admit, and in the spirit of fairness, I was laughing out loud when I saw this article)
My friend's letter:
Hey everyone - Just something you might want to be aware of even with the virus protection software that you have. School is going well, and I am really enjoying myself here. I have a lot of work, but I am having fun. I even had a bat in my room, which was interesting. Ok, time to go back and do homework.
Kristin
=Original Message=
From: "M. Sean Riedel"
Date: Mon, 26 Jan 2004 15:59:33 -0600
A new virus, yet to be named, is spreading quickly and has slipped by many AntiVirus applications. If you have received a message with the following parameters, delete it immediately without opening the attachment. You will only become infected if you open the attachment.
The common factor in its profile is that it carries an unsolicited attachment. So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl" attached to messages all with either the
We already ban extensions of
As always, if you receive messages with attachments from anyone you do not know or unexpected attachments from people you do know, don't open them. If the message is from an unknown party, just delete it. If it is from someone you know, verify with that person that the attachment was intended since many viruses will forge the sender.
M. Sean Riedel
Computer Center
Knox College
Did anyone bother to read the details?
SCO hasn't been attacked yet. It doesn't kick in until Feb 1st and then it doesn't even go for two weeks.
How kind of virus writers to put a time cap on how long it does damage.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Darl will say Linux supporters must have done it, and the media will quote him, and clueless people will read it and associate whoever did it with us. So while we know it wasn't "one of us" and we don't support it (except in jest), people will read otherwise. We unfortunately don't get to choose who the public associates us with.
Litigious bastards