Slashdot Mirror


Today's Windows Virus - MyDoom / Novarg

Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.

43 of 847 comments

  1. Finally! by someonehasmyname · · Score: 5, Funny

    Finally, a worthwhile virus!!

    --
    Common sense is not so common.
    1. Re:Finally! by Anonymous Coward · · Score: 5, Funny

      Is there a Linux port yet???

    2. Re:Finally! by MicktheMech · · Score: 5, Funny

      Not quite. This virus contains SCO IP. The DDOS is actually the infected host sending credit card info to pay SCO $699 for the license.

    3. Re:Finally! by Zocalo · · Score: 5, Interesting

      *Now* you tell me, I'd have kept the damn thing if I'd known (joke)! I've just finished updating my Virus signatures after a copy of this sucker slipped by the set I only got this morning. If you are running McAfee on your Windows boxen the latest DAT/SDAT at time of writing (4318) is NOT sufficient! You also need the Extra.DAT file which you can grab from here:

      http://vil.nai.com/vil/content/v_100983.htm

      (Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Finally! by bangular · · Score: 5, Interesting

      I think www.sco.com as we know it will probably have traffic from this virus FOREVER. Virii don't go away. Hell, I still see hits from code red in my logs. How long ago was that? SCO is looking at the very least a week of MAJOR traffic, more likely at least a month. Then if somehow the virus dies down a bit, they will probably see a couple hundred megabytes of virus traffic a day at least.

    5. Re:Finally! by cyril3 · · Score: 5, Funny

      Yeah right.

      The last time someone told me I needed the latest virus patch I got into a shit load of trouble.

      And they were from Microsoft.

      You think I'm going to believe you. I hit that link and my soul belongs to some Romanian gangster.

      I'm not that stupid.

    6. Re:Finally! by Joel+Carr · · Score: 5, Funny

      You also need the Extra.DAT file which you can grab from here:

      In case the site gets /.ed, you can download the Extra.DAT file from me using Kazaa...

      ---

      --
      Any man who can drive safely while kissing a pretty girl is simply not giving the kiss the attention it deserves. -- AE
    7. Re:Finally! by Nucleon500 · · Score: 5, Insightful

      I know you were joking, but no, attacking sco.com does not make it a worthwhile virus. Yes, SCO deserves a lot of hardship. But any retaliation should be done in a completely legal manner. Why? SCO is trying to make open source look bad in the eyes of businesses. They've said we don't respect copyrights, they say we're anti-business. They screamed loudly about joking death threats and DDoS attacks. They're trying to make us look bad, and whatever we do should make them look bad, make them look like the aggressor they are. Doing obviously illegal things only makes us look bad and SCO look like a victim. So this is a major step backwards.

    8. Re:Finally! by thedillybar · · Score: 5, Funny

      This doesn't make open source look bad.

      As far as I can tell, this virus is not licensed under the GPL, and I can't find the source for it anywhere...

    9. Re:Finally! by obeythefist · · Score: 5, Funny

      Ahh, so the idea is, the virus infects Windows boxes, then sends data to SCO to tell them that it's a windows box, which frees SCO to sue *everyone* else who doesn't attack them with the virus, because they must be running Linux. And we all know who owns linux, don't we?

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    10. Re:Finally! by dslbrian · · Score: 5, Funny

      I think www.sco.com as we know it will probably have traffic from this virus FOREVER.

      Which they will promptly PR-spin into a positive thing - "We are getting THOUSANDS of licensing inquiries EACH DAY!!" or "Our website has become one of the most POPULAR on the internet, obviously customers are very satisfied!"

  2. i'm not scared... by edrugtrader · · Score: 5, Funny

    i just got the patch off of kazaa... sweet jesus, just in the nick of time.

    whew.

    i was scared there for a ss.....[NO CARRIER]

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  3. DOS huh? by Armethius · · Score: 5, Funny

    "Second, it can perform a denial-of-service against www.sco.com" Will this be the first virus I willingly load on my machine?

    1. Re:DOS huh? by bsharitt · · Score: 5, Funny

      Damn it, they don't make enough Mac compatible viruses.

    2. Re:DOS huh? by PhxBlue · · Score: 5, Funny

      Will this be the first virus I willingly load on my machine?

      No, it'll be the second. You have to load Windows first.

      --
      !#@%*)anks for hanging up the phone, dear.
    3. Re:DOS huh? by caluml · · Score: 5, Insightful

      I see that they run with a 60 second DNS refresh - is this forward thinking by them in case they have to change the server's IP, or add more servers? That way, they don't have hours, or days of stale data hanging around.

      Also, does the virus target by IP address, or does it do a full DNS lookup? If it's just IP, it will be easy for them to change the www record, and the server's address. 60 seconds later, everyone apart from the virus will be able to access the site.

    4. Re:DOS huh? by nocomment · · Score: 5, Funny

      I thought that might be what you meant. Sorta like the honor system virus where when you get the email you just delete a bunch of random files yourself and forward the email.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    5. Re:DOS huh? by Nahor · · Score: 5, Funny

      It's well known that Windows is not a virus (shamelessly copied from here)

      1. Viruses are free.
      2. Viruses can be gotten from any good bbs.
      3. If detected soon enough, most viruses can be removed from your computer without a huge loss of data and time.
      4. Viruses don't take up HUGE wads of disk space.
      5. Viruses don't need 4meg of ram to run.
      6. Viruses do something.
      7. Viruses come in flavors, not just one-size-fits-all.
      8. Viruses use the "cutting edge" programming skills to make themselves less noticeable. (until they are ready to be noticed)
      9. Viruses don't have major bugs. (if they do, then they don't work, so they're not viruses)
      10. Viruses don't have three different sets of documentation that is all mixed up and wrong.
      11. Viruses don't leak things to the press about the upcoming Jerusalem 95, to keep people from switching to Michelangelo/2 Warp or better yet, XJerusalem.
      12. Viruses don't put out stupid two page ads in magazines centered around the march 6 "activate button".
      13. Viruses aren't on every computer.
      14. Viruses don't have stupid wizards.
      15. Who cares if a virus is 16 bit, even though it is advertised as 32?
      16. Viruses don't say that they are user "friendly", when they aren't.
      17. Viruses can run on PCDOS without warnings.
      18. Viruses when installing themselves don't try to send private info about your computer over the phone lines to microstoned-net.
      19. Viruses install themselves.
      20. Viruses don't try to push out all competition. They just try to do their job.
      21. Virus makers don't try to buy Intuit (makers of Quicken (wouldn't that be fun, America's biggest financial software company owned by a virus maker))
      22. Viruses don't invade and take over PC Magazine, filling it with 100% junk on Win95.
      23. Viruses don't try to copy what Apple does.
      24. There are programs you can buy, or get free to remove viruses.

  4. Serves people right.. by Breakfast+Pants · · Score: 5, Funny

    Who the hell is gonna open a 3kb executable from kazaa?

    --

    WHO ATE MY BREAKFAST PANTS?
    1. Re:Serves people right.. by Kenja · · Score: 5, Insightful

      Dumb people. Problem is that dumb people make up a majority of internet users. This is the same reason that spam works as an advertising method. It's also why toner refills have warnings not to drink the contents and windex warns you not to spray it in your eyes.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:Serves people right.. by swordboy · · Score: 5, Informative

      Who the hell is gonna open a 3kb executable from kazaa?

      The same idiots who install it.

      Kazaa is not secure. It installs spyware that monitors keyboard activity. If you type an email address on a PC that has Kazaa, that address will be spammed into oblivion. Webshots does the same thing. Not directly, but through one of many third party applications that are installed silently.

      --

      Life is the leading cause of death in America.
    3. Re:Serves people right.. by TheOtherChimeraTwin · · Score: 5, Funny

      Oooooh! Does drinking toner refills and spraying windex in your eyes give you SECRET powers?? I've got to go try that right away!

    4. Re:Serves people right.. by johnalex · · Score: 5, Funny

      Gives a new meaning to the saying, "never underestimate the power of stupid people in large groups."

      --
      JA
      http://www.johnalex.org/
  5. Reuters Story by ThousandStars · · Score: 5, Informative

    Here's another story.

    Funny that I come to submit the article and already find it at the top of the page...

  6. Virus... by pardasaniman · · Score: 5, Funny

    Back in my day, viruses came in via the boot-sector of floppy drive. You actually had to know fudge to write one.

    You yung whipper-snapper virus writers and your MS holes got it way too easy.

    On one hand it seems to be written by the RIAA, on the other it looks like some linux loony, can it be both?!

    1. Re:Virus... by SiliconAddict · · Score: 5, Funny

      Boot Sectors?! You guys had it lucky.

      In my day we had to throw various insects into giant mainframe machines

    2. Re:Virus... by Haeleth · · Score: 5, Funny

      Ah, but back when I was a lad we didn't have machines to do it for us - we had to catch viruses ourselves by coming into physical contact with infected tissue.

  7. idiots. by edrugtrader · · Score: 5, Funny

    5 posts so far, and 3 of them are of the "I WANT TO PARTICIPATE IN A SCO.COM DDOS" variety.

    people... that is illegal and not the way to win the fight.

    i'd say more, but i have to go load that virus on my 3 other laptops.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  8. This should make us look very professional. by Tassleman · · Score: 5, Insightful

    Second, it can perform a denial-of-service against www.sco.com

    Great. This will give SCO some good PR ammo. Thanks guys.

  9. DDoS by DRUNK_BEAR · · Score: 5, Insightful

    It's all fun and jokes at first, but if we look at it from the public's eyes, these types of attacks give a bad name to OSS and the Linux community.

    Obviously, SCO has many enemies. Most of them are probably nix users and the public knows that. If we want to have the public favor OSS, reputation is also important.

    Just my 0.02$

    --
    DrkBr
  10. This is not a good thing by Tyrdium · · Score: 5, Insightful

    Think about it. Until now, the Linux community has seemed very innocent over this whole issue. It's simply a matter of a company trying to oppress people for its own gain (at least in the courts' eye). When people start doing illegal things such as writing viruses to get back at SCO, on the other hand, the Linux community loses much of its innocence. Look beyond the surface; this is a big PR hit for the Linux community. Remember the debate when SCO was DDoSed? This is the same thing, but much worse, and on a larger scale. Writing a virus in itself is illegal, given their nature, and a DDoS is also illegal (I'm not counting Slashdottings and the like).

    1. Re:This is not a good thing by finkployd · · Score: 5, Interesting

      What leads you to believe this is someone from the Linux community? I say it is equally likely someone who hates Linux and wants to make it look bad. Out of work MCSE? SCO employee (assuming they still have people there who can code)? Who knows. Given that this whole SCO mess has been nothing more than a PR war I wouldn't put it past them to have someone do this to improve their image.

      Finkployd

  11. ClamAV to the rescue by Jibber · · Score: 5, Informative

    Hi,

    I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.

    Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.

    Jib

  12. Looking for the virus writer by RY · · Score: 5, Funny

    To show that there are no hard feelings after the virus entered my work network, I would like to invite the virus writer to play a game of baseball.

    Just show up, I'll bring the bat!!!!!!!

  13. A threat? Really? by unfortunateson · · Score: 5, Insightful

    Let me get this straight:
    1) It has a simple text message plus a binary payload attachment.
    2) It uses no M$ exploits (patched or unpatched) to install itself.
    3) It depends on someone opening the attachment to start an infection.

    And after all this time, people are still clicking on binary attachments? Great googly moogly. At least this sucker is only 20-40K. I'm sick of the 140-160K ones swamping my hotmail account. This one will barely be an annoyance.

    To quote Evil Willow Rosenberg: "Bored now."

    --
    Design for Use, not Construction!
  14. Re:Oh no by aralin · · Score: 5, Insightful

    Now Darl seems to have some credibility with the Linux == terrorism threat. Good going, guys....

    I'm not so sure, this was obviously done by a WINDOWS hacker. Most of the Linux hackers I know have no freaking idea about MS Windows internals and they honestly don't even care for that sort of "knowledge".

    --
    If programs would be read like poetry, most programmers would be Vogons.
  15. Re:SCO is down by britneys+9th+husband · · Score: 5, Funny

    Looks like you've figured out how the ddos works. Put "www.sco.com" in the virus, get it mentioned on Slashdot, and the /. effect takes down the site.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
  16. I would like to see a study done by theCat · · Score: 5, Interesting

    that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software. I mean that is a lot of work by someone with at least *some* clue about email. Who is doing this? Is there a profile? Is it generally a home user, or generally at a public school? Is it that there is a subset of people that for their own sick reasons *always* runs infection attachments just to watch the LAN go down so they can go home early? I'm becoming suspicious [tinfoil hat goes on and is pulled down hard]

    --
    =^..^= all your rodent are belong to us
  17. Re:Also arrives as a zipped executable! by jfengel · · Score: 5, Funny

    First you save the attachment.

    Then you unzip it.

    Then you execute it.

    Why do the virus writers even bother writing code? If people are willing to do all that, it sounds like the next virus will consist solely of the text:

    "Pick a friend at random. Go over to his house and bash his computer with a sledge hammer."

  18. This was probably done to defame us by Bruce+Perens · · Score: 5, Interesting

    We're about the last people who would be out writing Windows viruses. This was probably done to defame us. Or possibly the source of the virus is the usual one - spammers - since it has mass-mailing capability, and the SCO DOS is just misdirection aimed at the community that has produced so many spam-blocking techniques.

    Bruce

    1. Re:This was probably done to defame us by Guppy06 · · Score: 5, Informative

      "We're about the last people who would be out writing Windows viruses."

      Try reading at -1 every once in a while.

  19. How I imagine things by skinfitz · · Score: 5, Funny

    it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis.

    Cut to the labs of the antivirus companies:

    Sir! The new virus seems to launch a DDoS against sco.com!

    REALLY? Great work! Now .. let's take our time over this.. no need to rush things now is there? I mean - we wouldn't want to make a mistake or anything now would we?

    Take a 2 day lunch.

  20. Re:A threat? Really? by Beryllium+Sphere(tm) · · Score: 5, Informative

    The social engineering on this one isn't half bad.

    The first one I got looked like a bounce message, with text saying there were some non-7bit characters so the full message would be in an attachment.

    The payload inside the .zip file was "readme.txt%20%20%20%2020%20%20%2020%20%20%20.scr" , which shows as "readme.txt" in the Windows GUI.

    Believe it or not, there are mailers in the Windows world that send bounces with the original message as an attachment. This worm could easily fool someone who wasn't technical or wasn't paranoid.
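
A defensive check for the naming trick described in the last comment, added here as an example that is not part of the original thread: it flags zip members whose name hides an executable extension behind a document-looking extension and a run of spaces. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import unquote

# Both extension lists are assumptions of this example, not exhaustive.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
DECOY = re.compile(r"\.(txt|doc|pdf|jpg|htm|html)(?=\s|$)", re.I)
PAD_RUN = re.compile(r"\s{3,}")  # enough whitespace to push the real extension out of view


def classify_name(name):
    """Return the reasons an archive member name looks deceptive (empty if none)."""
    decoded = unquote(name)  # treat a percent-encoded %20 like a literal space
    base = decoded.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    ext = (dot + ext).strip().lower()
    if not stem or ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    if PAD_RUN.search(stem):
        reasons.append("whitespace padding before " + ext)
    decoy = DECOY.search(stem)
    if decoy:
        reasons.append("decoy extension " + decoy.group(0).lower() + " before " + ext)
    return reasons


def scan_zip(data):
    """Map each deceptive member name in a zip (given as bytes) to its reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = {i.filename: classify_name(i.filename) for i in zf.infolist()}
    return {name: why for name, why in hits.items() if why}


def build_sample_zip():
    """Constructed sample: harmless text bytes stored under three member names."""
    padded = "readme.txt" + " " * 20 + ".scr"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (padded, "notes.txt", "setup.exe"):
            zf.writestr(name, b"placeholder text, not a program")
    return buf.getvalue(), padded


if __name__ == "__main__":
    sample, _ = build_sample_zip()
    for member, why in scan_zip(sample).items():
        print(repr(member), "->", "; ".join(why))
```

A plain `setup.exe` is deliberately not reported: the check targets names built to look like documents, and blocking executables outright is a separate policy decision.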