Slashdot Mirror


Microsoft Mail Worms Gang War?

cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."

7 of 609 comments

  1. I would like to point out... by chrisopherpace · Score: 5, Informative

    MyDoom.F does destroy Word, Excel, Access, JPG, and other files.
    SARC
    This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.

  2. Warnings... by ackthpt · Score: 5, Informative

    I'm getting some forged emails lately, badly forged at that, which look like they're coming from my ISP, "warning viruses being sent from your account", "warning imminent suspension", etc. They have a pif file attached (which I never open) and have been coming from .lt or .gr servers (my ISP would not likely be using these.) Looks to me like another brand of worm on the rounds and there's a morbid sense of humor behind it.

    --

    A feeling of having made the same mistake before: Deja Foobar

    1. Re:Warnings... by Hayzeus · Score: 5, Informative

      I doubt humor is involved -- the point is to get people to open the zip and run the archived file -- which you have to go to some trouble to do, given that the zip is password protected (to get by email scanners). I've had a couple of users here contact me about these, but nobody has run them yet. Of course I only have a few users, most reasonably clueful. This would probably suck for larger outfits.

  3. Re:Turf? by glen604 · Score: 5, Informative

    Since some of these viruses involve opening back doors, it's a turf war in the sense of who owns more zombie computers, I guess.

  4. latest breed by A+moron · Score: 4, Informative

    What's interesting/annoying is that the latest variants of the Bagle/Beagle virus use password protected encrypted zip attachments, which have caught quite a few mail gateways and virus companies off guard. Our mail gateway (mailscanner/f-prot/spamassassin) was unable to deal with the encrypted zip attachments and passed them on through.

    The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)

  5. Pretty good social engineering this time by GillBates0 · Score: 4, Informative

    Date: Wed, 03 Mar 2004 10:03:48 -0800
    From: support@xxx.edu
    To: me@cc.xxx.edu
    Subject: Warning about your e-mail account.
    Parts/Attachments:
    1 Shown 10 lines Text
    2 12 KB Application

    Dear user of "xxx.edu" mailing system,

    We warn you about some attacks on your e-mail account. Your computer may
    contain viruses, in order to keep your computer and e-mail account safe,
    please, follow the instructions.

    For more information see the attached file.

    Cheers,
    The xxx.edu team http://www.xxx.edu

    [ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

    ------
    Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
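The two comments above describe the same gateway blind spot from both ends: a forged "support@" message carrying a .pif executable, and the Bagle variants that hide the executable inside a password-protected zip so content scanners pass it through. The following is an added example (not code from the original thread or from mailscanner/f-prot) of the check a gateway can do for both: it parses the message, flags executable attachment names, and walks the zip's local file headers to spot the encryption flag bit without needing the password. `build_sample` is a constructed message modelled on the one quoted above; its "kind" argument is one of pif, zip or encrypted_zip, and the payload is inert filler.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat"}  # payload types used by these worms
LOCAL_HDR_SIG = b"PK\x03\x04"

def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk local file headers; bit 0 of the general-purpose flag marks an encrypted entry."""
    pos = 0
    while 0 <= (pos := data.find(LOCAL_HDR_SIG, pos)) and pos + 30 <= len(data):
        flags, = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        comp_size, = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        pos += 30 + name_len + extra_len + comp_size
    return False

def classify_attachments(raw_message: bytes) -> list[str]:
    """Findings a gateway filter would raise for one raw RFC 2822 message."""
    findings = []
    for part in message_from_bytes(raw_message, policy=policy.default).iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name[name.rfind("."):] in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
        elif payload.startswith(LOCAL_HDR_SIG) and zip_has_encrypted_entry(payload):
            findings.append(f"password-protected zip: {name}")
    return findings

def build_sample(kind: str) -> bytes:
    """Constructed message modelled on the one quoted above; the payload is inert filler."""
    blob = bytearray(b"MZ" + b"\x00" * 64)
    if kind != "pif":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("Information.pif", bytes(blob))
        blob = bytearray(buf.getvalue())
        if kind == "encrypted_zip":  # zipfile cannot write encrypted archives: set bit 0 by hand
            struct.pack_into("<H", blob, 6, struct.unpack_from("<H", blob, 6)[0] | 1)
    msg = EmailMessage()
    msg["From"], msg["To"] = "support@xxx.edu", "me@cc.xxx.edu"
    msg["Subject"] = "Warning about your e-mail account."
    msg.set_content("For more information see the attached file.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="octet-stream",
                       filename="Information.pif" if kind == "pif" else "Information.zip")
    return bytes(msg)
```

The header walk only needs the flag bit, so it works on a zip whose contents cannot be opened; a gateway that sees either finding can quarantine the message rather than pass it through unscanned.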
  6. ...little damage... by blunte · Score: 4, Informative

    Typically these viruses (or more correctly, worms) do little damage to the infected computer

    Yeah most are not too damaging, but here's my story.

    Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.

    - Last week our AV server downloaded updates at 8am as usual.
    - At 11am Symantec released new signature for MyDoom.F.
    - At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
    - At 8pm automatic backups kick off.
    - At 11pm backups complete, having successfully backed up ruined shares.
    - At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
    - At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.

    Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours @ $110/hr for support consultant to help clean up the mess.

    Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.

    Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
    --
    .sigs are for post^Hers.