Today's Windows Virus - MyDoom / Novarg

Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
  • Reuters Story (Score:5, Informative)

    by ThousandStars ( 556222 ) on Monday January 26, 2004 @08:40PM (#8094779) Homepage
    Here's another [reuters.co.uk] story.

    Funny that I come to submit the article and already find it at the top of the page...
  • ClamAV to the rescue (Score:5, Informative)

    by Jibber ( 83396 ) on Monday January 26, 2004 @08:47PM (#8094861) Homepage
    Hi,

    I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.

    Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.

    Jib
  • SCO is down (Score:2, Informative)

    by greywar ( 640908 ) on Monday January 26, 2004 @08:48PM (#8094883) Journal
    www.sco.com isn't responding to me at the moment. or maybe we just slashdotted www.sco.com checking....
  • What timing! (Score:2, Informative)

    by conway ( 536486 ) on Monday January 26, 2004 @08:49PM (#8094907)
    I just got the first one as I was reading the story on ./ !
    Weird thing is: it arrived at a non-existent address on my domain (and was forwarded to the catch-all). I have no idea how it got that email...
    Pretty stupid trick: the attachment was README.ZIP, which contains the filename README.HTM_______________.SCR (the _ are spaces) so it looks like an html file at first glance.
    Nicely done, but good luck trying to infect my Debian :)
  • by Anonymous Coward on Monday January 26, 2004 @08:51PM (#8094930)
    Unlike some other *cough* commercial virus scanners. If you have your MTA setup properly with clamav (like qmail+qmail-scanner), a simple "freshclam --stdout" will do, then watch the "SCO.A" log messages scroll on by.
  • Re:DDOS SCO (Score:4, Informative)

    by tomhudson ( 43916 ) <barbara,hudson&barbara-hudson,com> on Monday January 26, 2004 @08:52PM (#8094945) Journal
    Ok -- which one of you wrote this.....

    Nobody from here - we would have just done it with a perl script or some javascript embedded in an html emails' <body onload="melt_the_litigious_bastards_servers()"> tag.
    Hmmm .... now let's see...

  • by swordboy ( 472941 ) on Monday January 26, 2004 @08:53PM (#8094969) Journal
    Who the hell is gonna open a 3kb executable from kazaa?

    The same idiots who install it.

    Kazaa is not secure. It installs spyware that monitors keyboard activity. If you type an email address on a PC that has Kazaa, that address will be spammed into oblivion. Webshots does the same thing. Not directly, but through one of many third party applications that are installed silently.
  • by Wee ( 17189 ) on Monday January 26, 2004 @09:08PM (#8095196)
    A few people get mail off my personal domain. They're all Windows users. I added this to my .procmailrc file:

    ## B = scan the body; file any message whose attachment name ends in an
    ## executable (or zip) extension into the virus folder instead of the inbox
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename=".*\.(pif|exe|scr|zip|bat|cmd)"
    /home/wee/mail/virus

    Looks like it works:

    wee@foo:~$ grep 'mail/virus' .procmaillog | wc -l
    21

    Not terribly efficient, but every little bit helps.

    -B

  • by Anonymous Coward on Monday January 26, 2004 @09:15PM (#8095253)
    "W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer."

    From www.sophos.com
  • Re:Virus... (Score:5, Informative)

    by interiot ( 50685 ) on Monday January 26, 2004 @09:20PM (#8095300) Homepage
    Well, it allegedly opens a backdoor on port 3127 [google.com], so I'd think you'd either want to not run it at all, or make sure you will be able to keep your firewall up until such time that you verify the virus is completely removed from your system.
  • by coryrauch ( 632434 ) on Monday January 26, 2004 @09:39PM (#8095465)
    I have received over 30 emails with this virus attached today already. From what I've seen, some come in the email described in the article post, but I have also seen emails containing this virus that look like this: The following email is encoded in UNICODE format please see attachment for message. - or - This file is encoded in 7Bit ascii format please see attachment for message. The attachment is always 22.6k in size. Thought windows slashdotters would be interested in this info.
  • Re:DOS huh? (Score:3, Informative)

    by interiot ( 50685 ) on Monday January 26, 2004 @09:48PM (#8095576) Homepage
    The executable is still available in the link listed at the top of the story [russnelson.com] (e.g. it isn't slashdotted at all, no need to bittorrent it).
  • by Zutroi_Zatatakowsky ( 513851 ) on Monday January 26, 2004 @10:04PM (#8095771) Homepage Journal
    Air-traffic control systems don't run no Linux. They either run QNX or SCO.

    Linux in Air Traffic Control [linuxjournal.com]
  • by Rex Code ( 712912 ) <rexcode@gmail.com> on Monday January 26, 2004 @10:06PM (#8095800)
    OK, that first attempt was useless. But after a little debugging here's one that seems to be doing the trick. If there are filenames that I haven't seen yet it's easily extended. It's also not so brute force as to toss out all zip attachments -- only ones with the "poisoned" filenames:

    ## B = scan the body; only zip attachments carrying one of the worm's
    ## known filenames are diverted, other zips pass through untouched
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename="(message|body|document|doc|data|readme|text)\.zip"
    /yourlogdir/SPAM-VIRUSES-NOVARG

  • Re:A threat? Really? (Score:2, Informative)

    by Odonian ( 730378 ) on Monday January 26, 2004 @10:13PM (#8095874)
    I am not convinced that this is the only method the thing travels by. My laptop at work got infected with this, as did my office mate. We both saw mail going out as us to others in our group, etc. Neither of us double-clicked the attachment or ran it. Being curious though, we did (apparently both of us did this) right click the attachment, save it to a dir on a linux box for inspection in emacs hexl-mode, etc. So unless this thing launches via a right-click and save operation (off of the windows box entirely), there must be some other transmission mechanism.
  • by ghostis ( 165022 ) on Monday January 26, 2004 @10:26PM (#8095996) Homepage
    Well I have my copy! Arrived in my fiancee's inbox this afternoon. She helped me analyze it in Linux over the phone. (She's a biblical scholar when she's not hacking. What's not to love? :) Well we ran strings on it, among other things: it contains a few nuggets:

    o Part way down the strings output there is the following:

    (sync.c,v 0.1 2004
    1/xx
    : andy)

    Weird.

    sync.c: I believe is a linux kernel file? Maybe it was written on Linux? Who knows.

    o Further down is:

    notepad %s
    Message

    This is consistent with the notepad screenshot on McAfee.com

    o Then some more weirdness: /abcd
    ghijklm
    pqrstNwxyzg
    ABCDEFGHIJKLMNOPQRSTU VWXYZ

    I guess this cracker knows the alphabet. I am impressed!

    o More funniness:

    Sack_i
    smith[C
    &joe?neo/

    Matrix fan?

    o gold-Pxc

    I guess this is reference to the electronic banking system it attacks

    o Further down:

    USERPROFI

    Going for the registry I see...

    o More sequences

    ASCII
    r=it f
    0aA!0123456789+

    My guess is that the sequences are character food for the random message generator

    o Towards the end:

    Libra

    I guess this hacker is indecisive ;-)

    o Finally, it wraps up with a list of windows dlls and function names.

    -ghostis

  • by Guppy06 ( 410832 ) on Monday January 26, 2004 @10:27PM (#8096005)
    "We're about the last people who would be out writing Windows viruses."

    Try reading at -1 every once in a while.
  • Re:DOS huh? (Score:3, Informative)

    by interiot ( 50685 ) on Monday January 26, 2004 @10:32PM (#8096051) Homepage
    Well, it's in the form of a standard email message, so if you can figure out how to send that to yourself as a raw email or as an attachment or something, if you do it correctly, your mail client will do all the decoding for you.

    Otherwise, download base64.exe [rtner.de], download mydoom, open up mydoom in wordpad, delete everything before the "UEsDBAoAAAAAAFuhOj" and everything after the "AAQABAIAAAABwWAAAAAA=" at the bottom (e.g. just keep the main chunk of random text, removing everything else including the blank lines before and after), and run

    • base64 -d -i mydoom -o mydoom.zip
    which should get you mydoom.zip, which when unpacked will get you "body.txt(lots of spaces).scr" which is the worm executable.
  • Re:A threat? Really? (Score:5, Informative)

    by Beryllium Sphere(tm) ( 193358 ) on Monday January 26, 2004 @11:12PM (#8096369) Journal
    The social engineering on this one isn't half bad.

    The first one I got looked like a bounce message, with text saying there were some non-7bit characters so the full message would be in an attachment.

    The payload inside the .zip file was "readme.txt%20%20%20%2020%20%20%2020%20%20%20.scr" , which shows as "readme.txt" in the Windows GUI.

    Believe it or not, there are mailers in the Windows world that send bounces with the original message as an attachment. This worm could easily fool someone who wasn't technical or wasn't paranoid.
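An added example, not posted by anyone in this thread: a Python filter in the spirit of the procmail recipes from Wee and Rex Code above, extended with the padded-filename trick that conway and Beryllium Sphere describe. Rather than rejecting every .zip, it opens each zip attachment and flags members whose benign-looking extension is followed by a run of spaces and an executable extension. The sample message and archive are constructed for the demo; the archive holds a text stub, not the worm.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the procmail recipes in this thread quarantine outright.
EXEC_EXT = re.compile(r"\.(pif|exe|scr|bat|cmd)$", re.IGNORECASE)
# The bait pattern described above: "readme.txt<many spaces>.scr", padded so
# the real extension scrolls out of view in the Windows file dialog.
PADDED_EXT = re.compile(r"\.(txt|htm|html|doc)\s{2,}\.(pif|exe|scr|bat|cmd)$",
                        re.IGNORECASE)

def looks_like_bait(name: str) -> bool:
    return bool(EXEC_EXT.search(name) or PADDED_EXT.search(name))

def suspicious_names(raw_message: bytes) -> list[str]:
    """Return attachment names (and 'zip:member' pairs) matching the worm's naming."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if looks_like_bait(name):
            hits.append(name)
        if name.lower().endswith(".zip"):
            # Look inside instead of tossing all zips (Rex Code's point above).
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(f"{name}:{m}" for m in zf.namelist() if looks_like_bait(m))
            except zipfile.BadZipFile:
                hits.append(f"{name}:<not a valid zip>")
    return hits

def build_sample() -> bytes:
    """Constructed look-alike of the bounce-style mail described in the thread."""
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message contains Unicode characters and has been sent "
                    "as a binary attachment.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless text stub stored under the padded double-extension name.
        zf.writestr("readme.txt" + " " * 40 + ".scr", b"placeholder text, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="readme.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(suspicious_names(build_sample()))
```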
  • Re:DOS huh? (Score:2, Informative)

    by tenton ( 181778 ) on Monday January 26, 2004 @11:15PM (#8096381)
    Ah, but when you post things here, security is the least of your worries (the /. effect will make it secure by taking the machine down :P ).
  • Re:Finally! (Score:2, Informative)

    by KFK - Wildcat ( 512842 ) on Tuesday January 27, 2004 @12:26AM (#8096810)
    Not true. According to symantec [symantec.com],
    "The DoS is active between February 1, 2004 and February 12, 2004."
    So I guess that www.sco.com will be back up by Feb. 13th...
  • by Anonymous Coward on Tuesday January 27, 2004 @12:35AM (#8096857)
    I don't get it. I've seen the badger page, but WTF is a hastur?
  • procmail recipe (Score:2, Informative)

    by RiscIt ( 95258 ) on Tuesday January 27, 2004 @12:41AM (#8096872) Homepage Journal


    ## drop all Novarg/MyDoom virii
    :0 B
    * ^AFAmSgBAA/2yaZosEAT0JegBAE
    {
    LOG="$NL Novarg/MyDoom Virus$NL"

    :0:
    Novarg.txt
    }


    No guarantees - Haven't had much time to test it. Not the most efficient either (should probably check the file size first and rule out small messages first) but it should get the job done on most "average traffic" mail servers.


  • by AndroidCat ( 229562 ) on Tuesday January 27, 2004 @12:59AM (#8096989) Homepage
    The executable is way too small (22,528 bytes compressed vs. 150k+ for most of the usual trash by spammers). I certainly doubt it was written in VB.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday January 27, 2004 @02:49AM (#8097468)
    There is an analysis posted on USENET, describes the binary and followups include information about variants that are being seen sending the same payload. Might as well read up [google.com] if you're interested in the technical details.
  • Text from Symantec (Score:1, Informative)

    by Anonymous Coward on Tuesday January 27, 2004 @03:15AM (#8097564)
    W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.
    When the machine gets infected, the worm will set up a backdoor into the system by opening TCP ports 3127 thru 3198. This will potentially allow a hacker to connect to the machine and utilize it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.
    The worm will perform a DoS starting on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading.
  • Re:Finally! (Score:4, Informative)

    by vanillaspice ( 612837 ) on Tuesday January 27, 2004 @03:33AM (#8097623)
    Actually, if you really want to know where you can get it, the virus deposits a text file, very cookie-like, in a Windows user's Temporary Internet Files folder that points to a site called http://russnelson.com which ostensibly belongs to a man who works for a software company in upstate New York. And if you really want to download that cookie (and potentially the .scr file), you can go to russnelson.com/mydoom.
  • by BenjyD ( 316700 ) on Tuesday January 27, 2004 @05:22AM (#8097962)
    I doubt you've got the virus. The virus has probably used your email address as the return address, so that you get the bounces despite not having the virus. I've received lots of virus warning bounces, mostly sent to "helen@benroe.com" and "serg@benroe.com", which aren't email addresses I use (obviously).
  • by jbrw ( 520 ) on Tuesday January 27, 2004 @06:49AM (#8098179) Homepage
    clamav [clamav.net]
  • by AnyNoMouse ( 715074 ) on Tuesday January 27, 2004 @12:52PM (#8100964)
    I just think it's funny that Slashdot STILL reports *user-run* attachments as "Windows viruses," as though it's some major flaw in Windows that users are dumb enough to run whatever executables come into their inbox. Hell, my Outlook won't even let those attachments through to begin with. "BUT IT'S A WINDOWS VIRUS!!1"

    I'll both agree and disagree with you on this one. Microsoft isn't at fault with this virus. It is, however, a Windows virus in that it only runs on Windows. You shouldn't just call it a "Worm" or a "Virus," as that may imply that more than Windows users are at risk.
