Today's Windows Virus - MyDoom / Novarg 847
Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
Reuters Story (Score:5, Informative)
Funny that I come to submit the article and already find it at the top of the page...
ClamAV to the rescue (Score:5, Informative)
I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.
Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.
Jib
SCO is down (Score:2, Informative)
What timing! (Score:2, Informative)
Weird thing is: it arrived at a non-existent address on my domain (and was forwarded to the catch-all). I have no idea how it got that email...
Pretty stupid trick: the attachment was README.ZIP, which contains the filename README.HTM_______________.SCR (the _ are spaces) so it looks like an HTML file at first glance..
Nicely done, but good luck trying to infect my Debian
ClamAV already has updated definitions. (Score:4, Informative)
Re:DDOS SCO (Score:4, Informative)
Nobody from here - we would have just done it with a perl script or some javascript embedded in an HTML email's <body onload="melt_the_litigious_bastards_servers()"> tag. .... now let's see...
Hmmm
Re:Serves people right.. (Score:5, Informative)
The same idiots who install it.
Kazaa is not secure. It installs spyware that monitors keyboard activity. If you type an email address on a PC that has Kazaa, that address will be spammed into oblivion. Webshots does the same thing. Not directly, but through one of many third party applications that are installed silently.
Procmail to the rescue (Score:4, Informative)
# body-scoped recipe (B flag), since Content-Disposition sits in the MIME part headers,
# not the top-level headers; delivery folder taken from the mail/virus log entry below
:0 B
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr|zip|bat|cmd)"
mail/virus
Looks like it works:
wee@foo:~$ grep 'mail/virus' .procmaillog | wc -l
21
Not terribly efficient, but every little bit helps.
-B
Also breaches security (Score:3, Informative)
From www.sophos.com
Re:Virus... (Score:5, Informative)
This thing is traveling fast! (Score:2, Informative)
Re:DOS huh? (Score:3, Informative)
Re:Dark Side of Linux Developers (Score:4, Informative)
Linux in Air Traffic Control [linuxjournal.com]
Working (and selective) procmail recipe (Score:4, Informative)
* ^ *Content-Disposition: attachment;
* filename="(message|body|document|doc|data|readme|
Re:A threat? Really? (Score:2, Informative)
Funny things on the inside (Score:5, Informative)
o Part way down the strings output there is the following:
(sync.c,v 0.1 2004
1/xx
: andy)
Weird.
sync.c: I believe is a linux kernel file? Maybe it was written on Linux? Who knows.
o Further down is:
notepad %s
Message
This is consistent with the notepad screenshot on McAfee.com
o Then some more weirdness:
ghijklm
pqrstNwxyzg
ABCDEFGHIJKLMNOPQRST
I guess this cracker knows the alphabet. I am impressed!
o More funniness:
Sack_i
smith[C
&joe?neo/
Matrix fan?
o gold-Pxc
I guess this is a reference to the electronic banking system it attacks
o Further down:
USERPROFI
Going for the registry I see...
o More sequences
ASCII
r=it f
0aA!0123456789+
My guess is that the sequences are character food for the random message generator
o Towards the end:
Libra
I guess this hacker is indecisive
o Finally, it wraps up with a list of Windows DLLs and function names.
-ghostis
Re:This was probably done to defame us (Score:5, Informative)
Try reading at -1 every once in a while.
Re:DOS huh? (Score:3, Informative)
Otherwise, download base64.exe [rtner.de], download mydoom, open up mydoom in wordpad, delete everything before the "UEsDBAoAAAAAAFuhOj" and everything after the "AAQABAIAAAABwWAAAAAA=" at the bottom (e.g. just keep the main chunk of random text, removing everything else including the blank lines before and after), and run
- base64 -d -i mydoom -o mydoom.zip
which should get you mydoom.zip, which when unpacked will get you "body.txt(lots of spaces).scr" which is the worm executable.
Re:A threat? Really? (Score:5, Informative)
The first one I got looked like a bounce message, with text saying there were some non-7bit characters so the full message would be in an attachment.
The payload inside the
Believe it or not, there are mailers in the Windows world that send bounces with the original message as an attachment. This worm could easily fool someone who wasn't technical or wasn't paranoid.
Re:DOS huh? (Score:2, Informative)
Re:Finally! (Score:2, Informative)
"The DoS is active between February 1, 2004 and February 12, 2004."
So I guess that www.sco.com will be back up by Feb. 13th...
Re:Was that the one on Userfriendly? (Score:1, Informative)
procmail recipe (Score:2, Informative)
## drop all Novarg/MyDoom virii
# B flag: match against the message body, where the base64-encoded attachment lives
:0 B
* ^AFAmSgBAA/2yaZosEAT0JegBAE
{
  LOG="$NL Novarg/MyDoom Virus$NL"
  # a nested recipe is needed inside the braces to deliver to a file
  :0
  Novarg.txt
}
No guarantees; I haven't had much time to test it. Not the most efficient either (should probably check the file size first and rule out small messages first) but it should get the job done on most "average traffic" mail servers.
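The three procmail recipes in this thread (executable attachment extensions, the padded README.HTM____.SCR name, and the base64 body signature) rolled into one Python mail filter, as an added example that is not code from any poster here; every function name is mine and the sample message it builds is constructed for the demo, not a real worm sample.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extension list from the first procmail recipe in the thread.
EXEC_EXT = re.compile(r"\.(pif|exe|scr|zip|bat|cmd)$", re.I)
# Decoy extension, a run of spaces or underscores, then the real one (README.HTM____.SCR).
DISGUISED = re.compile(r"\.(htm|html|txt|doc)[ _]{3,}\.(pif|exe|scr|bat|cmd)$", re.I)
B64_SIG = "AFAmSgBAA/2yaZosEAT0JegBAE"  # body signature from the posted recipe

def check_name(name: str, where: str) -> list:
    """Reasons to reject one file name (attachment or zip member)."""
    if DISGUISED.search(name):
        return [f"{where} hides an executable behind a padded name: {name!r}"]
    if EXEC_EXT.search(name):
        return [f"{where} has an executable extension: {name!r}"]
    return []

def classify(raw: bytes) -> list:
    """Return the reasons a raw message would be quarantined ([] means clean)."""
    reasons = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            reasons += check_name(name, "attachment")
            if name.lower().endswith(".zip"):  # the worm ships inside a zip, so look in
                try:
                    with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                        reasons += [r for m in zf.namelist() for r in check_name(m, "zip member")]
                except zipfile.BadZipFile:
                    reasons.append(f"undecodable zip attachment: {name!r}")
        if not part.is_multipart():
            # Match the still-encoded body, which is what procmail's B flag sees.
            if re.search(r"(?m)^" + re.escape(B64_SIG), part.get_payload(decode=False) or ""):
                reasons.append("known MyDoom/Novarg base64 signature in body")
    return reasons

def build_sample() -> bytes:
    # Constructed message imitating the README.ZIP "bounce" described in the thread.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.HTM" + " " * 40 + ".SCR", b"not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"] = "postmaster@example.com", "nobody@example.com"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("Non-7bit characters found; the original message is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="README.ZIP")
    return msg.as_bytes()
```

Running `classify(build_sample())` flags both the .ZIP attachment and the space-padded .SCR inside it, while a plain text message returns an empty list.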
It's not the usual cast of idiots (Score:3, Informative)
Re:Funny things on the inside (Score:3, Informative)
Text from Symantec (Score:1, Informative)
When the machine gets infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198. This will potentially allow a hacker to connect to the machine and utilize it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.
The worm will perform a DoS starting on February 1, 2004. On February 12, 2004 the worm has a trigger date to stop spreading.
Re:Finally! (Score:4, Informative)
Re:Call me stupid, but... (Score:4, Informative)
Re:Finally! ...now for a bit of help... (Score:3, Informative)
Re:I just think it's funny... (Score:2, Informative)
I'll both agree and disagree with you on this one. Microsoft isn't at fault with this virus. It is, however, a Windows virus in that it only runs on Windows. You shouldn't just call it a "Worm" or a "Virus," as that may imply that more than Windows users are at risk.