Today's Windows Virus - MyDoom / Novarg

Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It's HUGE

[Leme]

Our virus filtering usually quarantines around 40 messages per hour. Right now we're seeing over 1600 per hour.

At least the MRTG graphs are pretty.

Comment removed

[account_deleted]

Comment removed based on user account deletion

uhm.

[relrelrel]

how does this reflect badly on linux users? if i'm not mistaken, it infects windows machines, surely this reflects badly on microsoft windows? nobody can say that the virus writer is a linux user, now who's talking shit? SCO have pissed off so many people it could be anyone.

will it show up in the popular press?

[Anonymous Coward]

Hmm, if this is a big worm (sounds like it might be), then this will show up in the news. And if it shows up in the news (i.e, MSNBC, CNN, etc), they will have to explain *why* www.sco.com is a target.

Any guesses on how botched/one-sided/anti-Linux their explanation will be?

Not that this virus writer is helping things with this stupid thing.......

I really hate you

[Anonymous Coward]

I'm an email admin for a very, VERY large company - and i hate you, mr virus writer.

you've cost me, and my team, and my company, more time and energy than i care to note.

guess you forgot all about the people who actually use open source and promote it, cuz you screwed them too.

Re:Finally!

[Zocalo]

*Now* you tell me, I'd have kept the damn thing if I'd known (joke)! I've just finished updating by Virus signatures after a copy of this sucker slipped by the set I only got this morning. If you are running McAfee on your Windows boxen the latest DAT/SDAT at time of writing (4318) is NOT sufficient! You also need the Extra.DAT file which you can grab from here:

http://vil.nai.com/vil/content/v_100983.htm [nai.com]

(Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.

I would like to see a study done

[theCat]

that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software. I mean that is a lot of work by someone with at least *some* clue about email. Who is doing this? Is there a profile? Is it generally a home user, or generally at a public school? Is it that there is a subset of people that for their own sick reasons *always* runs infection attachments just to watch the LAN go down so they can go home early? I'm becoming suspicious [tinfoil hat goes on and is pulled down hard]

Wine

[szysz]

It does run on Wine..

I was trying to look what these messages were, and I executed the contents via wine.

A Notepad with garbage appeared, then I do a netstat and I saw the control port beeing controled from a wine instance.

So I think it runs on Wine.
I killed the wine instance and the port stopped
listening.

Re:This is not a good thing

[__aawavt7683]

Yes. Think about it. This virus has mass e-mailing capabilities. Obviously, the sco DoS was simply to make it look like it wasn't coming from a spammer. That's my thought, at least. I feel the mass mailing is far greater of a benefit to _someone_ than is dossing SCO, sco just being a convenient coverup. This is assuming, of course, that there's no one in the open source community that supports spammers. After all, so many tools against and only a few of the slashdot commentors, even, don't completely condemn them.

So really, spam is _yet again_ associated with terrorism.

-DrkShadow

Re:DOS huh?

[Steven Reddie]

That's just dumb. Now SCO is going to have "evidence" that Open Source advocates are virus writters.

Re:Oh no

[NanoGator]

"Why on earth would you assume that it would be some fringe Linux zealot? It could be a pissed off SCO employee, an investor, someone from IBM, any number of UNIX developers."

a.) The fringe Linux zealots are upset enough to do something like that.

b.) An SCO employee, investor, or somebody from IBM isn't going to attract legal attention.

c.) There aren't many people who'd prioritize an attack on SCO over ... well anything else.

It'd be moronic for a Linux zealot to not be at the top of the suspects list for what happened here.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Interestink pheachure

[Mixel]

Having everything@mydomain redirected to me, I've just noticed that this thing randomly spews out prefix names. In an hour received emails targeting: mary@* george@* smith@* Have not seen anything as prolific in terms of random addressing. The virii before this one very rarely threw up random names. *shrug*

Actually, That's What I Was Wondering...

[Hub_City]

In fact, unless I miss my guess, this is how it infects you:

1. Receive mail.
2. Open mail.
3. Double-click attachment. This opens the archive.
4. Double-click the payload inside the attachment, thus executing it.
5. Get infected. Lather, rinse, repeat.

So, in order to get infected, you have to open a suspect file inside a suspect archive inside a suspect e-mail.

And it's spreading like wildfire. I was going to ask "are people really this dumb", but I guess the empirical data available makes that question moot...

-HubCity
Altrok & Altrok Radio [altrok.com]

SCO Makes me mad.

[freeze128]

SCO makes us all mad. Mad enough to want to sock Darl in the nose. But what good will DOSing them do? So people can't get to their website... Big deal. It's not like they're Amazon.com or anything.

I work at a company who has offices all over the world. One of our offices has XO Communications as it's ISP. The same ISP that SCO uses. I often hear one of our network engineers cursing them because the the service is poor and outages are not handled in a timely manner. It's not Hard to DOS them.

Perhaps the virus should have focused on a more useful target, like the law offices that are handling the whole SCO fiaSCO.

repeat after me

[Knights who say 'INT]

if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.

if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.

if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.

Sure, I can write a fake su or sudo in three lines of bash script. The way beginner Linux distros sudo their way to hell, zillions of users will be affected by this the day Linux gets to the vast unwashed desktop masses.

Are more windows viruses do to hatred?

[geekee]

Many people argue that Linux has less problems because it is more secure. Others say this isn't true (for NT-based Windows, anyway), and that Windows is simply a higher profile target because of the higher user base. It is impossible to prove either arguement since no one knows how many security flaws are in either system. To add another variable to the problem, is Windows a target because Linux users hate Windows. It's probably impossible outside of Redmond to find anyone who hates Linux. This latest Windows attack seems to be perpetrated by a Linux user, since it attacks SCO as well as Windows. Is this attack motivated simply by hatred? Could this be a significant factor in the equation for why Windows is attacked so often?

DDoS threat or /. ?

[dan2550]

i was just checking to see if sco.com was down and it dawned on me that whenever an 'evil' company such as sco [sco.com] goes down it is reported on /.. I wonder how much the slashdot effect plays into the consumption of bandwidth of the sites? this may provide to be intresting if someone looks into it...

Re:Why do people keep clicking...

[ewhac]

Because clicking on an attachment shouldn't do anything. Only a fascist pig with a read-only mind would think it even a remotely good idea for an email client (note: "email client", as in handles email. The term, "program launcher" isn't expressed or implied anywhere in there) to load and launch an attachment.

There are very narrow cases where it's okay to do something. If its MIME type is text/plain, it's okay to display it. If it's MIME type is text/html, it might be okay to display it (providing you block JavaScript execution). If it's a media file (image/whatever, audio/whatever), then it's probably okay to launch a viewer or display it inline. If it's a compressed archive, it's probably okay to display a listing of its contents (automatically unpacking it is right out). And finally, if it's executable, a warning should be displayed before you allow the user to save -- not launch, save -- the attachment.

Always believe the MIME type. If the filename extension and the MIME type conflict, and you are saddled with an OS designed by orangutans where the three character extension of the filename determines its type, then append to the filename the OS's local extension representing that MIME type before handing off for subsequent interpretation.

Despite how many times The Finest Engineers Working In The Industry have fscked this up, this is not, and never has been, rocket science.

Schwab

Re:ClamAV to the rescue

[xheliox]

ClamAV had the defs out on Jan 25th.. Norton didn't until the 26th. Score one for open source (again).

My mail server has been filtering out these messages for the last 24 hours or so. Thousands of e-mails stopped and no end sight. :-/

This was probably done to defame us

[Bruce Perens]

We're about the last people who would be out writing Windows viruses. This was probably done to defame us. Or possibly the source of the virus is the usual one - spammers - since it has mass-mailing capability, and the SCO DOS is just misdirection aimed at the community that has produced so many spam-blocking techniques.

Bruce

Re:Finally!

[firstadopter.com]

Does anyone else realize these viruses only make Anti-virus companies much much richer? Why write something like this to make corporations rich?

RIAA revenge?

[danwiz]

distributes itself via the P2P network Kazaa

What if a virus were written by the RIAA? It could plant itself, activate when it sees a violation, and report the user over the internet.

Similar to the way the FBI operates. Only the FBI (usually) uses warrants.

PFFT

[Anonymous Coward]

I highly doubt a Linux enthusiast would have written this virus. Being one myself, I DESPISE writing windows code when I have to.

It's just so...dirty. Even if it means hurting SCO, I don't want to touch the stuff.

Re:Serves people right..

[jackbird]

These guys [mlaw.org] give awards for this stuff.

I especially like the fishing lure that says 'harmful if swallowed.'

from scoreport.com:

[herrvinny]

Well, as proprietor of some anti-SCO websites, let me weigh in here:

ARE YOU IDIOTS INSANE?

(FYI, I am a college student, U of W @ Madison) I didn't hear about this new virus until now. But at about 4:30 PM today, I get this email from an attractive, intelligent female friend of mine from high school. She goes to Knox College in Illinois. (Let's call her Kristin) The email is listed below in it's entirety, but basically it says watch out for this new virus. So I figure, OK, maybe some stupid Bagle (Beagle, whatever) virus variation has come out, and computer illiterate college students haven't figured out how to push the big Update button on their virus scanners. No biggie.

So late evening, around 6:30 PM, I go to a student government meeting (contrary to published doctrine, some college students actually give a shit about what's happening in the world.) I get back, check /., and what do I see? A virus attacking SCO!

Now, I think everyone here knows I dislike SCO. I own websites that are anti-them (Check my sig, the scolawsuit.com link above, and Litigiousbastards.com linking campaign [litigiousbastards.com]. But this is not the type of publicity we need. This gives SCO more ammunition, when it needs less. Guess what? The public equates viruses like this to terrorism. The average Joe Sixpack will think "Oh, this poor company's getting hurt by terrorism! These gosh darn Linux assholes are terrorists!" Can you say Guantanamo Bay?

If you want to DOS someone, do something constructive like sending an email to a Congressman/woman, donate to Groklaw.

(And yes, I must admit, and in the spirit of fairness, I was laughing out loud when I saw this article)

My friend's letter:

Hey everyone - Just something you might want to be aware of even with the virus protection software that you have. School is going well, and I am really enjoying myself here. I have a lot of work, but I am having fun. I even had a bat in my room, which was interesting. Ok, time to go back and do homework.

Kristin

=Original Message=
From: "M. Sean Riedel"
Date: Mon, 26 Jan 2004 15:59:33 -0600

A new virus, yet to be named, is spreading quickly and has slipped by many AntiVirus applications. If you have received a message with the following parameters, delete it immediately without opening the attachment. You will only become infected if you open the attachment.

The common factor in its profile is that it carries an unsolicited attachment. So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl" attached to messages all with either the .pif, .scr, .zip file extensions.

We already ban extensions of .pif or .scr. Until the antivirus companies release the definition files to detect this new virus, we are banning the .zip extension also.

As soon as our vendors update the definition files, we will remove the ban on the .zip extension.

As always, if you receive messages with attachments from anyone you do not know or unexpected attachments from people you do know, don't open them. If the message is from an unknown party, just delete it. If it is from someone you know, verify with that person that the attachment was intended since many viruses will forge the sender.

M. Sean Riedel
Computer Center
Knox College

DDOS active Feb. 1 - 12th.

[Mustang Matt]

Did anyone bother to read the details?

SCO hasn't been attacked yet. It doesn't kick in until Feb 1st and then it doesn't even go for two weeks.

How kind of virus writers to put a time cap on how long it does damage.

Amazing... and just plain wrong.

[Pathway]

When I first heard about this, I had to laugh out loud... "All targeting www.sco.com? Ha!"

Then, the phone rang, and I had my first 2 computers infected on my network. It was 3pm, and it was first discovered at about 1pm. (PST)

This is no laughing matter.

Who ever wrote this was quite the skilled assasin: Works on 95 thru XP machines? Transports by Mail with its own SNMP deamon? Spreads over Kazaa? This is very well planned.

The thought that a Pro-Linux activist did this discusts me. There is no way this can be good for linux's fight against SCO. Hopefully it can be proved to originate from somewhere, because if it comes from a linux user, the linux comunity will damn him. If it comes from anywhere else, then the extra leverage on the SCO vs. Linux suit will be lifted.

Then we have the consperancy therorists: SCO wrote it themselves! Now that's funny... unless it turns out to be true.

I've even heard a guy who claimed that the anti-virus companies' employees write the viruses... eather with the companies' knowledge or not. He claimed that they did this to "keep the demand up for AntiVirus software." Now that's scary.

If I have anybody in the world to blame for this, I'd like to blame the following, who made this possible: 1. Microsoft and their horribly easy to infect OS and mail client. and 2. Kazaa for helping the comunity spread filth.

And SCO: I dissagree with your suit against Linux and Co., but you do not deserve this attack. The rest of the world also does not deserve to help clean up this mess which you are the obvious target.

*Sigh*... I'll be up late getting ready for tomarrow's onslaugt of computers to disinfect.

Pathway

Why would a Linux user do that?

[dtfinch]

SCO will most definitely use the virus as evidence to their argument that all Linux users are criminals. Because you know, of the millions of Linux users out there, after nearly a year of putting up with outright lies, insults, threats, and slander, one person among the countless millions got angry enough to release a virus against SCO. If one out of the millions of Linux users was capable of that, just imagine what the rest of them are capable of. At least that's how any argument from SCO would probably sound to us, except that it begs the natural response "They were running Windows!!!"

Re:This is not a good thing

[Reziac]

I un-UPX'd the virus and looked at the text strings. It struck me as a little odd that those related to email headers are ROT-13'd (no kidding, they really are). I've looked at a lot of email trojans, and this is the first time I've seen that done. Here's a sample:

K-ZFZnvy-Cevbevgl: Abezny
K-Cevbevgl: 3 boundary="%s"
Pbagrag-Glcr: zhygvcneg/zvkrq;
ZVZR-Irefvba: 1.0

unROT-13'd, it becomes:

X-MSMail-Priority: Normal
X-Priority: 3 obhaqnel="%f"
Content-Type: multipart/mixed;
MIME-Version: 1.0

Another ROT-13'd string in the virus:
FZGC Freire Fbsgjner\Zvpebfbsg\Vagrearg Nppbhag Znantre\Nppbhagf
decodes to:
SMTP Server Software\Microsoft\Internet Account Manager\Accounts

Overall, I get the impression that this is a one-shot by someone who isn't normally in the virus creation business, so to speak. It just doesn't "look right".

Anyone who's disassembled it have any comments on how it's constructed??

Re:Finally!

[JuggleGeek]

The Russ Nelson at http://russnelson.com is fairly well known. I would be seriously surprised if he were involved. I think it's much more likely that he's a target, just like the SCO (and in a less direct way, Kazaa.)