Today's Windows Virus - MyDoom / Novarg
Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
It's HUGE (Score:5, Interesting)
At least the MRTG graphs are pretty.
uhm. (Score:2, Interesting)
will it show up in the popular press? (Score:2, Interesting)
Any guesses on how botched/one-sided/anti-Linux their explanation will be?
Not that this virus writer is helping things with this stupid thing.......
I really hate you (Score:1, Interesting)
you've cost me, and my team, and my company, more time and energy than i care to note.
guess you forgot all about the people who actually use open source and promote it, cuz you screwed them too.
Re:Finally! (Score:5, Interesting)
http://vil.nai.com/vil/content/v_100983.htm [nai.com]
(Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.
I would like to see a study done (Score:5, Interesting)
Wine (Score:2, Interesting)
I was trying to look at what these messages were, and I executed the contents via Wine.
A Notepad window with garbage appeared, then I did a netstat and I saw the control port being controlled from a Wine instance.
So I think it runs on Wine.
I killed the Wine instance and the port stopped listening.
Re:This is not a good thing (Score:2, Interesting)
So really, spam is _yet again_ associated with terrorism.
-DrkShadow
Re:DOS huh? (Score:2, Interesting)
Re:Oh no (Score:3, Interesting)
a.) The fringe Linux zealots are upset enough to do something like that.
b.) An SCO employee, investor, or somebody from IBM isn't going to attract legal attention.
c.) There aren't many people who'd prioritize an attack on SCO over
It'd be moronic for a Linux zealot to not be at the top of the suspects list for what happened here.
Interestink pheachure (Score:2, Interesting)
Actually, That's What I Was Wondering... (Score:3, Interesting)
1. Receive mail.
2. Open mail.
3. Double-click attachment. This opens the archive.
4. Double-click the payload inside the attachment, thus executing it.
5. Get infected. Lather, rinse, repeat.
So, in order to get infected, you have to open a suspect file inside a suspect archive inside a suspect e-mail.
And it's spreading like wildfire. I was going to ask "are people really this dumb", but I guess the empirical data available makes that question moot...
-HubCity
Altrok & Altrok Radio [altrok.com]
SCO Makes me mad. (Score:3, Interesting)
I work at a company that has offices all over the world. One of our offices has XO Communications as its ISP. The same ISP that SCO uses. I often hear one of our network engineers cursing them because the service is poor and outages are not handled in a timely manner. It's not hard to DoS them.
Perhaps the virus should have focused on a more useful target, like the law offices that are handling the whole SCO fiaSCO.
repeat after me (Score:4, Interesting)
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
Sure, I can write a fake su or sudo in three lines of bash script. The way beginner Linux distros sudo their way to hell, zillions of users will be affected by this the day Linux gets to the vast unwashed desktop masses.
Are more Windows viruses due to hatred? (Score:3, Interesting)
DDoS threat or /. ? (Score:1, Interesting)
Re:Why do people keep clicking... (Score:5, Interesting)
Because clicking on an attachment shouldn't do anything. Only a fascist pig with a read-only mind would think it even a remotely good idea for an email client (note: "email client", as in handles email. The term, "program launcher" isn't expressed or implied anywhere in there) to load and launch an attachment.
There are very narrow cases where it's okay to do something. If its MIME type is text/plain, it's okay to display it. If its MIME type is text/html, it might be okay to display it (providing you block JavaScript execution). If it's a media file (image/whatever, audio/whatever), then it's probably okay to launch a viewer or display it inline. If it's a compressed archive, it's probably okay to display a listing of its contents (automatically unpacking it is right out). And finally, if it's executable, a warning should be displayed before you allow the user to save -- not launch, save -- the attachment.
Always believe the MIME type. If the filename extension and the MIME type conflict, and you are saddled with an OS designed by orangutans where the three character extension of the filename determines its type, then append to the filename the OS's local extension representing that MIME type before handing off for subsequent interpretation.
Despite how many times The Finest Engineers Working In The Industry have fscked this up, this is not, and never has been, rocket science.
Schwab
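The attachment policy the comment above describes, written out as an added example (it is not Schwab's code, nor any mail client's): the action is chosen from the declared Content-Type alone, "launch" is not an available action, and when the sender's filename extension disagrees with the MIME type the local extension for that type is appended before the file is handed to anything else. The `Attachment` class, the action names and the use of Python's `mimetypes` table as the "OS's local extension" are assumptions of this example.

```python
import mimetypes
from dataclasses import dataclass


@dataclass
class Attachment:
    """One MIME part as the client sees it; both fields are sender-controlled."""
    filename: str    # from Content-Disposition / Content-Type name=
    mime_type: str   # Content-Type value, possibly with parameters


# Actions a client may take; note that "launch" is deliberately not among them.
DISPLAY, DISPLAY_NO_SCRIPT, VIEW, LIST_CONTENTS, SAVE_WITH_WARNING = (
    "display", "display-no-script", "view", "list-contents", "save-with-warning")

ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def media_type(content_type: str) -> str:
    """'TEXT/HTML; charset=utf-8' -> 'text/html' (lower-cased, parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def decide_action(att: Attachment) -> str:
    """Pick the client's action from the declared MIME type alone; the filename is ignored."""
    t = media_type(att.mime_type)
    major = t.partition("/")[0]
    if t == "text/plain":
        return DISPLAY
    if t == "text/html":
        return DISPLAY_NO_SCRIPT            # render, but with scripting disabled
    if major in ("image", "audio", "video"):
        return VIEW
    if t in ARCHIVE_TYPES:
        return LIST_CONTENTS                # show the listing; never auto-unpack
    # application/octet-stream, application/x-msdownload and anything unrecognised:
    # offer to save, behind a warning, and never execute.
    return SAVE_WITH_WARNING


def safe_filename(att: Attachment) -> str:
    """Name to save under: basename only, and if the extension disagrees with the
    declared MIME type, append the extension the local system maps that type to."""
    # Strip any directory part the sender supplied, for either separator.
    name = att.filename.replace("\\", "/").rsplit("/", 1)[-1] or "attachment"
    t = media_type(att.mime_type)
    expected = mimetypes.guess_extension(t)   # assumption: mimetypes stands in for the OS table
    if expected is None:
        return name                           # no local mapping for this type; leave as-is
    guessed, _ = mimetypes.guess_type(name)
    if guessed == t:
        return name                           # extension and MIME type agree
    # e.g. "readme.exe" declared as text/plain gets the text/plain extension appended,
    # so an extension-driven OS will treat it as text rather than as a program.
    return name + expected
```

Since the sender controls both the Content-Type and the filename, the renaming only removes the extension-spoofing trick; the protection that actually matters is that no branch of `decide_action` ever runs the file.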
Re:ClamAV to the rescue (Score:2, Interesting)
My mail server has been filtering out these messages for the last 24 hours or so. Thousands of e-mails stopped and no end in sight.
This was probably done to defame us (Score:5, Interesting)
Bruce
Re:Finally! (Score:1, Interesting)
RIAA revenge? (Score:3, Interesting)
What if a virus were written by the RIAA? It could plant itself, activate when it sees a violation, and report the user over the internet.
Similar to the way the FBI operates. Only the FBI (usually) uses warrants.
PFFT (Score:1, Interesting)
It's just so...dirty. Even if it means hurting SCO, I don't want to touch the stuff.
Re:Serves people right.. (Score:2, Interesting)
I especially like the fishing lure that says 'harmful if swallowed.'
from scoreport.com: (Score:5, Interesting)
ARE YOU IDIOTS INSANE?
(FYI, I am a college student, U of W @ Madison) I didn't hear about this new virus until now. But at about 4:30 PM today, I get this email from an attractive, intelligent female friend of mine from high school. She goes to Knox College in Illinois. (Let's call her Kristin) The email is listed below in its entirety, but basically it says watch out for this new virus. So I figure, OK, maybe some stupid Bagle (Beagle, whatever) virus variation has come out, and computer illiterate college students haven't figured out how to push the big Update button on their virus scanners. No biggie.
So late evening, around 6:30 PM, I go to a student government meeting (contrary to published doctrine, some college students actually give a shit about what's happening in the world.) I get back, check
Now, I think everyone here knows I dislike SCO. I own websites that are anti-them (Check my sig, the scolawsuit.com link above, and Litigiousbastards.com linking campaign [litigiousbastards.com]). But this is not the type of publicity we need. This gives SCO more ammunition, when it needs less. Guess what? The public equates viruses like this to terrorism. The average Joe Sixpack will think "Oh, this poor company's getting hurt by terrorism! These gosh darn Linux assholes are terrorists!" Can you say Guantanamo Bay?
If you want to DOS someone, do something constructive like sending an email to a Congressman/woman, donate to Groklaw.
(And yes, I must admit, and in the spirit of fairness, I was laughing out loud when I saw this article)
My friend's letter:
Hey everyone - Just something you might want to be aware of even with the virus protection software that you have. School is going well, and I am really enjoying myself here. I have a lot of work, but I am having fun. I even had a bat in my room, which was interesting. Ok, time to go back and do homework.
Kristin
=Original Message=
From: "M. Sean Riedel"
Date: Mon, 26 Jan 2004 15:59:33 -0600
A new virus, yet to be named, is spreading quickly and has slipped by many AntiVirus applications. If you have received a message with the following parameters, delete it immediately without opening the attachment. You will only become infected if you open the attachment.
The common factor in its profile is that it carries an unsolicited attachment. So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl" attached to messages all with either the
As always, if you receive messages with attachments from anyone you do not know or unexpected attachments from people you do know, don't open them. If the message is from an unknown party, just delete it. If it is from someone you know, verify with that person that the attachment was intended since many viruses will forge the sender.
M. Sean Riedel
Computer Center
Knox College
DDOS active Feb. 1 - 12th. (Score:5, Interesting)
SCO hasn't been attacked yet. It doesn't kick in until Feb 1st and then it doesn't even go for two weeks.
How kind of virus writers to put a time cap on how long it does damage.
Amazing... and just plain wrong. (Score:3, Interesting)
Then, the phone rang, and I had my first 2 computers infected on my network. It was 3pm, and it was first discovered at about 1pm. (PST)
This is no laughing matter.
Whoever wrote this was quite the skilled assassin: Works on 95 thru XP machines? Transports by mail with its own SNMP daemon? Spreads over Kazaa? This is very well planned.
The thought that a pro-Linux activist did this disgusts me. There is no way this can be good for Linux's fight against SCO. Hopefully it can be proved to originate from somewhere, because if it comes from a Linux user, the Linux community will damn him. If it comes from anywhere else, then the extra leverage on the SCO vs. Linux suit will be lifted.
Then we have the conspiracy theorists: SCO wrote it themselves! Now that's funny... unless it turns out to be true.
I've even heard a guy who claimed that the anti-virus companies' employees write the viruses... either with the companies' knowledge or not. He claimed that they did this to "keep the demand up for AntiVirus software." Now that's scary.
If I have anybody in the world to blame for this, I'd like to blame the following, who made this possible: 1. Microsoft and their horribly easy to infect OS and mail client. and 2. Kazaa for helping the community spread filth.
And SCO: I disagree with your suit against Linux and Co., but you do not deserve this attack. The rest of the world also does not deserve to help clean up this mess of which you are the obvious target.
*Sigh*... I'll be up late getting ready for tomorrow's onslaught of computers to disinfect.
Pathway
Why would a Linux user do that? (Score:3, Interesting)
Re:This is not a good thing (Score:5, Interesting)
K-ZFZnvy-Cevbevgl: Abezny
K-Cevbevgl: 3 boundary="%s"
Pbagrag-Glcr: zhygvcneg/zvkrq;
ZVZR-Irefvba: 1.0
unROT-13'd, it becomes:
X-MSMail-Priority: Normal
X-Priority: 3 obhaqnel="%f"
Content-Type: multipart/mixed;
MIME-Version: 1.0
Another ROT-13'd string in the virus:
FZGC Freire Fbsgjner\Zvpebfbsg\Vagrearg Nppbhag Znantre\Nppbhagf
decodes to:
SMTP Server Software\Microsoft\Internet Account Manager\Accounts
Overall, I get the impression that this is a one-shot by someone who isn't normally in the virus creation business, so to speak. It just doesn't "look right".
Anyone who's disassembled it have any comments on how it's constructed??
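Recovering strings like the ones quoted above without a disassembler, as an added example that is not the commenter's code nor taken from the worm: scan a buffer for printable runs, ROT-13 each run, and keep the ones whose decoded form contains a marker an analyst expects to see (a mail header name, a registry path). The `SAMPLE` buffer is constructed here from the strings quoted in the comment, padded with filler bytes; it is not a real binary, and the marker list is an assumption that an analyst would grow as they go.

```python
import codecs
import re

# Constructed sample buffer: three of the ROT-13'd strings quoted in the thread,
# one plain string, and some filler bytes. Not a real worm sample.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    b"K-ZFZnvy-Cevbevgl: Abezny\x00"
    b"ZVZR-Irefvba: 1.0\x00\xff\xfe"
    b"FZGC Freire Fbsgjner\\Zvpebfbsg\\Vagrearg Nppbhag Znantre\\Nppbhagf\x00"
    b"plain text here\x00"
)

# Runs of at least six printable ASCII bytes, like the classic `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Substrings we expect the *decoded* form of an interesting string to contain.
# Assumed starting list; a real analysis would extend it as strings are found.
MARKERS = (
    "X-MSMail-Priority",
    "MIME-Version",
    "Content-Type",
    "Software\\Microsoft",
    "SMTP Server",
)


def rot13(s: str) -> str:
    """ROT-13 is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(s, "rot_13")


def extract_strings(buf: bytes) -> list:
    """Printable ASCII runs in the buffer, in order of appearance."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(buf)]


def find_rot13_strings(buf: bytes) -> list:
    """Return (encoded, decoded) pairs for runs whose ROT-13 form contains a marker.

    Runs that decode to nothing recognisable (including genuinely plain strings,
    which ROT-13 turns into gibberish) are dropped.
    """
    hits = []
    for s in extract_strings(buf):
        decoded = rot13(s)
        if any(marker in decoded for marker in MARKERS):
            hits.append((s, decoded))
    return hits


if __name__ == "__main__":
    for encoded, decoded in find_rot13_strings(SAMPLE):
        print(f"{encoded!r} -> {decoded!r}")
```

Because ROT-13 maps letters to letters and leaves punctuation, digits and backslashes alone, the encoded registry path still looks like a path and the encoded header still has its colon and space, which is why a plain printable-run scan finds them at all; the marker test is what separates them from the unencoded strings in the same buffer.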
Re:Finally! (Score:2, Interesting)