
Today's Windows Virus - MyDoom / Novarg

Posted by timothy
from the are-you-virus-capable dept.
Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.

  • Finally! (Score:5, Funny)

    by someonehasmyname (465543) on Monday January 26, 2004 @08:40PM (#8094762)
    Finally, a worthwhile virus!!
  • by edrugtrader (442064) on Monday January 26, 2004 @08:40PM (#8094770) Homepage
    i just got the patch off of kazaa... sweet jesus, just in the nick of time.

    whew.

    i was scared there for a ss.....[NO CARRIER]
  • DOS huh? (Score:5, Funny)

    by Armethius (718200) <jtunnell@u t k .edu> on Monday January 26, 2004 @08:40PM (#8094772)
    "Second, it can perform a denial-of-service against www.sco.com" Will this be the first virus I willingly load on my machine?
    • Re:DOS huh? (Score:3, Funny)

      by caluml (551744)
      Fair play to SCO - their site is still up, and serving pages. Must be running that excellent Linux operating system. They should get involved with that - maybe they could update their "Unix" with some of its ideas? Hell, it's open source, so they could just cut and paste.

      Seriously, what's the betting that the author reads Slashdot? High.

    • Re:DOS huh? (Score:3, Insightful)

      by ciroknight (601098)
      People.. seriously. If you want to DDOS SCO, use wget and grab the whole site to /dev/null. Sure, it's not anything special, but it works, and you don't have to load a virus which mass-mails and fucks up filesharing..
    • Re:DOS huh? (Score:5, Funny)

      by bsharitt (580506) * <brandon@sDALIharitt.com minus painter> on Monday January 26, 2004 @08:57PM (#8095043) Homepage Journal
      Damn it, they don't make enough Mac compatible viruses.

    • Here's the google cache [216.239.57.104] of the sco site for when the virus takes over.

      SCO, killing orphans and nuns since 1999.
    • Re:DOS huh? (Score:5, Funny)

      by PhxBlue (562201) on Monday January 26, 2004 @09:02PM (#8095117) Homepage Journal

      Will this be the first virus I willingly load on my machine?

      No, it'll be the second. You have to load Windows first.

      • Re:DOS huh? (Score:5, Funny)

        by Nahor (41537) on Monday January 26, 2004 @10:09PM (#8095829)
        It's well known that Windows is not a virus (shamelessly copied from here [slothmud.org])

        1. Viruses are free.
        2. Viruses can be gotten from any good BBS.
        3. If detected soon enough, most viruses can be removed from your computer without a huge loss of data and time.
        4. Viruses don't take up HUGE wads of disk space.
        5. Viruses don't need 4 meg of RAM to run.
        6. Viruses do something.
        7. Viruses come in flavors, not just one-size-fits-all.
        8. Viruses use "cutting edge" programming skills to make themselves less noticeable (until they are ready to be noticed).
        9. Viruses don't have major bugs. (If they do, then they don't work, so they're not viruses.)
        10. Viruses don't have three different sets of documentation that are all mixed up and wrong.
        11. Viruses don't leak things to the press about the upcoming Jerusalem 95, to keep people from switching to Michelangelo/2 Warp or better yet, XJerusalem.
        12. Viruses don't put out stupid two page ads in magazines centered around the March 6 "activate button".
        13. Viruses aren't on every computer.
        14. Viruses don't have stupid wizards.
        15. Who cares if a virus is 16 bit, even though it is advertised as 32?
        16. Viruses don't say that they are user "friendly", when they aren't.
        17. Viruses can run on PCDOS without warnings.
        18. Viruses when installing themselves don't try to send private info about your computer over the phone lines to microstoned-net.
        19. Viruses install themselves.
        20. Viruses don't try to push out all competition. They just try to do their job.
        21. Virus makers don't try to buy Intuit (makers of Quicken; wouldn't that be fun, America's biggest financial software company owned by a virus maker).
        22. Viruses don't invade and take over PC Magazine, filling it with 100% junk on Win95.
        23. Viruses don't try to copy what Apple does.
        24. There are programs you can buy, or get free to remove viruses.
  • Great! (Score:3, Funny)

    by Idou (572394) * on Monday January 26, 2004 @08:40PM (#8094774) Journal
    "Second, it can perform a denial-of-service against www.sco.com."

    How do I get it?
    • Re:Great! (Score:5, Funny)

      by nocomment (239368) on Monday January 26, 2004 @08:43PM (#8094822) Homepage Journal
      "Second, it can perform a denial-of-service against www.sco.com."

      Initial investigation on the Snort mailing list, seems to suggest that it opens up 63 threads that request sco's index page once every 300ms.

      I just installed it on all of my servers ;-)
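      The traffic pattern described in the comment above (63 threads, one GET for the index page every 300 ms, so roughly 210 requests a second from a single infected host) is easy to spot on the receiving end. What follows is an added example, not code from the thread or from any analysis of the worm: a Python script that buckets Apache combined-log lines per client per second and reports the hosts whose peak rate for "/" crosses a threshold. The log lines, the IP addresses and the threshold of 50 requests a second are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined log format. Added example: nothing here comes from the
# thread or from any published analysis of the worm; the log is constructed.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    # Drop the timezone; per-second bucketing inside one log does not need it.
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return ip, when, method, path


def flood_sources(lines, path="/", threshold=50):
    """Map each client IP whose peak one-second GET rate for `path` reaches
    `threshold` to that peak. The threshold is an assumed value; set it above
    the per-client peak your real traffic shows."""
    buckets = defaultdict(Counter)  # ip -> Counter(second -> requests)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, p = rec
        if method == "GET" and p == path:
            buckets[ip][when] += 1
    peaks = {ip: max(c.values()) for ip, c in buckets.items()}
    return {ip: peak for ip, peak in peaks.items() if peak >= threshold}


def make_sample_log():
    """Constructed log: one infected host hitting / at the rate reported in
    the comment (63 threads, one GET every 300 ms, about 210 requests/s),
    plus ordinary browsing from two other clients and one unparseable line."""
    fmt = '%s - - [%s +0000] "GET %s HTTP/1.1" 200 4123 "-" "Mozilla/4.0"'
    base = datetime(2004, 2, 1, 16, 0, 0)

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S")

    lines = [fmt % ("10.0.0.5", stamp(base), "/") for _ in range(210)]
    for i, p in enumerate(["/", "/products/", "/about.html"]):
        lines.append(fmt % ("192.0.2.7", stamp(base + timedelta(seconds=i)), p))
    lines.append(fmt % ("198.51.100.2", stamp(base), "/"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(make_sample_log()).items()):
        print("%s peaked at %d GET / per second" % (ip, peak))
```

      Run `flood_sources(open("access_log").read().splitlines())` against a real log and tune the threshold above the per-client peak you actually see. A worm-driven flood arrives from many hosts at once, so the useful alert is usually the number of distinct flagged IPs rather than any single one of them.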
    • Re:Great! (Score:4, Insightful)

      by tigerc (628630) on Monday January 26, 2004 @08:53PM (#8094980)
      "Second, it can perform a denial-of-service against www.sco.com."

      Even though I do not approve of SCO's actions against Linux and the open source movements, the spread of a DOS attack against SCO's website is downright wrong. You should be ashamed of the fact that you place yourself on the side of the people who think it is indeed funny to take a company's site down. Does it really matter if they are a hated group? A DOS attack is just plain wrong. In fact, it might be the lowest form of 'revenge' out there.

      If you continue to support these crackers, then SCO is no longer the big Goliath, and SCO's allegations about the dirty open source movement have some validity. The statement, "hey, it's SCO" proves that we are indeed as bad as McBride. If we want to be victorious in the open source/Linux vs. SCO fight, then we must hold ourselves higher than supporting DOS attacks against SCO.
  • by Breakfast Pants (323698) on Monday January 26, 2004 @08:40PM (#8094777) Journal
    Who the hell is gonna open a 3kb executable from kazaa?
  • Reuters Story (Score:5, Informative)

    by ThousandStars (556222) on Monday January 26, 2004 @08:40PM (#8094779) Homepage
    Here's another [reuters.co.uk] story.

    Funny that I come to submit the article and already find it at the top of the page...
  • DDOS SCO (Score:5, Funny)

    by forsetti (158019) on Monday January 26, 2004 @08:41PM (#8094789)
    Ok -- which one of you wrote this.....
  • Virus... (Score:5, Funny)

    by pardasaniman (585320) on Monday January 26, 2004 @08:41PM (#8094792) Journal
    Back in my day, viruses came in via the boot sector of a floppy. You actually had to know fudge to write one.

    You young whipper-snapper virus writers and your MS holes have got it way too easy.

    On one hand it seems to be written by the RIAA, on the other it looks like some linux loony, can it be both?!
  • idiots. (Score:5, Funny)

    by edrugtrader (442064) on Monday January 26, 2004 @08:42PM (#8094806) Homepage
    5 posts so far, and 3 of them are of the "I WANT TO PARTICIPATE IN A SCO.COM DDOS" variety.

    people... that is illegal and not the way to win the fight.

    i'd say more, but i have to go load that virus on my 3 other laptops.
  • by Tassleman (66753) on Monday January 26, 2004 @08:43PM (#8094823) Homepage
    Second, it can perform a denial-of-service against www.sco.com

    Great. This will give SCO some good PR ammo. Thanks guys.
  • DDoS (Score:5, Insightful)

    by DRUNK_BEAR (645868) on Monday January 26, 2004 @08:45PM (#8094846)
    It's all fun and jokes at first, but if we look at it from the public's eyes, these types of attacks give a bad name to OSS and the Linux community.

    Obviously, SCO has many enemies. Most of them are probably *nix users and the public knows that. If we want to have the public favor OSS, reputation is also important.

    Just my 0.02$

  • by Tyrdium (670229) on Monday January 26, 2004 @08:45PM (#8094849) Homepage
    Think about it. Until now, the Linux community has seemed very innocent over this whole issue. It's simply a matter of a company trying to oppress people for its own gain (at least in the courts' eye). When people start doing illegal things such as writing viruses to get back at SCO, on the other hand, the Linux community loses much of its innocence. Look beyond the surface; this is a big PR hit for the Linux community. Remember the debate when SCO was DDoSed? This is the same thing, but much worse, and on a larger scale. Writing a virus in itself is illegal, given their nature, and a DDoS is also illegal (I'm not counting Slashdottings and the like).
    • by finkployd (12902) on Monday January 26, 2004 @08:51PM (#8094938) Homepage
      What leads you to believe this is someone from the Linux community? I say it is equally likely someone who hates Linux and wants to make it look bad. Out of work MCSE? SCO employee (assuming they still have people there who can code)? Who knows. Given that this whole SCO mess has been nothing more than a PR war I wouldn't put it past them to have someone do this to improve their image.

      Finkployd
      • What leads you to believe this is someone from the Linux community?

        Doesn't matter, unless they catch the writer and prove it to be something else. As you showed with the SCO conspiracy theory it's the Linux community that is going to catch the flack.
      • by Reziac (43301) on Tuesday January 27, 2004 @03:03AM (#8097519) Homepage Journal
        I un-UPX'd the virus and looked at the text strings. It struck me as a little odd that those related to email headers are ROT-13'd (no kidding, they really are). I've looked at a lot of email trojans, and this is the first time I've seen that done. Here's a sample:

        K-ZFZnvy-Cevbevgl: Abezny
        K-Cevbevgl: 3 boundary="%s"
        Pbagrag-Glcr: zhygvcneg/zvkrq;
        ZVZR-Irefvba: 1.0

        unROT-13'd, it becomes:

        X-MSMail-Priority: Normal
        X-Priority: 3 obhaqnel="%f"
        Content-Type: multipart/mixed;
        MIME-Version: 1.0

        Another ROT-13'd string in the virus:
        FZGC Freire Fbsgjner\Zvpebfbsg\Vagrearg Nppbhag Znantre\Nppbhagf
        decodes to:
        SMTP Server Software\Microsoft\Internet Account Manager\Accounts

        Overall, I get the impression that this is a one-shot by someone who isn't normally in the virus creation business, so to speak. It just doesn't "look right".

        Anyone who's disassembled it have any comments on how it's constructed??

  • ClamAV to the rescue (Score:5, Informative)

    by Jibber (83396) on Monday January 26, 2004 @08:47PM (#8094861) Homepage
    Hi,

    I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.

    Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.

    Jib
  • It's HUGE (Score:5, Interesting)

    by Leme (303299) <{jboyce} {at} {ci.redding.ca.us}> on Monday January 26, 2004 @08:49PM (#8094894)
    Our virus filtering usually quarantines around 40 messages per hour. Right now we're seeing over 1600 per hour.

    At least the MRTG graphs are pretty.
  • by RY (98479) on Monday January 26, 2004 @08:51PM (#8094927) Homepage Journal
    To show that there are no hard feelings after the virus entered my work network, I would like to invite the virus writer to play a game of baseball.

    Just show up, I'll bring the bat!!!!!!!
  • by Anonymous Coward on Monday January 26, 2004 @08:51PM (#8094930)
    Unlike some other *cough* commercial virus scanners. If you have your MTA set up properly with clamav (like qmail+qmail-scanner), a simple "freshclam --stdout" will do, then watch the "SCO.A" log messages scroll on by.
  • A threat? Really? (Score:5, Insightful)

    by unfortunateson (527551) on Monday January 26, 2004 @08:52PM (#8094956) Journal
    Let me get this straight:
    1) It has a simple text message plus a binary payload attachment.
    2) It uses no M$ exploits (patched or unpatched) to install itself.
    3) It depends on someone opening the attachment to start an infection.

    And after all this time, people are still clicking on binary attachments? Great googly moogly. At least this sucker is only 20-40K. I'm sick of the 140-160K ones swamping my hotmail account. This one will barely be an annoyance.

    To quote Evil Willow Rosenberg: "Bored now."
  • by Dark Lord Seth (584963) on Monday January 26, 2004 @08:53PM (#8094978) Journal

    Attempt to enter some code into some random OSS project that DoSes www.kernel.org or www.gnu.org or something like that then make a big media spectacle out of it. Reveal 'hints' that point to some SCO fanatic inserting the code. On that note, I think SCO is capable of writing a virus to DoS their own site just to get some good PR ammo.

  • Quick to judge (Score:5, Insightful)

    by jmichaelg (148257) on Monday January 26, 2004 @08:53PM (#8094981) Journal
    This topic has barely 30 posts and several posts are already saying it's a Linux user who wrote it. That's a pretty amazing conclusion given the absence of any data.

    Absence of data, hmmm....You guys wouldn't happen to work for sco would you?

  • by theCat (36907) on Monday January 26, 2004 @09:01PM (#8095099) Journal
    that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software. I mean that is a lot of work by someone with at least *some* clue about email. Who is doing this? Is there a profile? Is it generally a home user, or generally at a public school? Is it that there is a subset of people that for their own sick reasons *always* runs infection attachments just to watch the LAN go down so they can go home early? I'm becoming suspicious [tinfoil hat goes on and is pulled down hard]

    • that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software.

      Mac users fit that definition. Why should they care about attachments, really? There will be, one day, I'm sure, a virus that infects Macs--just as there have been in the past. And that will be a day of reckoning, as millions of Mac users scramble to get virus-smart. But the last 4 years of being virus-free, without any A/V software, and blithely opening attachments has made most Mac users pretty carefree, and careless.
  • by TrentC (11023) on Monday January 26, 2004 @09:02PM (#8095113) Homepage
    To all the people who are busy vaulting onto their high horse, ready to scold the Slashdot community for our apparent complicity in this, don't bother. I get so sick of the holier-than-thou attitudes that people cop when the "Linux community" does something to "make Linux look bad".

    First off, why do you assume that the person who wrote the virus is reading Slashdot?
    Second, how do you know he or she isn't cackling with glee over the froth you guys are working up?
    Third, what exactly the hell am I supposed to do about this virus, given that I didn't write it and most likely don't know the person who did write it? Feel bad for SCO?

    If I were a script kiddie, this is exactly the effect I'd go for; try to piss off Windows users and Linux users all in one shot.

    Face it, the "Linux community" is made up of lots and lots of different people, and it only takes a handful to make life harder for the rest of us. But scolding Slashdot isn't going to do anything other than make yourself feel good.

    Jay (=
  • But..... (Score:4, Insightful)

    by agent dero (680753) on Monday January 26, 2004 @09:05PM (#8095159) Homepage
    Does it run on linu.....

    Oh nevermind
  • by Wee (17189) on Monday January 26, 2004 @09:08PM (#8095196)
    A few people get mail off my personal domain. They're all Windows users. I added this to my .procmailrc file:

    # B = match against the body, which is where the MIME part headers live.
    # The optional quotes let the rule catch an unquoted filename= as well.
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename="?.*\.(pif|exe|scr|zip|bat|cmd)"?
    /home/wee/mail/virus

    Looks like it works:

    wee@foo:~$ grep 'mail/virus' .procmaillog | wc -l
    21

    Not terribly efficient, but every little bit helps.

    -B

  • by Anonymous Coward on Monday January 26, 2004 @09:15PM (#8095253)
    "W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer."

    From www.sophos.com
  • by shaitand (626655) on Monday January 26, 2004 @09:17PM (#8095267) Journal
    I DO in fact have a paypal account and am willing to accept donations for my contributions to society.

    Send donations to:
    wenNOdoy@SPAMconsolidated.net
  • repeat after me (Score:4, Interesting)

    by Knights who say 'INT (708612) on Monday January 26, 2004 @09:33PM (#8095409) Journal
    if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.

    if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.

    if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.


    Sure, I can write a fake su or sudo in three lines of bash script. The way beginner Linux distros sudo their way to hell, zillions of users will be affected by this the day Linux gets to the vast unwashed desktop masses.

  • by tacokill (531275) on Monday January 26, 2004 @09:58PM (#8095711)
    Alright. Now listen up. Here's the deal....and I'm not accusing anyone...I'm just saying...

    "The worm encrypts most of the strings in its UPX-packed body with ROT13 method," [f-secure.com]


    I *KNOW* it was one of you fuckers...
  • by ghostis (165022) on Monday January 26, 2004 @10:26PM (#8095996) Homepage
    Well I have my copy! Arrived in my fiancee's inbox this afternoon. She helped me analyze it in Linux over the phone. (She's a biblical scholar when she's not hacking. What's not to love? :) Well we ran strings on it, among other things: it contains a few nuggets:

    o Part way down the strings output there the following:

    (sync.c,v 0.1 2004
    1/xx
    : andy)

    Weird.

    sync.c: I believe is a linux kernel file? Maybe it was written on Linux? Who knows.

    o Further down is:

    notepad %s
    Message

    This is consistent with the notepad screenshot on McAfee.com

    o Then some more weirdness: /abcd
    ghijklm
    pqrstNwxyzg
    ABCDEFGHIJKLMNOPQRSTU VWXYZ

    I guess this cracker knows the alphabet. I am impressed!

    o More funniness:

    Sack_i
    smith[C
    &joe?neo/

    Matrix fan?

    o gold-Pxc

    I guess this is reference to the electronic banking system it attacks

    o Further down:

    USERPROFI

    Going for the registry I see...

    o More sequences

    ASCII
    r=it f
    0aA!0123456789+

    My guess is that the sequences are character food for the random message generator

    o Towards the end:

    Libra

    I guess this hacker is indecisive ;-)

    o Finally, it wraps up with a list of windows dlls and function names.

    -ghostis
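    Reziac's un-ROT13ing of the header strings, the F-Secure note quoted by tacokill, and the `strings` dump above are all the same triage step: pull printable strings out of the unpacked binary and decide which of them are obfuscated. The Python below is an added example (not code from the thread or from any AV vendor) that automates that step. The byte blob is constructed from the strings quoted in those comments, the keyword list is an assumption, and nothing here is the worm itself.

```python
import codecs
import re

# Added example, not code from the thread. The blob below is constructed from
# the strings quoted in the comments above, laid out roughly as they would sit
# in the unpacked binary (NUL-separated, with non-printable padding); it is
# not a copy of the worm.
SAMPLE = (
    b"\x00\x00K-ZFZnvy-Cevbevgl: Abezny\x00"
    b"K-Cevbevgl: 3 boundary=\"%s\"\x00"
    b"Pbagrag-Glcr: zhygvcneg/zvkrq;\x00"
    b"ZVZR-Irefvba: 1.0\x00"
    b"FZGC Freire Fbsgjner\\Zvpebfbsg\\Vagrearg Nppbhag Znantre\\Nppbhagf\x00"
    b"notepad %s\x00USERPROFILE\x00\x90\x90"
)

# Words a mass mailer cannot avoid in its headers and registry lookups.
# Assumed list, drawn from the decoded strings posted above; extend per family.
KEYWORDS = ("Priority", "Content-Type", "MIME-Version", "Microsoft", "SMTP")


def extract_strings(blob, min_len=4):
    """Poor man's `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, blob)]


def rot13(text):
    return codecs.decode(text, "rot_13")


def triage(blob):
    """For each string return (raw, rot13(raw), obfuscated). A string counts as
    obfuscated when the decoded form contains a keyword and the raw form does
    not. Digits and punctuation survive ROT13, so a line that mixes an encoded
    prefix with a plaintext tail (the X-Priority one) still scores."""
    out = []
    for raw in extract_strings(blob):
        dec = rot13(raw)
        obfuscated = any(k in dec for k in KEYWORDS) and not any(k in raw for k in KEYWORDS)
        out.append((raw, dec, obfuscated))
    return out


def decoded_strings(blob):
    """Plaintext of the obfuscated strings only: what you would hand to
    whoever writes the mail filter or the AV signature."""
    return [dec for _raw, dec, flagged in triage(blob) if flagged]


if __name__ == "__main__":
    for raw, dec, flagged in triage(SAMPLE):
        print("%s  %-40s -> %s" % ("ROT13" if flagged else "plain", raw, dec))
```

    Note what happens to the X-Priority line: `boundary="%s"` was stored in the clear, so ROT13 turns it into `obhaqnel="%f"`. A scrambled tail and a format specifier flipping from %s to %f are the tell that the string was assembled from an encoded prefix and a plaintext suffix; when you see that, decode per substring rather than per line.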

  • by skinfitz (564041) on Monday January 26, 2004 @10:27PM (#8095997) Journal
    it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis.

    Cut to the labs of the antivirus companies:

    Sir! The new virus seems to launch a DDoS against sco.com!

    REALLY? Great work! Now .. lets take our time over this.. no need to rush things now is there? I mean - we wouldn't want to make a mistake or anything now would we?

    Take a 2 day lunch.
  • from scoreport.com: (Score:5, Interesting)

    by herrvinny (698679) on Monday January 26, 2004 @11:52PM (#8096632)
    Well, as proprietor of some anti-SCO websites, let me weigh in here:

    ARE YOU IDIOTS INSANE?

    (FYI, I am a college student, U of W @ Madison) I didn't hear about this new virus until now. But at about 4:30 PM today, I get this email from an attractive, intelligent female friend of mine from high school. She goes to Knox College in Illinois. (Let's call her Kristin) The email is listed below in its entirety, but basically it says watch out for this new virus. So I figure, OK, maybe some stupid Bagle (Beagle, whatever) virus variation has come out, and computer illiterate college students haven't figured out how to push the big Update button on their virus scanners. No biggie.

    So late evening, around 6:30 PM, I go to a student government meeting (contrary to published doctrine, some college students actually give a shit about what's happening in the world.) I get back, check /., and what do I see? A virus attacking SCO!

    Now, I think everyone here knows I dislike SCO. I own websites that are anti-them (Check my sig, the scolawsuit.com link above, and the Litigiousbastards.com linking campaign [litigiousbastards.com]). But this is not the type of publicity we need. This gives SCO more ammunition, when it needs less. Guess what? The public equates viruses like this to terrorism. The average Joe Sixpack will think "Oh, this poor company's getting hurt by terrorism! These gosh darn Linux assholes are terrorists!" Can you say Guantanamo Bay?

    If you want to DOS someone, do something constructive like sending an email to a Congressman/woman, donate to Groklaw.

    (And yes, I must admit, and in the spirit of fairness, I was laughing out loud when I saw this article)

    My friend's letter:

    Hey everyone - Just something you might want to be aware of even with the virus protection software that you have. School is going well, and I am really enjoying myself here. I have a lot of work, but I am having fun. I even had a bat in my room, which was interesting. Ok, time to go back and do homework.

    Kristin

    =Original Message=
    From: "M. Sean Riedel"
    Date: Mon, 26 Jan 2004 15:59:33 -0600

    A new virus, yet to be named, is spreading quickly and has slipped by many AntiVirus applications. If you have received a message with the following parameters, delete it immediately without opening the attachment. You will only become infected if you open the attachment.

    The common factor in its profile is that it carries an unsolicited attachment. So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl" attached to messages all with either the .pif, .scr, .zip file extensions.

    We already ban extensions of .pif or .scr. Until the antivirus companies release the definition files to detect this new virus, we are banning the .zip extension also.
    As soon as our vendors update the definition files, we will remove the ban on the .zip extension.

    As always, if you receive messages with attachments from anyone you do not know or unexpected attachments from people you do know, don't open them. If the message is from an unknown party, just delete it. If it is from someone you know, verify with that person that the attachment was intended since many viruses will forge the sender.

    M. Sean Riedel
    Computer Center
    Knox College


  • by Mustang Matt (133426) on Tuesday January 27, 2004 @12:50AM (#8096928)
    Did anyone bother to read the details?

    SCO hasn't been attacked yet. It doesn't kick in until Feb 1st and then it doesn't even go for two weeks.

    How kind of virus writers to put a time cap on how long it does damage.
