Today's Windows Virus - MyDoom / Novarg 847
Oddster writes "There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec
and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.
Finally! (Score:5, Funny)
Re:Finally! (Score:5, Funny)
Re:Finally! (Score:4, Funny)
Re:Finally! (Score:5, Funny)
---Note to John Ashcroft: the above was a joke.
Re:Finally! (Score:4, Insightful)
I thought something like 'ooh' when I read it spreads by kazaa too. I thought maybe it was connecting to the fasttrack network and being a fake kazaa node, but, it just seems to be copying itself to the default kazaa shared folder - so it will only spread via kazaa if you actually use kazaa.
Re:Finally! (Score:4, Informative)
Re:Finally! (Score:4, Funny)
Re:Finally! (Score:5, Funny)
Re:Finally! (Score:5, Interesting)
http://vil.nai.com/vil/content/v_100983.htm [nai.com]
(Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.
Re:Finally! (Score:5, Funny)
The last time someone told me I needed the latest virus patch I got into a shit load of trouble.
And they were from Microsoft.
You think I'm going to believe you. I hit that link and my soul belongs to some Romanian gangster.
I'm not that stupid.
Re:Finally! (Score:5, Funny)
In case the site gets
---
Re:Finally! (Score:5, Funny)
It might be usefull to SCO (Score:5, Insightful)
SCO just started yet another lawsuit, this time with Novell. Now the financial types could be recalculating how many quarters until SCO runs out of cash and has to cease operations. Let's not let them get distracted by stupid email tricks.
I just think it's funny... (Score:4, Insightful)
Hell, my Outlook won't even let those attachments through to begin with. "BUT IT'S A WINDOWS VIRUS!!1"
Comment removed (Score:5, Interesting)
Re:Finally! (Score:5, Funny)
I think www.sco.com as we know it will probably have traffic from this virus FOREVER.
Which they will promptly PR-spin into a positive thing - "We are getting THOUSANDS of licensing inquiries EACH DAY!!" or "Our website has become one of the most POPULAR on the internet, obviously customers are very satisfied!"
Re:Finally! (Score:5, Funny)
Re:Finally! (Score:5, Insightful)
Re:Finally! (Score:5, Funny)
As far as I can tell, this virus is not licensed under the GPL, and I can't find the source for it anywhere...
Re:How does this make open source look bad again? (Score:5, Insightful)
Darl will say Linux supporters must have done it, and the media will quote him, and clueless people will read it and associate whoever did it with us. So while we know it wasn't "one of us" and we don't support it (except in jest), people will read otherwise. We unfortunately don't get to choose who the public associates us with.
off-topic note (Score:4, Funny)
i'm not scared... (Score:5, Funny)
whew.
i was scared there for a ss.....[NO CARRIER]
This was probably done to defame us (Score:5, Interesting)
Bruce
Re:This was probably done to defame us (Score:5, Informative)
Try reading at -1 every once in a while.
DOS huh? (Score:5, Funny)
Re:DOS huh? (Score:3, Funny)
Seriously, what's the betting that the author reads Slashdot? High.
Re:DOS huh? (Score:5, Insightful)
Also, does the virus target by IP address, or does it do a full DNS lookup? If it's just IP, it will be easy for them to change the www record, and the servers address. 60 seconds later, everyone apart from the virus will be able to access the site.
Re:DOS huh? (Score:3, Insightful)
Re:DOS huh? (Score:5, Funny)
Re:DOS huh? (Score:5, Funny)
Re:DOS huh? - karma whoring (Score:3, Funny)
SCO, killing orphans and nuns since 1999.
Re:DOS huh? (Score:5, Funny)
Will this be the first virus I willingly load on my machine?
No, it'll be the second. You have to load Windows first.
Re:DOS huh? (Score:5, Funny)
1. Viruses are free.
2. Viruses can be gotten from any good bbs.
3. If detected soon enough, most viruses can be removed from your computer without a huge loss of data and time.
4. Viruses don't take up HUGE wads of disk space.
5. Viruses don't need 4meg of ram to run.
6. Viruses do something.
7. Viruses come in flavors, not just one-size-fits-all.
8. Viruses use the "cutting edge" programming skills to make themselves less noticable. (untill they are ready to be noticed)
9. Viruses don't have major bugs. (if they do, then they don't work, so they're not virus')
10. Viruses don't have three different sets of documentation that is all mixed up and wrong.
11. Viruses don't leak things to the press about the upcomming Jerusalem 95, to keep people from switching to Michelangelo/2 Warp or better yet, XJerusalem.
12. Viruses don't put out stupid two page adds in magazines centered around the march 6 "activate button".
13. Viruses arn't on every computer.
14. Viruses don't have stupid wizards.
15. Who cares if a virus is 16 bit, even though it is advertised as 32?
16. Viruses don't say that they are user "friendly", when they arn't.
17. Viruses can run on PCDOS without warnings.
18. Viruses when installing themselves don't try to send private info about your computer over the phone lines to microstoned-net.
19. Viruses install themselves.
20. Viruses don't try to push out all compitition. They just try to do their job.
21. Viruses maker's don't try to buy Intuit (makers of Quicken (wouldn't that be fun, America's biggest finacial software company owned by a virus maker))
22. Viruses don't invade and take over PC Magazine, filling it with 100% junk on Win95.
23. Viruses don't try to copy what Apple does.
24. There are programs you can buy, or get free to remove viruses.
Great! (Score:3, Funny)
How do I get it?
Re:Great! (Score:5, Funny)
Initial investigation on the Snort mailing list, seems to suggest that it opens up 63 threads that request sco's index page once every 300ms.
I just installed it on all of my servers
Re:Great! (Score:4, Insightful)
Even though I do not approve of SCO's actions against Linux and the open source movements, the spread of a DOS attack against SCO's website is downright wrong. You should be ashamed of the fact that you place yourself one the side of the people who think it is indeed funny to take a company's site down. Does it really matter if they are a hated group? A DOS attack is just plain wrong. In fact, it might be the lowest form of 'revenge' out there.
If you continue to support these crackers, then SCO is no longer the big Goliath, and SCO's allegations about the dirty open source movement have some validity. The statement, "hey, it's SCO" proves that we are indeed as worse as McBride. If we want to be victorious in the open source/Linux vs. SCO, then we must hold ourselves higher than supporting DOS attacks against SCO.
Serves people right.. (Score:5, Funny)
Re:Serves people right.. (Score:5, Insightful)
Re:Serves people right.. (Score:5, Funny)
Re:Serves people right.. (Score:5, Funny)
I think perhaps the kind of people who would do that do not or cannot read the instruction book anyway but until you realize that you can feel a little unempowered.
Re:Serves people right.. (Score:5, Informative)
The same idiots who install it.
Kazaa is not secure. It installs spyware that monitors keyboard activity. If you type an email address on a PC that has Kazaa, that address will be spammed into oblivion. Webshots does the same thing. Not directly, but through one of many third party applications that are installed silently.
Re:Serves people right.. (Score:5, Funny)
Reuters Story (Score:5, Informative)
Funny that I come to submit the article and already find it at the top of the page...
DDOS SCO (Score:5, Funny)
Re:DDOS SCO (Score:4, Informative)
Nobody from here - we would have just done it with a perl script or some javascript embedded in an html emails' <body onload="melt_the_litigious_bastards_servers()"> tag. .... now let's see...
Hmmm
Re:DDOS SCO (Score:4, Insightful)
Virus... (Score:5, Funny)
You yung whipper-snapper virus writers and your MS holes got it way too easy.
On one hand it seems to be written by the RIAA, on the other it looks like some linux loony, can it be both?!
Re:Virus... (Score:5, Funny)
In my day we had to throw various insects into giant mainframe machines
Re:Virus... (Score:5, Funny)
Re:Virus... (Score:4, Funny)
In in my day, single-cell organisms floated about in the primordial ooze, dreaming of the abacus, and hoping to even spot a loose piece of RNA, much less contact it.
And you try to explain *that* to the youth of today...
Re:Virus... (Score:5, Informative)
idiots. (Score:5, Funny)
people... that is illegal and not the way to win the fight.
i'd say more, but i have to go load that virus on my 3 other laptops.
Re:idiots. (Score:5, Funny)
Re:idiots. (Score:3, Funny)
Oops. I think I hear SCO lawyers slithering out back...
=Smidge=
Re:idiots. (Score:4, Funny)
Tell that to SCO
--
In London? Need a Physics Tutor? [colingregorypalmer.net]
American Weblog in London [colingregorypalmer.net]
This should make us look very professional. (Score:5, Insightful)
Great. This will give SCO some good PR ammo. Thanks guys.
DDoS (Score:5, Insightful)
Obviously, SCO has many ennemies. Most of them are probably nix users and the public knows that. If we want to have the public favor OSS, reputation is also important.
Just my 0.02$
Why? (Score:4, Funny)
This is not a good thing (Score:5, Insightful)
Comment removed (Score:5, Interesting)
Re:This is not a good thing (Score:3, Insightful)
Doesn't matter, unless they catch the writer and prove it to be something else. As you showed with the SCO conspiracy theory it's the Linux community that is going to catch the flack.
Re:This is not a good thing (Score:5, Interesting)
K-ZFZnvy-Cevbevgl: Abezny
K-Cevbevgl: 3 boundary="%s"
Pbagrag-Glcr: zhygvcneg/zvkrq;
ZVZR-Irefvba: 1.0
unROT-13'd, it becomes:
X-MSMail-Priority: Normal
X-Priority: 3 obhaqnel="%f"
Content-Type: multipart/mixed;
MIME-Version: 1.0
Another ROT-13'd string in the virus:
FZGC Freire Fbsgjner\Zvpebfbsg\Vagrearg Nppbhag Znantre\Nppbhagf
decodes to:
SMTP Server Software\Microsoft\Internet Account Manager\Accounts
Overall, I get the impression that this is a one-shot by someone who isn't normally in the virus creation business, so to speak. It just doesn't "look right".
Anyone who's disassembled it have any comments on how it's constructed??
ClamAV to the rescue (Score:5, Informative)
I believe ClamAV was the first virus scanner to pick it up and because they couldn't find any others that had picked it up and named it, they called it "Worm.SCO.A". Gotta like Open Source.
Oh, and I've blocked over 3000 copies of the worm in the last few hours with clamav.
Jib
Re: not hard to beat Norton anyway.... (Score:5, Insightful)
I've removed a *bunch* of back-door trojan horse programs (MovieWorld and so forth) from Windows PCs that were running Norton AntiVirus 2003 with all the latest signature updates being "Live Updated". The freeware AVG Anti-Virus personal edition found them, as did a relatively unknown scanner called Avast.
Why is it people have to pay $30+ per year for a subscription renewal for a big-name, commercial scanner that can't even find things the freeware packages find and remove?
It's HUGE (Score:5, Interesting)
At least the MRTG graphs are pretty.
Looking for the virus writer (Score:5, Funny)
Just show up, I'll brng the bat!!!!!!!
ClamAV already has updated definitions. (Score:4, Informative)
A threat? Really? (Score:5, Insightful)
1) It has a simple text message plus a binary payload attachment.
2) It uses no M$ exploits (patched or unpatched) to install itself.
3) It depends on someone opening the attachment to start an infection.
And after all this time, people are still clicking on binary attachments? Great googly moogly. At least this sucker is only 20-40K. I'm sick of the 140-160K ones swamping my hotmail account. This one will barely be an annoyance.
To quote Evil Willow Rosenberg: "Bored now."
Re:A threat? Really? (Score:4, Insightful)
Re:A threat? Really? (Score:5, Informative)
The first one I got looked like a bounce message, with text saying there were some non-7bit characters so the full message would be in an attachment.
The payload inside the
Believe it or not, there are mailers in the Windows world that send bounces with the original message as an attachment. This worm could easily fool someone who wasn't technical or wasn't paranoid.
Pro SCO PR? Do some counter PR (Score:3, Funny)
Attempt to enter some code into some random OSS project that DoSes www.kernel.org or www.gnu.org or something like that then make a big media spectable out of it. Reveal 'hints' that point to some SCO fanatic inserting the code. On that note, I think SCO is capable of writing a virus to DoS their own site just to get some good PR ammo.
Quick to judge (Score:5, Insightful)
Absence of data, hmmm....You guys wouldn't happen to work for sco would you?
I would like to see a study done (Score:5, Interesting)
Re:I would like to see a study done (Score:5, Insightful)
that aims to define exactly who it is that is opening email, saving attachments, opening the attachment, running the payload, and is not using AV software.
Mac users fit that defintion. Why should they care about attachments, really? There will be, one day, I'm sure, a virus that infects Macs--just as there have been in the past. And that will be a day of reckoning, as millions of Mac users scramble to get virus-smart. But the last 4 years of being virus-free, without any A/V software, and blithely opening attachments has made most Mac users pretty carefree, and careless.
Re:Mom (Score:5, Insightful)
Then you're obviously failing to communicate to your mother the gravity of the situation. In all the years my mother used a Windows machine her computer did not have one virus. The rules are very simple. I also have no trouble at the office. With the exception of the H.R. guy who must open attachments (primarily Word documents) in order to read people's resumes it's been a long time since we had any viruses running on any machines in the Hampton office. Furthermore, through a mistake either my boss or I had made we hadn't set his machine to update virus definitions automatically so I give the H.R. guy a lot of credit for having avoided viruses without it.
It certainly doesn't hurt to have a Symantec Anti-Virus Corporate Edition and to be running Novell GroupWise instead of Microsoft Outlook^WOutbreak but it's not the end-all of virus protection either. Proper user education is an important part of running a network. I keep the users at the office informed about how viruses work and how they propagate. I let them know that I've done all I can and that it's up to them to use their good judgement. I remind them that message headers are just as easily forgeable as the return address on an envelope.
It's worth the time. I'm not saying I just wrote one message and all viruses were gone. I wrote several. I talked face to face with people in the office about it. I ask them what they think about viruses and spam. I give them the information they need to make informed decisions. In the end, it makes my life a lot easier.
The simple problem is that people don't know unless you tell them. They only hear what Tom Brokaw or Katie Couric tells them. Tell them how it really works and they will understand and try their best. A few will slip up. Don't be mad at them, just explain things again so they understand.
The only case where this won't work is if you have a high employee turnover. If you do then let your boss know that viruses are simply another cost of high employee turnover. If you do that then he will have the information he needs to make an informed business decision. Maybe he'll decide it's worth taking some measures to keep people around. Put it in terms of dollars. Do whatever it takes but viruses can become a thing of the past if more companies started to do this.
Trolling /. with viruses? (Score:5, Insightful)
First off, why do you assume that the person who wrote the virus is reading Slashdot?
Second, how do you know he or she isn't cackling with glee over the froth you guys are working up?
Third, what exactly the hell am I supposed to do about this virus, given that I didn't write it and most likely don't know the person who did write it? Feel bad for SCO?
If I were a script kiddie, this is exactly the effect I'd go for; try to piss off Windows users and Linux users all in one shot.
Face it, the "Linux community" is made up of lots and lots of different people, and it only takes a handful to make life harder for the rest of us. But scolding Slashdot isn't going to do anything other than make yourself feel good.
Jay (=
But..... (Score:4, Insightful)
Oh nevermind
Procmail to the rescue (Score:4, Informative)
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr|zip|bat|cmd)"
Looks like it works:
wee@foo:~$ grep 'mail/virus' .procmaillog | wc -l
21
Not terribly effcient, but every little bit helps.
-B
Also breaches security (Score:3, Informative)
From www.sophos.com
Just thought I'd throw in a stray comment... (Score:4, Funny)
Send donations to:
wenNOdoy@SPAMconsolidated.net
repeat after me (Score:4, Interesting)
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
if you install potentially malicious software from unknown sources, you're bound to end up with a broken system. this is not a flaw in the OS.
Sure, I can write a fake su or sudo in three lines of bash script. The way beginner Linux distros sudo their way to hell, zillions of users will be affected by this the day Linux gets to the vast unwashed desktop masses.
the giveaway (Score:5, Funny)
"The worm encrypts most of the strings in it's UPX-packed body with ROT13 method," [f-secure.com]
I *KNOW* it was one of you fuckers...
Funny things on the inside (Score:5, Informative)
o Part way down the strings output there the following:
(sync.c,v 0.1 2004
1/xx
: andy)
Weird.
sync.c: I believe is a linux kernel file? Maybe it was written on Linux? Who knows.
o Further down is:
notepad %s
Message
This is consistent with the notepad screenshot on McAfee.com
o Then some more weirdness:
ghijklm
pqrstNwxyzg
ABCDEFGHIJKLMNOPQRST
I guess this cracker knows the alphabet. I am impressed!
o More funniness:
Sack_i
smith[C
&joe?neo/
Matrix fan?
o gold-Pxc
I guess this is reference to the electronic banking system it attacks
o Further down:
USERPROFI
Going for the registry I see...
o More sequences
ASCII
r=it f
0aA!0123456789+
My guess is that the sequences are character food for the random message generator
o Towards the end:
Libra
I guess this hacker is indecisive
o Finally, it wraps up with a list of windows dlls and function names.
-ghostis
our comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.our comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted. lameness filter food
How I imagine things (Score:5, Funny)
Cut to the labs of the antivirus companies:
Sir! The new virus seems to launch a DDoS against sco.com!
REALLY? Great work! Now
Take a 2 day lunch.
from scoreport.com: (Score:5, Interesting)
ARE YOU IDIOTS INSANE?
(FYI, I am a college student, U of W @ Madison) I didn't hear about this new virus until now. But at about 4:30 PM today, I get this email from an attractive, intelligent female friend of mine from high school. She goes to Knox College in Illinois. (Let's call her Kristin) The email is listed below in it's entirety, but basically it says watch out for this new virus. So I figure, OK, maybe some stupid Bagle (Beagle, whatever) virus variation has come out, and computer illiterate college students haven't figured out how to push the big Update button on their virus scanners. No biggie.
So late evening, around 6:30 PM, I go to a student government meeting (contrary to published doctrine, some college students actually give a shit about what's happening in the world.) I get back, check
Now, I think everyone here knows I dislike SCO. I own websites that are anti-them (Check my sig, the scolawsuit.com link above, and Litigiousbastards.com linking campaign [litigiousbastards.com]. But this is not the type of publicity we need. This gives SCO more ammunition, when it needs less. Guess what? The public equates viruses like this to terrorism. The average Joe Sixpack will think "Oh, this poor company's getting hurt by terrorism! These gosh darn Linux assholes are terrorists!" Can you say Guantanamo Bay?
If you want to DOS someone, do something constructive like sending an email to a Congressman/woman, donate to Groklaw.
(And yes, I must admit, and in the spirit of fairness, I was laughing out loud when I saw this article)
My friend's letter:
Hey everyone - Just something you might want to be aware of even with the virus protection software that you have. School is going well, and I am really enjoying myself here. I have a lot of work, but I am having fun. I even had a bat in my room, which was interesting. Ok, time to go back and do homework.
Kristin
=Original Message=
From: "M. Sean Riedel"
Date: Mon, 26 Jan 2004 15:59:33 -0600
A new virus, yet to be named, is spreading quickly and has slipped by many AntiVirus applications. If you have received a message with the following parameters, delete it immediately without opening the attachment. You will only become infected if you open the attachment.
The common factor in its profile is that it carries an unsolicited attachment. So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl" attached to messages all with either the
As always, if you receive messages with attachments from anyone you do not know or unexpected attachments from people you do know, don't open them. If the message is from an unknown party, just delete it. If it is from someone you know, verify with that person that the attachment was intended since many viruses will forge the sender.
M. Sean Riedel
Computer Center
Knox College
DDOS active Feb. 1 - 12th. (Score:5, Interesting)
SCO hasn't been attacked yet. It doesn't kick in until Feb 1st and then it doesn't even go for two weeks.
How kind of virus writers to put a time cap on how long it does damage.
Re:Dark Side of Linux Developers (Score:3, Insightful)
What goes on?
http://www.cert.org/advisories/CA-2003-21.html
http://news
http://www.trusecure.com/kno
I see a pattern forming and it ain't pretty.
Comment removed (Score:4, Interesting)
Re:Dark Side of Linux Developers (Score:4, Informative)
Linux in Air Traffic Control [linuxjournal.com]
Re:Oh no (Score:5, Insightful)
Why on earth would you assume that it would be some fringe Linux zealot? It could be a pissed off SCO employee, an investor, someone from IBM, any number of UNIX developers. SCO pissed off a lot of people and you don't actually HAVE to use Linux or even care about it to be smart enough to exploit a dumbass Windows user's gullibility.
The only thing more blatantly paranoid than YOUR comment would be to say that Darl himself wrote and released it to make people like you say things like that. Except, Darl is a meathead and I doubt he can spell his own name, so I doubt he wrote it.
Re:Oh no (Score:3, Interesting)
a.) The fringe Linux zealots are upset enough to do something like that.
b.) An SCO employee, investor, or somebody from IBM isn't going to attract legal attention.
c.) There aren't many people who'd prioritize an attack on SCO over
It'd be moronic for a Linux zealot to not be at the top of the suspects list f
Re:Oh no (Score:5, Insightful)
I'm not so sure, this was obviously done by a WINDOWS hacker. Most of the Linux hackers I know have no freaking idea about MS Windows internals and they honestly don't even care for that sort of "knowledge".
Re:Oh no (Score:5, Funny)
No, he doesn't; it's a Windows virus, not a Linux virus.
Windows == terrorism
Proof that Windows is a danger to national and economic security.
Re:SCO is down (Score:5, Funny)
Re:Bad example... (Score:3, Funny)
So who has the motivation? People who've shorted SCO stock and need it to fall, so they can cover their position. People who've invested in SCO and need a reason to sell off without explaining that they bought into something stupid. Not us.
Re:Bad example... (Score:5, Funny)
Humour aside, if that was the intention of the virus, it should bring down the SCO email server (mail.sco.com) as well as www.sco.com. This would hurt sales and cause a major inconvenience.
SCO's lawyers are probably 'creating' a lawsuit as we speak - claiming the portions of the virus are SCO IP. (Which is just as believable as Linux containing SCO's code.)
SCO could also have written the virus - to hurt the image of their competition.
Re:Also arrives as a zipped executable! (Score:5, Funny)
Then you unzip it.
Then you execute it.
Why do the virus writers even bother writing code? If people are willing to do all that, it sounds like the next virus will consist solely of the text:
"Pick a friend at random. Go over to his house and bash his computer with a sledge hammer."
Re:Why do people keep clicking... (Score:5, Interesting)
Because clicking on an attachment shouldn't do anything. Only a fascist pig with a read-only mind would think it even a remotely good idea for an email client (note: "email client", as in handles email. The term, "program launcher" isn't expressed or implied anywhere in there) to load and launch an attachment.
There are very narrow cases where it's okay to do something. If its MIME type is text/plain, it's okay to display it. If it's MIME type is text/html, it might be okay to display it (providing you block JavaScript execution). If it's a media file (image/whatever, audio/whatever), then it's probably okay to launch a viewer or display it inline. If it's a compressed archive, it's probably okay to display a listing of its contents (automatically unpacking it is right out). And finally, if it's executable, a warning should be displayed before you allow the user to save -- not launch, save -- the attachment.
Always believe the MIME type. If the filename extension and the MIME type conflict, and you are saddled with an OS designed by orangutans where the three character extension of the filename determines its type, then append to the filename the OS's local extension representing that MIME type before handing off for subsequent interpretation.
Despite how many times The Finest Engineers Working In The Industry have fscked this up, this is not, and never has been, rocket science.
Schwab
Working (and selective) procmail recipe (Score:4, Informative)
* ^ *Content-Disposition: attachment;
* filename="(message|body|document|doc|data|readme|
Re:Call me stupid, but... (Score:4, Informative)