
New Computer Virus Hits High Outbreak Level


george


MyDoom virus hammering Windows systems

NEWS BRIEF: New virus hits high outbreak level

A new virus, W32/Mydoom@MM, also known as Mydoom, made its appearance on Monday, and quickly earned itself a high outbreak assessment from Network Associates’ McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team).

“AVERT says it’s receiving a very large number of samples from corporate and home users alike,” said Jack Sebbag, Canadian General Manager and Vice President of Network Associates. “That’s why it’s been raised from medium to high. The infection is spreading at a very rapid rate.”

Mydoom is a mass mailer, which won’t delete files, and it requires you to click proactively on the attachment, which isn’t even disguised in a particularly cunning fashion. But Sebbag noted that there always seem to be people with too much time on their hands who manage to trigger the virus.

There doesn’t seem to be a clear pattern in the subject lines or text. It arrives in an email message as follows:

From: (spoofed)

Subject: (random)

Body: (varies, such as) "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Attachment: (varies: .exe, .pif, .cmd, .scr). It often arrives in a ZIP archive. The icon used by the file tries to make it appear as if the attachment is a text file. The one thing that is constant, Sebbag said, is its size, 22,528 bytes.

When this file is run it copies itself to the local system with the following filenames:

c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr

c:\WINDOWS\Desktop\Document.scr

c:\WINDOWS\SYSTEM\taskmon.exe

It also uses a DLL that it creates in the Windows System directory:

c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127, suggesting remote access capabilities.

“It may have keystroke logging attached to it to let someone take over your OS,” Sebbag said. “It does have that capability.”

Upon executing the virus, Notepad is opened, filled with nonsense characters. The file will try to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

--Agencies 2004-01-27

SECOND UPDATE

A new Windows virus, called MyDoom (officially, W32/Mydoom@MM) and circulating in the form of a 32K Zip file, began hitting corporate and private e-mail boxes Monday at about 1 p.m. Pacific Standard Time. It masquerades as a Kazaa P2P component and tries to embed itself in the Kazaa shared folder for music and other file-swapping.

The virus, also known as Novarg and Shimgapi, apparently affects only Windows 95 systems and later. Macintosh, Linux, UNIX, Windows 3.X, DOS, and OS/2 systems are not affected.

It was quickly spreading Monday through email and the Kazaa network, the latter of which averages anywhere from 2 million to 5 million users at any given time.

F-Secure, an Internet security software maker based in Finland, came out with a detailed report later Monday afternoon in which it said "the worm opens Notepad with garbage data in it. It also attacks SCO.com with a DDoS-attack."

As of 5:15 p.m. PST, the SCO Group's Web site was up and running despite the threat.

"In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses," Network Associates vice-president Vincent Gullotto told C/net. Network Associates is the maker of McAfee Security antivirus software.

Once the virus is embedded in a computer, it installs a program that allows the computer to be controlled remotely. The PC then starts sending data to the SCO Group's Web server, a Symantec spokesman told C/net. Cupertino, Calif.-based Symantec also published a detailed report.

McAfee posted one of the first analyses of the worm Monday afternoon. The virus package, which contains an infected .pif, .scr, .exe, or .cmd file, is sent from spoofed email addresses. Early on it usurped the names of familiar IT-related sites, including NewsForge.com, The Street.com, PCMag.com, Circuitnet.com, AOL.com, FoxNews.com, BEA.com, and Yahoo.com. The virus takes addresses from an infected machine's Outlook address book.

Some of the infected files come disguised as "Mail Delivery System" messages, or error messages. Often there are no headers on them or type in the message field.

The icon used by the file tries to make it appear as if the attachment is a text file, McAfee says in its description. When the file is run, it copies itself into the computer registry to hook the computer startup. From there it creates a DLL in the Windows system directory and opens a connection on TCP port 3127, suggesting remote access capabilities, McAfee said.

Upon executing the virus, Notepad is opened, filled with nonsense characters. Security experts continue to examine the package.

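A mail-gateway triage check built from the indicators in the report above (executable attachment types, ZIP wrapping, the constant 22,528-byte size). This is an added example, not code from the page or from any vendor named in it; the sample message, sender address and file names are constructed, and the attachment bytes are inert zeros.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Indicators from the analysis above: executable extensions, zip wrapper,
# and the constant 22,528-byte payload size.
RISKY_EXTS = (".exe", ".pif", ".cmd", ".scr")
MYDOOM_SIZE = 22528

def _risky_name(name):
    return (name or "").lower().endswith(RISKY_EXTS)

def triage(raw_bytes):
    """Return (filename, reason) findings for one RFC 822 message."""
    findings = []
    for part in email.message_from_bytes(raw_bytes).walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if _risky_name(name):
            findings.append((name, "executable attachment"))
        if len(payload) == MYDOOM_SIZE:
            findings.append((name, "22,528-byte payload"))
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if _risky_name(info.filename) or info.file_size == MYDOOM_SIZE:
                            findings.append((name, "zip member " + info.filename))
            except zipfile.BadZipFile:
                findings.append((name, "zip attachment failed to parse"))
    return findings

def build_sample():
    """Constructed sample: bounce-style body, zip holding an inert .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"\x00" * MYDOOM_SIZE)  # constructed bytes
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"  # placeholder; spoofed in the wild
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message cannot be represented in 7-bit ASCII "
                    "encoding and has been sent as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

Calling `triage(build_sample())` flags the ZIP because of the .scr inside it; a plain-text message with no attachment returns no findings.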


Guest IT Manager

By 10.00 AM this morning (Tuesday), we had seen over 800 strikes on our e-mail server.

I set to delete all zip files, then advised staff to let their clients know all zips would be removed until further notice.

Still straggling in now, but it sure was a wild start to the day. One customer was complaining he couldn't open Hotmail. Seems no-one could. :o


eEye Offers Free Scanning Tool to Detect Email Virus Infection

eEye® Digital Security released a free scanning tool to detect the MyDoom email virus. This virus, which has propagated quickly, could significantly impact network services worldwide.

Systems Affected

All current versions of Microsoft Windows 95, 98, ME, NT, 2000, and XP.

Potential Impact

This mass-mailing virus targets from a list of email subjects, message bodies, and attachment file names. The virus, once executed, spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users of the infected machines. Upon infecting a computer, the worm will set up a backdoor into the system by opening a TCP port (port 3127 or next available up to 3198), which could allow an attacker to connect to the computer and gain access to its network resources. The backdoor could also allow for the upload and execution of arbitrary files.

Severity Rating: Critical

According to MessageLabs Inc., which scans email for viruses, during the peak infection rate one in every twelve messages sent over the Internet contained the virus, called "MyDoom" or "Novarg". Because of the enormity of this mass email infection, every Windows machine that possesses email capability is vulnerable.

Combating This Virus

Please use an antivirus tool of your choice. The most effective way to identify affected systems is to scan using eEye’s Retina Network Security Scanner, or the free Retina MyDoom scanning utility, which was made available today at:

Retina MyDoom scanning utility


Worm 'launches itself when email opened'

The Mydoom.B computer virus proliferated by users opening e-mail, even if they left attachments closed, making it more virulent than its predecessors, according to Finnish anti-virus firm F-Secure official Mikko Hyppoenen.

"Some variants of the Mydoom.B version will run automatically from the e-mail," he said yesterday. "It's enough to just open and read the mail."

Its predecessor, MyDoom, has likewise continued its spread across the Internet, clogging up e-mail traffic and reducing productivity, experts warned.

Computer security companies warned people not to open any suspicious attachments in official-looking e-mail messages.

Since appearing earlier this week, the worm, also dubbed Novarg or Shimgapi, has infected computers across the globe by enticing users to open a file attachment which releases a program potentially allowing other attackers to gain unauthorised access.

Computer security vendor Symantec said attackers were already trolling the Web for infected computers so they could be used to launch new attacks.

One tactic would be to use spam to spread the virus, experts said.

--Agencies


"Some variants of the Mydoom.B version will run automatically from the e-mail," he said yesterday. "It's enough to just open and read the mail."

That probably only applies to people using Outlook Express, with the preview feature turned on. Users with email programs such as Eudora should be OK, especially if they rename the folder to which attachments go.


That probably only applies to people using Outlook Express, with the preview feature turned on.

Outlook Express and regular Outlook are both vulnerable; there are security settings under Options to easily restrict it and other nasty shit. I use both email programs: Outlook restricted all the way, set with security turned up full to filter out the spam, and Outlook Express with a different email address if someone wants to send an attachment. Eudora, depending on your version, can be spread-eagled, but I shouldn't mention too much as this is not a security forum.
