DJ Source Online - DJ Idea Sharing - Main Forum
#1  Glen Millar (Senior Member)  01-26-2004, 11:30 PM

This is a copy of an email we sent to all of our Hosting clients today

[quote]
We wish to advise you that there is a new virus out there that just started making rounds today (26/1/2004). This new worm/virus is called W32/Mydoom@MM and the Security threat rating on this is HIGH. It comes via Email and will have an attachment.

This is a mass-mailing worm that arrives in an email message as follows:


From: (spoofed)
Subject: (Random)
Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The message contains Unicode characters and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file

The attachment is a zip file and will be named document.pif, document.zip or text.zip, among others, and is about 22 to 33 KB in size. Delete these emails without opening them. Virus scanners MAY NOT detect the virus yet as this is a very new one.

This virus has been sending itself en masse today. We have seen at least 30 of these emails in just one of our accounts. As well, we have had clients mention that they are receiving emails advising that they have sent an email which is infected. This in fact is not correct; the virus is spoofing the email address.

When this file is run it copies itself to the local system with the following filenames:

C:\Program Files\KaZaA\My Shared Folder\activation_crack.scr

%SysDir%\taskmon.exe

(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:

%SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.

AVERT is currently analyzing this threat. Details will be posted as they are available.

Indications of Infection

Upon executing the virus, Notepad is opened, filled with nonsense characters.

Existence of the files and registry entry listed above

Method of Infection

This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

wab
adb
tbb
dbx
asp
php
sht
htm
txt

Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses.

Another VERY similar virus is W32.Novarg.A@mm which is a mass-mailing worm and classed as a Category 4 Virus (HIGH) by Symantec. The worm will also arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm also contains functionality to perform as a proxy server. It listens on all TCP ports in the range 3127-3198. Full details on this virus are available at http://sarc.com/avcenter/venc/data/w32.novarg.a@mm.html


This worm is expected to perform a DoS starting on February 1, 2004. On February 13, 2004 the worm has a trigger date to stop spreading.

If you use Outlook or Outlook Express, it is highly recommended that you disable the Preview pane as a further precaution against viruses.

Glen Millar
iTec Hosting Services
Systems Administrator
[/quote]

Be careful surfing today....especially with mail
__________________
Glen Millar
DJ Tech World...Tech Talk (and More) for Today's Professional DJ: http://forum.djworldchat.com
Site Administrator: A whole bunch of DJ related and Non-DJ related sites
Technical Administrator: A whole bunch of DJ related and Non-DJ related sites

Music moves the body, mind and spirit. Let our music move you
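The lure traits the advisory above lists (the bounce-lookalike body text, an executable attachment or a ZIP wrapping one, and the generic document/message/text attachment names) are enough to build a gateway-side filter. The following is an added example, not code from the post, from iTec Hosting or from McAfee; the sample messages, the sender and recipient addresses, and the three-level verdict are assumptions made for the demo, and the attachment bytes are inert filler.

```python
"""Gateway-side triage for MyDoom-style lure messages.

Added example; not code from the forum post, iTec Hosting or McAfee.
It parses an RFC 822 message and scores it against the traits listed in
the advisory: the bounce-lookalike body text, an attachment with an
executable extension, a ZIP that wraps one, and the generic attachment
stems the thread reports (document, message, text). Sample messages are
constructed here; their attachment bytes are inert filler, not worm code.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".pif", ".cmd", ".scr", ".bat"}       # extensions named in the thread
LURE_BODIES = (                                              # body text variants from the advisory
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
LURE_STEMS = {"document", "message", "text"}                 # attachment stems seen in the thread
QUARANTINE_PREFIXES = ("exec-attachment", "zip-wrapping-exec", "zip-unreadable")


def _ext(name):
    return name[name.rfind("."):] if "." in name else ""


def _stem(name):
    return name.split(".")[0]


def inspect_attachments(msg):
    """Yield (filename, zip_members) per attachment; zip_members is [] unless the part is a ZIP."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        members = []
        if _ext(name) == ".zip":
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = [m.lower() for m in zf.namelist()]
            except zipfile.BadZipFile:
                members = None                               # corrupt ZIP: cannot be cleared, so flag it
        yield name, members


def triage(raw):
    """Return (verdict, indicators); verdict is 'clean', 'suspicious' or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(phrase in body for phrase in LURE_BODIES):
        indicators.append("lure-body")
    for name, members in inspect_attachments(msg):
        if _ext(name) in EXEC_EXTS:
            indicators.append(f"exec-attachment:{name}")
        if members is None:
            indicators.append(f"zip-unreadable:{name}")
            members = []
        for m in members:
            if _ext(m) in EXEC_EXTS:
                indicators.append(f"zip-wrapping-exec:{name}/{m}")
        if _stem(name) in LURE_STEMS or any(_stem(m) in LURE_STEMS for m in members):
            indicators.append(f"lure-name:{name}")
    if any(i.startswith(QUARANTINE_PREFIXES) for i in indicators):
        return "quarantine", indicators
    return ("suspicious" if indicators else "clean"), indicators


def build_message(subject, body, attachment_name, payload, zip_member=None):
    """Construct a demo message; with zip_member, payload is wrapped in a ZIP under that name."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"                   # placeholder; the worm spoofed harvested addresses
    msg["To"] = "dj@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if zip_member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, payload)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment_name)
    else:
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a MyDoom-shaped lure and an ordinary message.
LURE = build_message(
    "Mail Delivery System",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "message.zip", b"placeholder bytes, not a worm " * 800, zip_member="message.pif")
BENIGN = build_message("Saturday setlist", "Setlist for Saturday attached.",
                       "setlist.txt", b"1. Opening set\n2. Dinner\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, *triage(raw))
```

Executable attachments are quarantined regardless of body text, because the advisory notes that scanners may not yet have a signature; the body-text match alone only raises the message to "suspicious", since a genuine bounce can carry the same wording. A corrupt ZIP is also quarantined rather than passed, since a filter that cannot open an archive cannot clear it.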
#2  Glen Millar (Senior Member)  01-27-2004, 03:27 AM

Here is an update

A new Windows virus, called MyDoom (officially, W32/Mydoom@MM) and circulating in the form of a 32K Zip file, began hitting corporate and private e-mail boxes Monday at about 1 p.m. Pacific Standard Time. It masquerades as a Kazaa P2P component and tries to embed itself in the Kazaa shared folder for music and other file-swapping.

The virus, also known as Novarg and Shimgapi, apparently affects only Windows 95 systems and later. Macintosh, Linux, UNIX, Windows 3.X, DOS, and OS/2 systems are not affected.

It was quickly spreading Monday through email and the Kazaa network, the latter of which averages anywhere from 2 million to 5 million users at any given time.

F-Secure, an Internet security software maker based in Finland, came out with a detailed report later Monday afternoon in which it said "the worm opens Notepad with garbage data in it. It also attacks SCO.com with a DDoS-attack."

As of 5:15 p.m. PST, the SCO Group's Web site was up and running despite the threat.

"In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses," Network Associates vice-president Vincent Gullotto told C/net. Network Associates is the maker of McAfee Security antivirus software.

Once the virus is embedded in a computer, it installs a program that allows the computer to be controlled remotely. The PC then starts sending data to the SCO Group's Web server, a Symantec spokesman told C/net. Cupertino, Calif.-based Symantec also published a detailed report.

McAfee posted one of the first analyses of the worm Monday afternoon. The virus package, which contains an infected .pif, .scr, .exe, or .cmd file, is sent from spoofed email addresses. Early on it usurped the names of familiar IT-related sites, including NewsForge.com, The Street.com, PCMag.com, Circuitnet.com, AOL.com, FoxNews.com, BEA.com, and Yahoo.com. The virus takes addresses from an infected machine's Outlook address book.

Some of the infected files come disguised as "Mail Delivery System" messages, or error messages. Often there are no headers on them or type in the message field.

The icon used by the file tries to make it appear as if the attachment is a text file, McAfee says in its description. When the file is run, it copies itself into the computer registry to hook the computer startup. From there it creates a DLL in the Windows system directory and opens a connection on TCP port 3127, suggesting remote access capabilities, McAfee said.

Upon executing the virus, Notepad is opened, filled with nonsense characters. Security experts continue to examine the package.
#3  Professor Jam (Moderator)  01-27-2004, 06:59 AM

I've been bombed with almost 100 messages containing this worm...

No open on my end - I never open attachments

Thank You For sharing
#4  Professor Jam (Moderator)  01-27-2004, 10:15 AM

Another 82 deleted after my last post....
#5  DJMC (Senior Member, Northern California)  01-27-2004, 11:19 AM

I've seen and deleted dozens of them.

Some of the addresses seem to come from the music industry, particularly those who download music.
#6  Professor Jam (Moderator)  01-27-2004, 11:54 AM

Just deleted 21 more.... I've been watching the From lines and it's covering a lot of approaches to trick us.
#7  HeadlineDJ (Senior Member, UK)  01-27-2004, 12:34 PM

Only had the one..

and my Virus platform was already ready for it :)

#####################################################################################
# Panda Antivirus Platinum warning
# The file message.pif inside: message.zip was infected by the virus W32/Mydoom.A.worm and has been disinfected
#####################################################################################
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


Panda is very good, and very under noticed by many.

I have an online scanner if anyone wants to scan their machine to see if it finds anything..

anti virus scanner

Scanner is second icon down in center!
__________________
Technologically Yours,

HeadlineDJ
#8  Jim Casey (Moderator, South Portland, Maine)  01-28-2004, 08:20 AM

Phil...THANKS for the link to the virus scanner!

I'm proud to say that of 118,023 files, I had zero viruses on my laptop

I must say I have never seen a virus as annoying as this one. I had to delete over 40 just yesterday, 8 this morning
__________________
Jim Casey
Jim Casey Entertainment
www.djmaine.com

DJ Source Online Administrator
http://www.djsourceonline.com

Maine Disc Jockey Network Co-Founder
http://www.maineweddingdj.net

Maine Wedding Planner Owner
http://www.maineweddingplanner.com
#9  Glen Millar (Senior Member)  01-29-2004, 06:15 PM

Sophos virus experts have analysed and issued protection against W32/MyDoom-B, a new variant of the MyDoom worm.

The W32/MyDoom-B worm operates in a similar way to its predecessor, travelling via email attachments and the KaZaA file-sharing network. Unlike its predecessor, the worm attempts to stop infected computers from browsing anti-virus websites.

Between 1 February and 1 March 2004, there is a 20% chance that the worm will attempt a denial of service attack against www.sco.com, sending numerous GET requests to the web server. Between 3 February and 1 March 2004 there is a 30% chance that the worm will attempt the same denial of service attack against www.microsoft.com.

"Currently we do not believe that this new variant poses as high a risk as the now infamous original W32/MyDoom-A worm, but we will continue to monitor the situation," said Graham Cluley, senior technology consultant for Sophos. "It seems possible that this new version of the MyDoom worm is written by the same person. If convicted they could face severe punishment by the authorities."

"All internet users should ensure their computers have the latest anti-virus updates and are properly secured behind firewalls," continued Cluley.
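The thread gives two network-visible traits of the worm: the backdoor/proxy listener on TCP 3127-3198 (post #1) and the GET floods against www.sco.com and www.microsoft.com (posts #1 and #9). The following is an added example, not code from the forum, Sophos or any other vendor: it runs both checks over constructed connection and proxy log lines. The log formats, the 10.0.0.0/8 site range, and the 20-requests-in-60-seconds burst threshold are assumptions for the demo.

```python
"""Network-side checks for the MyDoom traits discussed in this thread.

Added example; not code from the forum, Sophos or any other vendor. The
log formats are invented for the demo. Two checks: (1) an inbound TCP
connection from outside the site to an internal host on 3127-3198, the
range given for the worm's backdoor/proxy listener; (2) a burst of HTTP
GETs from one internal host to www.sco.com or www.microsoft.com, the
DoS targets named in the thread. Site range, burst size and window are
assumptions and would be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")         # assumed site address range
BACKDOOR_PORTS = range(3127, 3199)          # 3127-3198 inclusive, per the thread
DOS_TARGETS = {"www.sco.com", "www.microsoft.com"}
BURST_COUNT, BURST_WINDOW_S = 20, 60        # assumed: 20 GETs to one target within 60 s

# Invented formats: "<date> <time> TCP <src>:<sport> -> <dst>:<dport> SYN"
CONN_RE = re.compile(r"^(\S+ \S+) TCP (\S+):(\d+) -> (\S+):(\d+) SYN$")
#                    "<date> <time> <client> GET http://<host>/<path> <status>"
HTTP_RE = re.compile(r"^(\S+ \S+) (\S+) GET http://([^/\s]+)\S* \d+$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def backdoor_hits(conn_lines):
    """Internal hosts that received an inbound SYN on the backdoor range from outside the site."""
    hits = set()
    for line in conn_lines:
        m = CONN_RE.match(line)
        if not m:
            continue                                    # not a connection record; skip
        _, src, _, dst, dport = m.groups()
        dport = int(dport)
        if dport in BACKDOOR_PORTS and ip_address(dst) in INTERNAL and ip_address(src) not in INTERNAL:
            hits.add((dst, dport))
    return sorted(hits)


def dos_bursts(http_lines):
    """(client, target) pairs that issued BURST_COUNT GETs to a DoS target inside BURST_WINDOW_S seconds.

    Lines are assumed to be in time order per client, as a proxy log would be.
    """
    recent = defaultdict(deque)                         # sliding window of timestamps per (client, target)
    flagged = set()
    for line in http_lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        ts, client, target = m.groups()
        if target not in DOS_TARGETS:
            continue
        window = recent[(client, target)]
        now = parse_ts(ts)
        window.append(now)
        while (now - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()                            # drop requests older than the window
        if len(window) >= BURST_COUNT:
            flagged.add((client, target))
    return sorted(flagged)


def _stamp(base, seconds):
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample logs.
T0 = datetime(2004, 2, 1, 0, 0, 0)
CONN_LOG = [
    f"{_stamp(T0, 1)} TCP 192.0.2.9:51234 -> 10.0.0.5:3127 SYN",     # outside -> internal, bottom of range
    f"{_stamp(T0, 2)} TCP 10.0.0.7:40000 -> 10.0.0.5:3128 SYN",      # internal -> internal, ignored
    f"{_stamp(T0, 3)} TCP 198.51.100.4:4444 -> 10.0.0.9:3198 SYN",   # top of range
    f"{_stamp(T0, 4)} TCP 198.51.100.4:4445 -> 10.0.0.9:3199 SYN",   # one past the range, ignored
    f"{_stamp(T0, 5)} TCP 203.0.113.2:1024 -> 10.0.0.5:80 SYN",      # ordinary web hit
]
HTTP_LOG = (
    [f"{_stamp(T0, 60 + i)} 10.0.0.5 GET http://www.sco.com/ 200" for i in range(25)]           # 25 GETs in 25 s
    + [f"{_stamp(T0, 60 + i)} 10.0.0.7 GET http://www.sco.com/ 200" for i in range(0, 600, 40)]  # one every 40 s
    + [f"{_stamp(T0, 120)} 10.0.0.8 GET http://www.example.com/ 200"]                            # not a DoS target
)

if __name__ == "__main__":
    print("backdoor listeners:", backdoor_hits(CONN_LOG))
    print("DoS bursts:", dos_bursts(HTTP_LOG))
```

The backdoor check is keyed on inbound connections from outside the site rather than on the port alone, since an internal client that happens to use a source port in that range is not evidence of anything. The burst check uses a per-client sliding window so that a host browsing the target at a normal rate (one request every 40 seconds in the sample) is not flagged; the threshold here is a placeholder and would be set from the site's normal traffic to those domains.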
 