w32.norvag.A@mm
kato2274
January 26th, 2004, 11:46 PM
UPDATE DEFINITIONS PEOPLE!!!!
This sucker is on the loose. (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html)
The distribution is pretty slick. I got one email today that I recognized as a potential virus, complete with .scr attachment. I didn't open it. Then later I got another email that said a status message I had sent to a recipient I didn't know had a virus; I was to run a scanner or contact my IT department, and the body was supposedly attached... almost got me.
I did LiveUpdate on my NAV Corporate, then opened the body.zip file, which, as I suspected, contained this little bugger, which was just discovered today... hope nobody gets hit too hard.
Just wanted to give the heads up.
Stalemate
January 27th, 2004, 08:55 AM
Got slapped by this guy yesterday here too.
It spoofs the sender's address, which I think is a first in mass mailer infectors.
Highly original.
Very creative.
Its designer should die.
It's also known as MyDoom and MiMail.R. This is what I got:
SUBJECT: Server Report
CONTENT: Mail transaction failed. Partial message is available.
ATT: Readme.zip
Even though I've switched from McAfee to Symantec recently, I must say that I like the Stinger (http://vil.nai.com/vil/stinger/) McAfee has produced to zap this guy and a few others (Nachi, Klez, BugBear, Slammer, etc.)
TripleRLtd
January 27th, 2004, 10:18 AM
Yeah, good heads up. This one is big news today... which may be too late for some.
http://www.ajc.com/business/content/business/0104/26worm.html
New e-mail attack spreading rapidly
Associated Press
SAN JOSE, Calif. -- A malicious program attached to seemingly innocuous e-mails is spreading quickly over the Internet, clogging network traffic and potentially leaving hackers an open door to infected personal computers.
The worm, called "Mydoom" or "Novarg" by antivirus companies, usually appears to be an e-mail error message. A small file is attached that, when launched on computers running Microsoft Corp.'s Windows operating systems, can send out 100 infected e-mail messages in 30 seconds to e-mail addresses stored in the computer's address book and other documents.
The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.
"As far as I can tell right now, it's pretty much everywhere on the planet," Gullotto said.
Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.
Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers.
Network Associates did not find the keylogging program.
The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.
hudsonsmith
January 27th, 2004, 11:18 AM
Was getting flooded w/ the buggers until definitions were updated. I am the only Smith at the company, so any email addressed to smith@____.com was redirected to me, even though that's not my email address. Must be sending itself to random addresses.
Stalemate
January 27th, 2004, 12:26 PM
F-Secure also reports that apart from a backdoor, there is also a DDOS feature just for SCO.
Payload
When the machine is booted after the Sunday 1st of February at 16:09:18 (UTC) (always according to the infected system's clock), the worm will request the main page of the website www.sco.com roughly every second (1024 milliseconds) from each of the infected machines throughout the globe. The request is a simple "GET / HTTP/1.1", aimed to overload their webserver.
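Added example (not from the thread or from F-Secure): a small defender-side script that checks a clock reading against the trigger time quoted above and scans web access-log lines for clients issuing "GET / HTTP/1.1" at roughly one-second intervals, the pattern a www.sco.com admin would see from infected hosts. The log lines and IPs are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Trigger time from the F-Secure description above: 1 Feb 2004 16:09:18 UTC.
TRIGGER_UTC = datetime(2004, 2, 1, 16, 9, 18, tzinfo=timezone.utc)
# Common Log Format: client ip, ident, user, [timestamp], "request line", ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def trigger_passed(iso_utc):
    """True when an ISO-8601 clock reading (with offset) is at or past the trigger."""
    return datetime.fromisoformat(iso_utc) >= TRIGGER_UTC

def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req

def flag_periodic_root_gets(lines, min_hits=5, max_gap_s=2.0):
    """Return client IPs that sent "GET / HTTP/1.1" at least min_hits times with
    no gap larger than max_gap_s between consecutive hits. Logs have 1-second
    resolution, so a 1024 ms cadence shows as 1 s gaps with an occasional 2 s."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "GET / HTTP/1.1":
            hits[parsed[0]].append(parsed[1])
    flagged = set()
    for ip, stamps in hits.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(g <= max_gap_s for g in gaps):
            flagged.add(ip)
    return flagged

# Constructed sample log: one host hitting "/" every second, two benign hosts.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Feb/2004:16:10:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    for s in range(6)
] + [
    '198.51.100.7 - - [01/Feb/2004:16:10:00 +0000] "GET /index.html HTTP/1.1" 200 800',
    '198.51.100.7 - - [01/Feb/2004:16:10:30 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Feb/2004:16:10:03 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Feb/2004:16:10:04 +0000] "GET / HTTP/1.1" 200 512',
]
```

Running flag_periodic_root_gets(SAMPLE_LOG) returns {"192.0.2.10"}; the two sparse hosts are left alone, so the min_hits threshold is what keeps ordinary browsing out of the list.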
ilovetheusers
January 27th, 2004, 02:42 PM
We got wacked too, Fun, Fun.
noone
January 28th, 2004, 06:52 AM
College POP3 seems to be offline here, and after 11 copies got through before the AV was updated, I don't blame them. 2 hours and 12 infected emails. Seems SecurityFocus.com lists this as being in one out of every 12 emails right now; no wonder it's getting around.
kpataska
January 28th, 2004, 09:48 AM
UPDATE DEFINITIONS PEOPLE!!!!
This sucker is on the loose. (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html)
The distribution is pretty slick. I got one email today that I recognized as a potential virus, complete with .scr attachment. I didn't open it. Then later I got another email that said a status message I had sent to a recipient I didn't know had a virus; I was to run a scanner or contact my IT department, and the body was supposedly attached... almost got me.
I did LiveUpdate on my NAV Corporate, then opened the body.zip file, which, as I suspected, contained this little bugger, which was just discovered today... hope nobody gets hit too hard.
Just wanted to give the heads up.
We had fun with it here yesterday. Why must people open attachments, especially those that they are not expecting, don't know what they are, etc?!?!?!?
Idiots...
Kenny P.
Visualize Whirled P.'s
Cleetus
January 28th, 2004, 10:31 AM
I really hate this spoofing crap that has been going on with the last 2 viruses. Even if you are clean, you still get all this crap email and the users won't stop calling, so even if you did your job, you are still busy.
Miq
January 28th, 2004, 04:02 PM
Anyone read up on the version B that came out already?
Stalemate
January 28th, 2004, 04:24 PM
Just adds the added feature of trying to stop infected computers from browsing anti-virus websites.
I'm not even sure if this variant would require a new signature to be cleaned off with the previous version.
slgrieb
January 28th, 2004, 07:03 PM
Really, not a very good piece of programming overall. I mean, if your goal is to do evil and insidious things, your tool shouldn't shout to the world, "Look! I'm a virus! I'm a virus!" after the system is infected.
What amazes me about Novarg is you have to open the attachment, and most of the messages are pretty suspicious, to say the least. Hell, I have a broker who got a message from a large brokerage firm with the subject "Here's My New Baby Pictures" and he opened the file.
hudsonsmith
January 28th, 2004, 07:13 PM
Was getting flooded w/ the buggers until definitions were updated. I am the only Smith at the company, so any email addressed to smith@____.com was redirected to me, even though that's not my email address. Must be sending itself to random addresses.
Argh. The flipping thing is now using smith@____.com as a forged "from" address, so now I'm getting all the delivery failure reports too. Plus, although eSafe is stripping the payload, it's still passing all the emails. Now I'm trying to get the geniuses who maintain the Notes servers to stop it from redirecting all this cr@p to me. I must have deleted over 50 today.
Stalemate
January 28th, 2004, 07:52 PM
...What amazes me about Novarg is you have to open the attachment, and most of the messages are pretty suspicious, to say the least. Hell, I have a broker who got a message from a large brokerage firm with the subject "Here's My New Baby Pictures" and he opened the file.
Social engineering at its finest.
And to think this guy makes more than you do... :rolleyes:
jwhart
January 28th, 2004, 07:55 PM
My how things work out for the best! We had an ice storm here in Georgia that has shut down everything since early Monday: no power, no heat, no internet, nuthin. Finally got a room at Motel 6 w/ internet and heard about this virus, and was able to take precautions after the power came back up before the internet did. Thanks for the heads up, fellas.
TekkieFreak
January 29th, 2004, 10:22 AM
So far, we haven't gotten hit by any virus. I manage a mid-size multi-location company, but there are only about 20 people on PCs connected to the internet. I'm running Norton Corporate.
However, the problem I keep having is this.
One of our users apparently is in the address book of a computer infected with SoBig, I believe. He called me when he kept getting mail delivery errors from random AOL accounts he had never heard of or sent mail to. So, I thought the virus was on his machine. 3 scans and a SoBig removal tool later, I realized that his machine was not infected. Someone who had my user's address in his address book was infected. So, the infected guy was sending emails that were being spoofed to look like they were coming from my user.
So now, due to the rampant spreading of traffic and viral e-mail that "seems" to be coming from my user, AOL and AT&T are rejecting any e-mail from my domain. And let me tell you, it's a royal pain in the @$$ to get off of a blacklist like that.
kato2274
January 29th, 2004, 10:24 AM
So far, we haven't gotten hit by any virus. I manage a mid-size multi-location company, but there are only about 20 people on PCs connected to the internet. I'm running Norton Corporate.
However, the problem I keep having is this.
One of our users apparently is in the address book of a computer infected with SoBig, I believe. He called me when he kept getting mail delivery errors from random AOL accounts he had never heard of or sent mail to. So, I thought the virus was on his machine. 3 scans and a SoBig removal tool later, I realized that his machine was not infected. Someone who had my user's address in his address book was infected. So, the infected guy was sending emails that were being spoofed to look like they were coming from my user.
So now, due to the rampant spreading of traffic and viral e-mail that "seems" to be coming from my user, AOL and AT&T are rejecting any e-mail from my domain. And let me tell you, it's a royal pain in the @$$ to get off of a blacklist like that.
nice :rolleyes: :(
hudsonsmith
January 29th, 2004, 01:07 PM
So far, we haven't gotten hit by any virus. I manage a mid-size multi-location company, but there are only about 20 people on PCs connected to the internet. I'm running Norton Corporate.
However, the problem I keep having is this.
One of our users apparently is in the address book of a computer infected with SoBig, I believe. He called me when he kept getting mail delivery errors from random AOL accounts he had never heard of or sent mail to. So, I thought the virus was on his machine. 3 scans and a SoBig removal tool later, I realized that his machine was not infected. Someone who had my user's address in his address book was infected. So, the infected guy was sending emails that were being spoofed to look like they were coming from my user.
So now, due to the rampant spreading of traffic and viral e-mail that "seems" to be coming from my user, AOL and AT&T are rejecting any e-mail from my domain. And let me tell you, it's a royal pain in the @$$ to get off of a blacklist like that.
I'm in the same boat (as far as the spoofed headers, not the blacklist). Don't know how effective it's been, but I've been doing searches on the originating IP and complaining to the ISP. If the moron can't be bothered to clean the infection, let him get shut down.
charlescpc
January 30th, 2004, 12:10 AM
Was wondering.
The virus is supposed to come by email and install code to be activated later to send out email.
Question is: what harm does it do to the infected system? So, if I get infected, what sort of damage will occur to my machine?
Can the virus just be cleaned by a virus program?
Oh, by the way... yes, my virus definitions are up to date...
Stalemate
January 30th, 2004, 12:35 AM
By the time specific signatures were issued to detect and remove this virus, it had already started propagating.
It tries to send itself out so fast that it slows down local PCs and bogs down e-mail servers.
We used the McAfee Stinger (http://vil.nai.com/vil/stinger/) tool to check local machines suspected of infection while AV updates were being deployed, but in all only 3 users had opened the attachments. Even then, 265 instances had to be cleaned off the Exchange server.
Cave_Dweller
January 30th, 2004, 07:12 AM
The U.S. Department of Homeland Security just created the National Cyber Alert System to get the word about these things out faster.
I started a thread under "Security" with a link to their site.
We almost got ahead of this one at work. McAfee EPO pushed out the new Dats to around 600 machines, but skipped the other 1200. We had the problem resolved fairly quickly though and only ended up with a handful of infections.
MSBlast was a real wakeup call, the steps we took afterwards paid off on this one.
inferno_gn
January 30th, 2004, 03:08 PM
Hi there,
I don't open any attached files, virus or not. :) However, right now, Norton and McAfee (or any anti-virus software you need to pay for) are sure making a large sum of cash preying on the fears of users.
Even the Future Shop website took advantage of it.
Ju Leon...
ScoobySpike
January 30th, 2004, 04:10 PM
I have a file Windows/System/Shimgapi.dll that says it is infected but it will not clean it or delete it. I went to find the file myself and it is not there. Does anyone have any suggestions? :rolleyes:
geoscomp
January 30th, 2004, 04:23 PM
"Shimgapi.dll is a proxy-server; the worm opens a TCP port between 3127 and 3198 on the infected machine in order to receive commands. The backdoor function allows the creator of the worm to gain full access to the system. In addition to this, the backdoor can execute random files downloaded from the Internet. "
Make sure your computer is set to show hidden files and folders as well as system files and then look again... you may have to delete this one in safe mode.
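Added check (not from the thread or from any vendor): a script that parses Windows "netstat -an" output and reports TCP listeners inside the 3127 to 3198 range quoted above, so a suspect machine can be triaged while hunting for Shimgapi.dll. SAMPLE_NETSTAT is a constructed sample, not real output.

```python
import re

# Port range the backdoor listens on, per the description quoted above.
BACKDOOR_PORTS = range(3127, 3199)   # 3127..3198 inclusive

# TCP listener lines from Windows "netstat -an" (IPv4 or IPv6 local address).
LISTEN_RE = re.compile(r'^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$', re.IGNORECASE)

def is_backdoor_port(port):
    """True if a port falls inside the range the worm's backdoor uses."""
    return port in BACKDOOR_PORTS

def suspicious_listeners(netstat_output):
    """Return the sorted listening TCP ports found in the backdoor range.
    A hit is a lead, not proof: other software may use these ports, so confirm
    by checking which process owns the socket and whether Shimgapi.dll is loaded."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and is_backdoor_port(int(m.group(1))):
            ports.add(int(m.group(1)))
    return sorted(ports)

# Constructed sample (not real output): two in-range listeners among normal
# entries; the ESTABLISHED line to a remote :3150 must not be counted.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    [::]:3198              [::]:0                 LISTENING
  TCP    192.0.2.20:3200        0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1042        198.51.100.9:3150      ESTABLISHED
"""
```

suspicious_listeners(SAMPLE_NETSTAT) returns [3127, 3198]; on a real box, pipe the output of "netstat -an" into the function instead of the sample.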
NooNoo
January 30th, 2004, 04:33 PM
First kill the registry key so it's not loaded (even in safe mode), then reboot, then you can delete it.
DonJ
January 30th, 2004, 05:41 PM
W32.Novarg.A@mm Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html) It's from Symantec...makers of Norton Anti-Virus products.
Hope this works for all of you...let us know.
slgrieb
January 30th, 2004, 07:34 PM
The removal tool works fine, if you follow the instructions. I have only had to do a handful of removals for Novarg/MyDoom, so perhaps I finally have most of my customers listening to me when I talk about security. Or maybe I'm just lucky.
Anyway, as I said earlier, this worm is merely prolific, not great programming. When your system is infected, it is too obvious, too easy to remove, and doesn't do enough damage to get into the Hall of Fame.
I think the relevant comment is: "Nothing can be made fool-proof because the ingenuity of fools is limitless."
DSTech
February 3rd, 2004, 12:23 AM
Well, reading thru this thread has answered a problem that's been bugging me since last week, as I too received one of these spoofed-header "returned mails" and was thinking I had a virus, although AVG and Housecall found nothing and the system is also clean of ad/spyware and trojans. Also, searching my hard drive for suspicious file activity, I couldn't find anything.
I still have the email in my inbox for personal reference, however. I just happened to be scanning this thread as I was just on the phone with my sister's boyfriend, who got his computer all screwed up after trying to clean up a Mydoom infection on his own (he has no computer skills whatsoever). As I received the spoofed email last Tuesday, the 27th, which was just as this virus was gaining momentum, it appears I found the source in his infected computer with my email in his address book.
Now I just gotta see if I can walk him thru cleaning the virus from his system, and cleaning up the mess he made by installing McAfee while having Norton already installed when he calls me tomorrow. I hate doing support over the phone with someone who knows nothing about computers.....left that job 5 years ago :P
You guys are still my favorite!
DSTech (still a lurker here)
<<Edited for icky formatting>>
windrivers.com
Copyright WebMediaBrands Inc., All Rights Reserved.