-
January 26th, 2004, 11:46 PM
#1
Tech-To-Tech Mod
w32.novarg.A@mm
UPDATE DEFINITIONS PEOPLE!!!!
this sucker is on the loose.
The distribution is pretty slick. I got one email today that I recognized as a potential virus, complete with .scr attachment. I didn't open it. Then later I got another email that said a status message I had sent to a recipient I didn't know had a virus, and that I was to run a scanner or contact my IT department; the body was supposedly attached. . . . . Almost got me.
I did LiveUpdate on my NAV Corporate, then opened the body.zip file, and as I suspected it contained this little bugger, which was just discovered today. . . . Hope nobody gets hit too hard.
just wanted to give the heads up.
Nonsense prevails, modesty fails
Grace and virtue turn into stupidity - E. Costello
-
January 27th, 2004, 08:55 AM
#2
Registered User
Got slapped by this guy yesterday here too.
It spoofs the sender's address, which I think is a first in mass mailer infectors.
Highly original.
Very creative.
Its designer should die.
It's also known as MyDoom and MiMail.R. This is what I got:
SUBJECT: Server Report
CONTENT: Mail transaction failed. Partial message is available.
ATT: Readme.zip
Even though I've switched from McAfee to Symantec recently, I must say that I like the Stinger McAfee has produced to zap this guy and a few others (Nachi, Klez, BugBear, Slammer, etc.).
Last edited by a d e p t; January 27th, 2004 at 08:57 AM.
-
January 27th, 2004, 10:18 AM
#3
Banned
Yeah, good heads up. This one is big news today...which may be too late for some. http://www.ajc.com/business/content/...04/26worm.html
New e-mail attack spreading rapidly
Associated Press
SAN JOSE, Calif. -- A malicious program attached to seemingly innocuous e-mails is spreading quickly over the Internet, clogging network traffic and potentially leaving hackers an open door to infected personal computers.
The worm, called "Mydoom" or "Novarg" by antivirus companies, usually appears to be an e-mail error message. A small file is attached that, when launched on computers running Microsoft Corp.'s Windows operating systems, can send out 100 infected e-mail messages in 30 seconds to e-mail addresses stored in the computer's address book and other documents.
The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.
"As far as I can tell right now, it's pretty much everywhere on the planet," Gullotto said.
Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.
Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers.
Network Associates did not find the keylogging program.
The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.
-
January 27th, 2004, 11:18 AM
#4
Registered User
Was getting flooded w/ the buggers until definitions were updated. I am the only smith at the company so any email addressed to smith@____.com was redirected to me, even though that's not my email address. Must be sending itself to random addresses.
-
January 27th, 2004, 12:26 PM
#5
Registered User
F-Secure also reports that apart from a backdoor, there is also a DDOS feature just for SCO.
Payload
When the machine is booted after the Sunday 1st of February at 16:09:18 (UTC) (always according to the infected system's clock), the worm will request the main page of the website www.sco.com roughly every second (1024 milliseconds) from each of the infected machines throughout the globe. The request is a simple "GET / HTTP/1.1", aimed to overload their webserver.
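A defender-side check for the request pattern quoted in the post above, as an added example that is not part of the original thread or of F-Secure's write-up: it scans web server log lines for clients that request the main page at a near-constant interval close to 1024 ms. The log format (epoch milliseconds, client IP, request line), the function names, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log format (not from the thread): <epoch_ms> <client_ip> "<request line>"
LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)"$')

def find_fixed_interval_clients(lines, period_ms=1024, tol_ms=100,
                                min_hits=8, min_ratio=0.8):
    """Return {client_ip: median_gap_ms} for clients that request "/" at a
    near-constant interval close to period_ms. Thresholds are illustrative."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "GET / HTTP/1.1":
            hits[m.group(2)].append(int(m.group(1)))
    flagged = {}
    for ip, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        near = sum(1 for g in gaps if abs(g - period_ms) <= tol_ms)
        if near / len(gaps) >= min_ratio:
            flagged[ip] = round(median(gaps))
    return flagged

def constructed_sample():
    """Constructed log lines; addresses are from documentation ranges."""
    base = 1075651800000  # arbitrary start time in epoch milliseconds
    lines = []
    # Periodic client: "GET /" about every 1024 ms with small jitter
    for k, jitter in enumerate([0, 12, -8, 30, 5, -15, 20, 0, 9, -4]):
        lines.append(f'{base + k * 1024 + jitter} 192.0.2.10 "GET / HTTP/1.1"')
    # Ordinary visitor: irregular gaps and mixed paths
    for off, path in [(0, "/"), (2300, "/products.html"), (9100, "/"),
                      (15400, "/support/"), (40200, "/")]:
        lines.append(f'{base + off} 198.51.100.7 "GET {path} HTTP/1.1"')
    # Regular but fast client (200 ms): periodic, yet not the described interval
    for k in range(10):
        lines.append(f'{base + k * 200} 203.0.113.5 "GET / HTTP/1.1"')
    return lines

if __name__ == "__main__":
    for ip, gap in find_fixed_interval_clients(constructed_sample()).items():
        print(f"{ip}: GET / about every {gap} ms")
```

Several infected hosts behind one NAT address interleave their requests, so their combined gaps will not match a single 1024 ms period; per-connection or per-source-port grouping would be needed there.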
-
January 27th, 2004, 02:42 PM
#6
Flabooble!
We got whacked too. Fun, fun.
-
January 28th, 2004, 06:52 AM
#7
College POP3 seems to be offline here, and after 11 copies got through before the AV was updated, I don't blame them. 2 hours and 12 infected emails. Seems SecurityFocus.com lists this as being in one out of every 12 emails right now, no wonder it's getting around.
-
January 28th, 2004, 09:48 AM
#8
Registered User
Yep...
 Originally Posted by kato2274
UPDATE DEFINITIONS PEOPLE!!!!
this sucker is on the loose.
The distribution is pretty slick. I got one email today that I recognized as a potential virus, complete with .scr attachment. I didn't open it. Then later I got another email that said a status message I had sent to a recipient I didn't know had a virus, and that I was to run a scanner or contact my IT department; the body was supposedly attached. . . . . Almost got me.
I did LiveUpdate on my NAV Corporate, then opened the body.zip file, and as I suspected it contained this little bugger, which was just discovered today. . . . Hope nobody gets hit too hard.
just wanted to give the heads up.
We had fun with it here yesterday. Why must people open attachments, especially those that they are not expecting, don't know what they are, etc?!?!?!?
Idiots...
Kenny P.
Visualize Whirled P.'s
-
January 28th, 2004, 10:31 AM
#9
I really hate this spoofing crap that has been going on with the last 2 viruses. Even if you are clean, you still get all this crap email and the users won't stop calling, so even if you did your job, you are still busy.
-
January 28th, 2004, 04:02 PM
#10
Registered User
Anyone read up on the version B that came out already?
-
January 28th, 2004, 04:24 PM
#11
Registered User
Just adds the added feature of trying to stop infected computers from browsing anti-virus websites.
I'm not even sure if this variant would require a new signature to be cleaned off with the previous version.
-
January 28th, 2004, 07:03 PM
#12
Registered User
Really, not a very good piece of programming overall. I mean, if your goal is to do evil and insidious things, your tool shouldn't shout to the world, "Look! I'm a virus! I'm a virus!" after the system is infected.
What amazes me about Novarg is you have to open the attachment, and most of the messages are pretty suspicious, to say the least. Hell, I have a broker who got a message from a large brokerage firm with the subject "Here's My New Baby Pictures" and he opened the file.
-
January 28th, 2004, 07:13 PM
#13
Registered User
 Originally Posted by hudsonsmith
Was getting flooded w/ the buggers until definitions were updated. I am the only smith at the company so any email addressed to smith@____.com was redirected to me, even though that's not my email address. Must be sending itself to random addresses.
Argh. The flipping thing is now using smith@____.com as a forged "from" address, so now I'm getting all the delivery failure reports too. Plus, although eSafe is stripping the payload, it's still passing all the emails. Now I'm trying to get the geniuses who maintain the Notes servers to stop it from redirecting all this cr@p to me. I must have deleted over 50 today.
-
January 28th, 2004, 07:52 PM
#14
Registered User
 Originally Posted by slgrieb
...What amazes me about Novarg is you have to open the attachment, and most of the messages are pretty suspicious, to say the least. Hell, I have a broker who got a message from a large brokerage firm with the subject "Here's My New Baby Pictures" and he opened the file.
Social engineering at its finest.
And to think this guy makes more than you do...
-
January 28th, 2004, 07:55 PM
#15
Registered User
My how things work out for the best! We had an ice storm here in Georgia that has shut down everything since early Monday, no power no heat no internet, nuthin. Finally got a room at Motel 6 w/ internet and heard about this virus and was able to take precautions after the power came back up before the internet did. Thanks for the heads ups fellas.