monster
Citizen Username: Monster
Post Number: 101 Registered: 7-2002
| Posted on Tuesday, January 27, 2004 - 12:43 am: |    |
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

There is a new virus that was logged today, well yesterday, that is spreading fast; this is an email virus. Below is the info from McAfee, http://us.mcafee.com/virusInfo/default.asp?id=mydoom

Virus Characteristics
This is a mass-mailing worm that arrives in an email message as follows:
From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* The message contains Unicode characters and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
The icon used by the file tries to make it appear as if the attachment is a text file. When this file is run it copies itself to the local system with the following filenames:
* c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
* %SysDir%\taskmon.exe (Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It also uses a DLL that it creates in the Windows System directory:
* %SysDir%\shimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The worm opens a connection on TCP port 3127 suggesting remote access capabilities. AVERT is currently analyzing this threat. Details will be posted as they are available.

Indications of Infection
* Upon executing the virus, Notepad is opened, filled with nonsense characters.
* Existence of the files and registry entry listed above

Method of Infection
This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present. The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
* wab
* adb
* tbb
* dbx
* asp
* php
* sht
* htm
* txt
Additionally, the worm contains strings which it uses to randomly generate, or guess, addresses.

Removal Instructions
The following EXTRA.DAT packages are available.
* EXTRA.DAT http://a64.g.akamai.net/7/64/2015/2004-01-25-06-/download.nai.com/products/mcafee-avert/100983b.zip
* SUPER EXTRA.DAT http://a64.g.akamai.net/7/64/2015/2004-01-25-06-/download.nai.com/products/mcafee-avert/sdat100983b.exe

Aliases
Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32/Shimg (CA), WORM_MIMAIL.R (Trend)
|
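An added example, not from the thread or from McAfee: a Python check that tests a host for the indicators listed above (the dropped files, the TaskMon Run value and TCP port 3127) and, as later posts in the thread stress, deliberately ignores mailbox bounces. The snapshot format, the %SysDir% value and the two sample hosts are assumptions constructed for the example.

```python
"""MyDoom.A host-indicator check, based on the McAfee description quoted above.

Indicators (dropped files, Run value, TCP port) come from the quoted text; the
snapshot format, the %SysDir% value and the sample hosts are constructed here.
"""
import ntpath
from dataclasses import dataclass, field

SYSDIR = r"c:\windows\system32"  # assumed %SysDir% for the sample hosts
DROPPED_FILES = {
    ntpath.join(SYSDIR, "taskmon.exe"),
    ntpath.join(SYSDIR, "shimgapi.dll"),
    r"c:\program files\kazaa\my shared folder\activation_crack.scr",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_NAME, RUN_DATA = "taskmon", ntpath.join(SYSDIR, "taskmon.exe")
BACKDOOR_PORT = 3127  # the port the description says the worm opens


@dataclass
class HostSnapshot:
    """Constructed view of one host: files on disk, Run values, TCP listeners."""
    files: set = field(default_factory=set)
    run_values: dict = field(default_factory=dict)  # (key, name) -> data
    listening_tcp: set = field(default_factory=set)


def check_host(snap: HostSnapshot) -> list:
    """Return the indicators found on the host (mailbox bounces are not an
    input: the worm spoofs From, so backscatter says nothing about this host)."""
    hits = []
    present = {f.lower() for f in snap.files}  # Windows paths: compare case-insensitively
    hits += [f"file: {p}" for p in sorted(DROPPED_FILES) if p in present]
    run = {(k.lower(), n.lower()): v.lower() for (k, n), v in snap.run_values.items()}
    if run.get((RUN_KEY, RUN_NAME)) == RUN_DATA:
        hits.append(f"run value: {RUN_KEY}\\{RUN_NAME} = {RUN_DATA}")
    if BACKDOOR_PORT in snap.listening_tcp:
        hits.append(f"tcp listener: {BACKDOOR_PORT}")
    return hits


# Constructed sample hosts (not real data); paths mix case on purpose.
INFECTED = HostSnapshot(
    files={r"C:\WINDOWS\system32\taskmon.exe", r"C:\WINDOWS\system32\shimgapi.dll"},
    run_values={(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
                 "TaskMon"): r"C:\WINDOWS\system32\taskmon.exe"},
    listening_tcp={135, 445, 3127},
)
CLEAN = HostSnapshot(files={r"C:\WINDOWS\system32\notepad.exe"}, listening_tcp={135, 445})
```

Calling check_host(INFECTED) reports two dropped files, the Run value and the port 3127 listener; check_host(CLEAN) returns an empty list no matter how many bounces that user received.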
   
Brett
Citizen Username: Bmalibashksa
Post Number: 630 Registered: 7-2003
| Posted on Tuesday, January 27, 2004 - 8:21 am: |    |
It looks like this when you open it. There is a lot more but if you see this in your email I would cross your fingers.

FILETIME=[1A2FDA70:01C3E36D]
--cckujvn_1075054003
Content-Type: application/hta; name="page.hta"
Content-Transfer-Encoding: base64

I opened this on a protected machine so no one in the office got it. It's kind of a hobby of mine taking these apart and seeing how they tick.
|
   
Nohero
Citizen Username: Nohero
Post Number: 2814 Registered: 10-1999

| Posted on Tuesday, January 27, 2004 - 10:51 am: |    |
I don't know if it's the same one, but the IT people at my place just sent out this message:

You may receive an email addressed to your email address or to your webmail (Yahoo, Hotmail, etc.) with a subject line like "Mail Delivery System" and "Mail Transaction Failed" and/or it may have attachments such as ".exe," ".scr," ".cmd," ".zip" or ".pif" extensions. DO NOT OPEN THE EMAIL OR THE ATTACHMENT. Currently, the internet and webmail are being flooded by a fast-spreading e-mail worm that looks like a normal error message but actually contains a malicious program that spreads itself and installs a program that leaves an open door to infected computers. This worm has a bunch of names: MyDoom, Novarg and Shimgapi. It can also change its name to subject lines such as "hello," "test" and "what are you up to?" If you receive an email from an individual or firm that you don't recognize or expect please exercise caution and do not open the mailing. Instead, contact the IT Support Center for advice if you have any doubts about the authenticity of any email that you receive. Once a workstation is infected, the worm will start to generate emails from the infected PC by using the addresses found in the infected PC's email address book. The program selects a random recipient and a random sender name from the address book for the "to" and "from" fields, hence the reason why several users received "delivery failure" messages for emails that they did not send. Basically, the delivery failure messages are harmless and users should ignore and delete them. |
   
NCJanow(akaLibraryLady)
Citizen Username: Librarylady
Post Number: 1168 Registered: 5-2001
| Posted on Tuesday, January 27, 2004 - 11:35 am: |    |
You couldn't have posted this yesterday before I got the email virus (from the email of someone I only know via MOL). Ouch. I didn't open the attachment but I did open the email. Does this mean someone can now get my passwords and credit card if I was so dumb to enter it online? My husband got multiple copies of the emails but his antivirus program at NJIT seems to have caught them.
NCJ aka LibraryLady On a coffee break..or something like it. |
   
eliz
Citizen Username: Eliz
Post Number: 688 Registered: 5-2001

| Posted on Tuesday, January 27, 2004 - 1:58 pm: |    |
I received it today but I have a Mac so I presume I'm ok. Nancy, I hope it wasn't me! (at least I don't think it could be since I have a Mac?). |
   
Brett
Citizen Username: Bmalibashksa
Post Number: 631 Registered: 7-2003
| Posted on Tuesday, January 27, 2004 - 2:05 pm: |    |
You can pass it along from a Mac, but the Mac would not be infected. |
   
Dave
Citizen Username: Dave
Post Number: 6226 Registered: 4-1998

| Posted on Tuesday, January 27, 2004 - 2:07 pm: |    |
How can it pass from a Mac? Other than forwarding it manually? Does it have a hook into Entourage or (Apple) Mail? |
   
Brett
Citizen Username: Bmalibashksa
Post Number: 632 Registered: 7-2003
| Posted on Tuesday, January 27, 2004 - 2:16 pm: |    |
It can't. You're right, you would have to forward it manually. It can attach itself to any mail that it's bundled with in a POP3 server though. So it may look as if you sent it but it never got to your computer.
|
   
mem
Citizen Username: Mem
Post Number: 2697 Registered: 5-2001

| Posted on Wednesday, January 28, 2004 - 12:25 pm: |    |
How does this virus work? I have it, because I keep getting the emails that I don't open attachments to, I just delete them. |
   
barbara wilhelm
Citizen Username: Bartist
Post Number: 130 Registered: 1-2003
| Posted on Wednesday, January 28, 2004 - 12:41 pm: |    |
Why are Macs not affected by the virus? |
   
Dave
Citizen Username: Dave
Post Number: 6234 Registered: 4-1998

| Posted on Wednesday, January 28, 2004 - 1:21 pm: |    |
Virus creators are thrill seekers and there's no excitement in ruining the lives of only 4 percent of computer users, most of which aren't used in businesses. |
   
NCJanow(akaLibraryLady)
Citizen Username: Librarylady
Post Number: 1176 Registered: 5-2001
| Posted on Wednesday, January 28, 2004 - 3:47 pm: |    |
I am actually getting two different types of emails. One is from someone (usually an unrecognizable name) with an attachment and the subject line "test" or "hi" or "black". But I am also getting returned mail from addresses I never sent anything to, returning infected messages. What do I do now!??
NCJ aka LibraryLady On a coffee break..or something like it. |
   
Nohero
Citizen Username: Nohero
Post Number: 2825 Registered: 10-1999

| Posted on Wednesday, January 28, 2004 - 3:55 pm: |    |
The real computer experts may correct me, but I think that if you did not execute the file attached to your suspect e-mail, you should be okay. As for why you are getting "returned messages" which you don't think you sent, that may not be your fault. According to the warning I received: "The program selects a random recipient and a random sender name from the address book for the 'to' and 'from' fields, hence the reason why several users received 'delivery failure' messages for emails that they did not send." So, that would mean that someone who has your email address has an infected computer, which is sending out messages which it "pretends" are from you. I've received similar return messages, even before receiving any suspect emails. And THAT'S the really frustrating part. |
   
Dave
Citizen Username: Dave
Post Number: 6237 Registered: 4-1998

| Posted on Wednesday, January 28, 2004 - 4:11 pm: |    |
20 Years (nearly) Virus Free. Happy Birthday, Mac.
 |
   
monster
Citizen Username: Monster
Post Number: 102 Registered: 7-2002
| Posted on Thursday, January 29, 2004 - 1:00 am: |    |
I hear ya' Dave
  |
   
Tom Reingold
Citizen Username: Noglider
Post Number: 1920 Registered: 1-2003

| Posted on Thursday, January 29, 2004 - 3:08 pm: |    |
Barbara, Macs are usually not affected because the viruses are software designed specifically to run on PCs. Software runs on one type of computer but not another, generally speaking. The fact that you can buy something like Word, for example, doesn't mean that it runs on both computers. Those are re-writes (or recompiles, but never mind that.) It's a grand illusion that stuff runs on more than one type. There are exceptions, such as web pages and Java, but never mind that either. The point is that viruses are machine-specific.
Tom Reingold the prissy-pants There is nothing
|
   
Phil
Citizen Username: Barleyrooty
Post Number: 741 Registered: 5-2001

| Posted on Thursday, January 29, 2004 - 10:42 pm: |    |
Macs are OK. If you didn't open the attachment you're OK. To be extra sure you should have anti-virus software that's new and updated with the latest "virus definition" files from the vendor's website (e.g. Symantec (Norton) or Network Associates (McAfee)). Microsoft is also offering free anti-virus software here: http://www.my-etrust.com/microsoft/index.cfm? Also be aware that this virus picks a random email address from the victim's machine, and then sends itself out as email "from" that email address. So the person you think is infected probably isn't. This happened to me - I'm getting 5 or 6 emails a day saying that my emails are full of viruses - I know I'm not infected and they are from people whose email addresses I don't even have. Someone's machine is pretending to be me!
|
   
bets
Citizen Username: Bets
Post Number: 480 Registered: 6-2001

| Posted on Friday, January 30, 2004 - 12:01 am: |    |
I'm getting about the same volume. Please note that the A variant of this worm opens a backdoor on your computer, and should be removed. See F-Prot's website at http://www.f-prot.com/virusinfo/descriptions/mydoom_a.html (NOTE: This only applies if your system has actually been infected. Spoof emails are not indications that your computer has the virus.) |
   
Dave
Citizen Username: Dave
Post Number: 6260 Registered: 4-1998

| Posted on Friday, January 30, 2004 - 9:38 am: |    |
The FBI recommends using a Mac.
quote:[the FBI agent said] many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.
http://www.securityfocus.com/cgi-bin/sfonline/columnists-item.pl?id=215 |