View Full Version : "My Doom" WORM Virus


Jenya
01-27-2004, 09:47 PM
How many E-mails have you recieved yet from this WORM? It's a Zip file, and it's spreads through your E-mail address book if you open it. If you recieve this WORM- Delete it.

So far I recieved 8 E-mails from this rotten thing. :mad:

robyrob
01-27-2004, 10:52 PM
Originally posted by Jenya
How many E-mails have you recieved yet from this WORM? It's a Zip file, and it's spreads through your E-mail address book if you open it. If you recieve this WORM- Delete it.

So far I recieved 8 E-mails from this rotten thing. :mad: someone that has YOU in their address book is obviously infected, if you arent already :)

Jenya
01-27-2004, 11:03 PM
Originally posted by robyrob
someone that has YOU in their address book is obviously infected, if you arent already :)

You mean SOME PEOPLE. I just checked my Yahoo mail. I got another 2 more WORMS in it (That makes 10). And that's not including the other 5 WORMS in my Cogeco mailbox.

This is nuts. :(

robyrob
01-27-2004, 11:09 PM
Originally posted by Jenya
You mean SOME PEOPLE. I just checked my Yahoo mail. I got another 2 more WORMS in it (That makes 10). And that's not including the other 5 WORMS in my Cogeco mailbox.

This is nuts. :( worms will usually disguise the origin of the sender and depending on how they propagate, it may be busy sending itself off to everything in your address book (in other words, double check your definitions and rescan)

Jenya
01-27-2004, 11:14 PM
Originally posted by robyrob
worms will usually disguise the origin of the sender and depending on how they propagate, it may be busy sending itself off to everything in your address book (in other words, double check your definitions and rescan)

I'll do that. Thanks for your help! :)

pandora_spocks
01-27-2004, 11:46 PM
I just got a couple emails sent back to me stating they couldn't reach so and so, but the weird thing is I never sent any email to the email addresses it listed. Plus, it had the message attached so I'm thinking maybe that could be a virus? :confused:

robyrob
01-27-2004, 11:52 PM
Originally posted by pandora_spocks
I just got a couple emails sent back to me stating they couldn't reach so and so, but the weird thing is I never sent any email to the email addresses it listed. Plus, it had the message attached so I'm thinking maybe that could be a virus? :confused: if it has an attachment and you didnt send it, that would be a good assumption - scan it or delete it ASAP

robyrob
01-28-2004, 12:04 AM
from Symantec (Norton):
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004.

Distribution Info:

* Subject of email: Varies
* Name of attachment: Varies with an extension of .pif, .scr, .exe, .cmd, .bat, or .zip.
* Size of attachment: 22,258 bytes
* Time stamp of attachment: n/a
* Ports: TCP 3127-3198
* Shared drives: n/a
* Target of infection: n/a

There is a removal tool, and manual removal instructions on the page i've linked above

pandora_spocks
01-28-2004, 12:05 AM
Originally posted by robyrob
if it has an attachment and you didnt send it, that would be a good assumption - scan it or delete it ASAP

i didn't even open it. i just deleted it from my inbox.

Jenya
01-28-2004, 12:07 AM
Originally posted by pandora_spocks
I just got a couple emails sent back to me stating they couldn't reach so and so, but the weird thing is I never sent any email to the email addresses it listed. Plus, it had the message attached so I'm thinking maybe that could be a virus? :confused:

I just go off the phone with my friend, and this is what he told me to do:

If you're not sure if you are infected with the virus, you can download the symantec W32.Novarg.A@mm Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html). Just follow the instructions (Print them out first), then when you run the program, it will detect to see if the virus is in your computer, and it will automatically terminate it for you.

After it's done, re-boot your computer and run the program one more time, to make sure the virus is destroyed. You may also need to restore your Active Desktop when it's done.

It doesn't take long to do. Maybe five minutes at the most.

robyrob
01-28-2004, 12:09 AM
of course the website that it is performing the DoS attack on is SCO, so you may want to participate in it :)

TJ
01-29-2004, 06:02 AM
I would estimate I've received over 5000 of these virus mails. It is certainly bigger and spread faster then the Klez or Nimda virus. The bad part of this one it spoofs e-mail addresses so I am getting them from every possible combination of address like bob@sitcomsonline.com

Rhiannon
01-29-2004, 11:28 AM
I haven't gotten any yet, luckily

Rebel Queen 1980
01-30-2004, 01:55 AM
Ooh that's bad!,I check my email everyday,but I know
when it's spam or anything else I don't recognize it I just
deleted it,Have been lucky so far too!

robyrob
02-01-2004, 02:12 PM
Originally posted by robyrob
of course the website that it is performing the DoS attack on is SCO, so you may want to participate in it :) http://www.linuxstolescocode.com/

Brent88
02-01-2004, 02:53 PM
Originally posted by Vera Wang
I haven't gotten any yet, luckily

Mine went into Junk Mail automatically and I deleted it from there, I can usually tell if something is junk or not, I usually just delete all that automatically. I have gotten a scam email however that I want to advise everyone about... it will tell you your bank accounts have been frozen and that you are under investigation for violating the Patriot act. It tries to get you to give all personal info, DON'T DO IT! I didn't do it, but I did open the email and then deleted it because I knew it wasn't anything important. They have had some people who don't know any better give out account info and stuff like that.

I also have virus scans on my computer, so I'm pretty sure I am virus-free. :)

Jenya
02-02-2004, 10:10 PM
Microsoft Braces For Mydoom Onslaught Tuesday

CANADIAN PRESS (http://www.cp.org/)

Monday Febuary 02, 2004

VANCOUVER, BC — The success of an e-mail computer virus in flooding a U.S. tech firm's website Sunday has software giant Microsoft Corp. bracing for an expected attack Tuesday against its sites.

The Mydoom.a virus — also known as Novarg.a — spread through thousands of so-called zombie computers and effectively crippled Utah-based SCO Group's site.

A variant of the virus, Mydoom.b, is set to attack Microsoft's main web site Tuesday.

Experts speculate the attacks originate with disgruntled supporters of Linux, an operating system seen as challenging Microsoft's dominance. SCO has made proprietary claims on aspects of Linux.

Microsoft is working with partners who provide anti-virus protection, Stephen Toulouse, Microsoft security program manager, said Monday.

"We're also taking preventative steps to help ensure that our properties remain available to our customers," he said from the company's headquarters in Redmond, Wash.

The company, a favoured target of hackers because its operating systems and software run most of the world's computers, is defiant.

"I think it's a sense of determination," said Toulouse. "We view it as we're not going to let this happen and we're going to protect our customers."

Toulouse would not detail what countermeasures Microsoft has put in place for fear of helping the hackers who unleashed the worm-type virus.

Like Novarg.a, Mydoom.b is programmed to infect vulnerable computers when the user opens a supposedly innocent e-mail attachment, then e-mail itself to everyone in the computer's address book.

It also installs a secret opening that on Tuesday turns the infected computer into a zombie for flooding on Microsoft.com and related sites — a so-called distributed denial-of-service attack.

Toulouse said people with infected computers unable to access Microsoft Update to download software patches can still get help at https://information.microsoft.com.

News of the Novarg and Mydoom attacks surfaced last week as anti-virus software providers such as Symantec and Network Associates put out alerts after being deluged with reports from their customers.

SCO and Microsoft each have offered $250,000 US rewards for information leading to the arrest and conviction of Mydoom's creator.

Antivirus vendors reacted quickly by providing updates to their customers. The worms initially spread at astounding speed but slowed appreciably by Monday.

Symantec, which sells Norton antivirus products, rates Mydoom.b's threat level at only 2 out of 5 — second lowest — because of the early attention given to Novarg.a.

"In that two days most people's defences are increased, due in part to I think the awareness that people have out there, but also the awareness that's created by the media," said Michael Murphy, Symantec's Canadian general manager.

However, a computer security researcher warned that many personal computer users, as well as businesses, still don't take viruses seriously enough.

"People are either not willing to update their software or reluctant to go and search for new updates," said Prof. Hasan Cavusoglu of the Sauder Business School at the University of British Columbia.

Most antivirus programs allow for automatic updates via the Internet. But some users still opt for manually updating their security packages, which can leave them vulnerable if they're not diligent, he said.

That's especially true of technicians running corporate networks, said Cavusoglu, because they're unsure of how the updates might affect their various systems.

"System administrators generally do not update patches immediately unless they feel it is very necessary and it doesn't create any other problem in their systems," he said.

Murphy said corporations tend to focus their protective efforts on individual desktop computers and their in-house mail servers, backed by warnings to employees about opening unknown e-mail attachments.

That works to a point, he said, but still leaves them open to disruption from viruses such as Mydoom and Novarg that trigger floods of e-mails.

Murphy said some of Symantec's Canadian clients reported being inundated by unsolicited e-mails from infected customers and partners, slowing their mail servers to a crawl.

The solution, he said, is to have a separate gateway and filtering system before the e-mails reach corporate servers.

The problem is especially acute for smaller companies that don't have full-time computer security staff, he said, nothing the vast majority of Canadian businesses have less than 100 employees.

"It's a good opportunity for resellers to provide a security service where the expertise lacks inside of an organization," said Murphy.

Cavusoglu also warned that under-rating Internet security threats can have a hidden cost.

A study he co-authored last year found firms that announced security breeches lost an average 2.1 per cent of their market value — about $1.65 billion in market capitalization — within two days.

"People have to understand how much (information technology) security investment they have to make," he said.

"If they are looking only at the tangible aspect of the damage, they may under-invest. They also have to look at the intangible aspect, the market reaction, et cetera."

Murphy said Symantec this year forecasts three or four level 4 attacks this year and an level 3 attacks on average once a month.

While response times are improving, experts say the hackers are just as quick to adjust their tactics.

Mydoom and Novarg, for instance, utilized "social psychology" by making it appear the e-mails were from someone the recipient knew or might trust, said Murphy.

Cavusoglu also noted that for the first time the worm was buried in a text or .txt file after years of warnings that people shouldn't open unknown executable or .exe files.

"This is going to be an arms race," he said. "We will see this cycle over and over."